802.1X and Windows NPS Configuration Best Tips

  • Problem
  • Updated 3 years ago
  • Solved
Does anyone have any suggestions on how to best configure the VNS and Windows NPS to handle 802.1X? I'm finding in our tests that users seem to drop off the VNS during the day and need to reconnect, as well as when just roaming throughout the building. Our NPS logs on the Windows server would appear to show the same. I did just turn on opportunistic keying and preauth, but I'm curious if there are any other tweaks I should look for, especially for iOS devices, since we have quite a few of those. Thanks!
Andrew Schmitt

Posted 3 years ago
Doug Hyde, Technical Support Manager
Andrew, 

If you don't have a day/time restriction on your NPS policy, I would say it must be something else that would require a bit more investigation. I would suggest contacting the GTAC so further diagnostics can be captured from your system during an event. I would have the following ready when you reach out...

Controller Tech Support...
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-Collect-a-Tech-Support-File-From-a-Wireless-Controller

Access Point Data from where the user was attached...
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-Collect-Access-Point-Logging-Information-Trace-Bundle
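Before opening a GTAC case it helps to know whether NPS is actually rejecting the clients (a policy day/time restriction or similar shows up as an explicit denial) or whether the controller is simply timing sessions out and the clients are re-authenticating successfully (which shows up as repeated grants for the same MAC). The script below is an added example for this thread, not something from the poster, Extreme Networks or Microsoft. It assumes it is run on the NPS server with auditing for the "Network Policy Server" subcategory enabled, so that Security log events 6272 (access granted) and 6273 (access denied) are being written; the field labels it parses ("Calling Station Identifier", "Reason Code", and so on) are the ones in the standard event text, and the hour window is a parameter you choose.

```powershell
# Added example: summarise NPS 802.1X outcomes from the Windows Security log.
# Assumes NPS auditing is on:
#   auditpol /get /subcategory:"Network Policy Server"  -> Success and Failure
param(
    [int]$Hours = 24   # look-back window; assumed value, adjust as needed
)

$since = (Get-Date).AddHours(-$Hours)
# 6272 = Network Policy Server granted access, 6273 = denied access
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 6272, 6273; StartTime = $since
} -ErrorAction Stop

function Get-Field {
    param([string]$Message, [string]$Name)
    # The event text lists "Label:<whitespace>Value" one per line; return the value for Label
    if ($Message -match "(?m)^\s*$([regex]::Escape($Name)):\s*(.*)$") { return $Matches[1].Trim() }
    return $null
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Outcome    = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
        User       = Get-Field $e.Message 'Account Name'
        ClientMac  = Get-Field $e.Message 'Calling Station Identifier'
        NasIp      = Get-Field $e.Message 'NAS IPv4 Address'
        Policy     = Get-Field $e.Message 'Network Policy Name'
        EapType    = Get-Field $e.Message 'EAP Type'
        ReasonCode = Get-Field $e.Message 'Reason Code'   # present on 6273 only
        Reason     = Get-Field $e.Message 'Reason'        # present on 6273 only
    }
}

Write-Host "Denials by reason (last $Hours h): a day/time or policy mismatch shows up here"
$rows | Where-Object Outcome -eq 'Denied' |
    Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

Write-Host "Clients granted and later denied in the window (candidates for the 'drops off during the day' symptom):"
$rows | Group-Object ClientMac | Where-Object {
    ($_.Group.Outcome -contains 'Granted') -and ($_.Group.Outcome -contains 'Denied')
} | ForEach-Object {
    $last = $_.Group | Sort-Object Time | Select-Object -Last 1
    [pscustomobject]@{
        ClientMac   = $_.Name
        Events      = $_.Count
        LastOutcome = $last.Outcome
        LastReason  = $last.Reason
        LastSeen    = $last.Time
    }
} | Format-Table -AutoSize

Write-Host "Successful re-authentications per client per hour (a high rate with no denials points at roaming/idle-timeout churn on the controller side rather than at NPS):"
$rows | Where-Object Outcome -eq 'Granted' | Group-Object ClientMac |
    Select-Object Name, Count, @{ n = 'PerHour'; e = { [math]::Round($_.Count / $Hours, 2) } } |
    Sort-Object PerHour -Descending | Select-Object -First 15 | Format-Table -AutoSize
```

Run it as a script on the NPS box (for example `.\Nps-8021x-Summary.ps1 -Hours 8` for one working day). If the first table is empty and the third shows the affected phones re-authenticating many times an hour, NPS is not the one dropping them, and the controller tech-support and AP trace bundles Doug lists above are the right next step.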

Ronald Dvorak, Ambassador
How about 802.11r, which is now supported in V9.21?
Some iOS devices support it; here is the list:
https://support.apple.com/en-us/HT202628

-Ron
Andrew Schmitt
Thank you both. I'm still struggling with this, so I think I'll need to call GTAC. I join the 802.1X network, which now has 802.11r on and Management Frame Protection off, with an iPhone 6. The device works on the network, but when the device leaves the building and comes back, it never rejoins. If I manually tap on it again, it joins OK.
Doug Hyde, Technical Support Manager
I'm running 9.21.02 on my lab controller (3825i, 802.1X, PEAP), and I just tested my iPhone 6 (8.4.1) with no issues. How long are you out of the building? Longer than the default 30 min idle timeout?
Andrew Schmitt
Yes, it was an hour, but I don't see how it's different from a WPA2-PSK network where the device caches the credentials and just reuses them when it sees the AP again. Am I missing something with 802.1X?
Doug Hyde, Technical Support Manager
Could you be roaming between controllers?
Andrew Schmitt
I only have one V2110. It's running 09.21.02.0014. Could it have anything to do with the topology? It starts bridged at controller and then switches to bridged at AP after auth.
Doug Hyde, Technical Support Manager
All in the same IP subnet?
Andrew Schmitt
No, sir. The installer set it up as mentioned because the wireless clients need to be in a different subnet than the rest of the network, since I ran out of DHCP scope space. It's all converging at layer 3 on the X460 stack. If I didn't bridge at AP, I would need to allow everything as a RADIUS client through PEAP, as far as I understand it, but I'm new to IdentiFi of course :)
Doug Hyde, Technical Support Manager
Okay, so the client would not get an IP until it authenticated. So using B@AP is not an issue; the clients will always get the IP from the Authenticated role. Contacting GTAC would probably be your best option, so someone can look at the client state when it roams back into the network. It should try to probe the nearest AP and then attempt to attach again...

I go home at night, then come back into the lab in the morning, and my phone hooks right back up. I'm using B@AP tagged for my topology.