ExtremeWireless and Microsoft NPS

  • Question
  • Updated 2 years ago
  • Answered
Hello, everybody!

I have a strange situation with Microsoft NPS.

I have a C5210 controller with 802.1x auth configured over Captive Portal. The task was to configure 802.1x auth using MS Active Directory; the domain name is "abc.def.local". I mean, I have users in both the "abc" domain and the "def" domain. At the moment everything works for the "abc" domain but doesn't work for "def".

By default, when I input just "username" and "password" (without ABC\username) at the Captive Portal, the controller sends it to NPS and it accepts these inputs for the domain "abc". Access granted, voila!

But when I need to authenticate users in the "def" domain something goes wrong. At the Captive Portal I input "DEF\username" and the password, then the controller sends it to NPS. I can see in the NPS log that it arrived at NPS correctly. But NPS says "access denied". The password is OK, the account is not locked. This NPS server also acts as RADIUS for a Cisco WLC, and this user can be authenticated over the Cisco WLC!!!

I've spent several hours checking the NPS log and found out that, using the C5120, the only difference between users in the ABC domain and the DEF domain is the following:

In the case of DEF the System ID field is empty. How does that happen? This is part of the NPS log:

    Security ID:      NULL SID
    User name:        def\ivan
    Username domain:  DEF
    Full username:    DEF\ivan

Could you please share any ideas how could the problem be resolved?

Many thanks in advance, 

Ilya Semenov


Posted 2 years ago


Pala, Zdenek, Employee

I would compare the RADIUS attributes the WLC is sending with those the EWC is sending. Then I would go through the NPS configuration and find out why different rules are matching.

The log you sent is not helping much :(

In the NPS log there should be the reason why it was rejected. Does that help?

Keene, Scott, Employee NMS/GTAC


In the Event Viewer on the NPS server, at the bottom of each event, it should give you a reason why they are denied or accepted. Sometimes they are a little generic, but there should be a reason and perhaps a code. You mentioned that it says "Access Denied"... so scroll to the bottom of that event and there should be more detail.

-Scott Keene

Ilya Semenov

Pala, Scott,

I've got the info but I doubt it could help:

    Reason Code:  16
    Reason:       Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

I doubt there is an error at NPS.

The strangest thing is that I have only one VNS config (one topology, one SSID) on the C5210 controller, and it works for the domain ABC but doesn't work for the parent domain DEF when I just add "DEF\" before the username.

I've checked this for several users, and all of them work over the Cisco WLC through the same NPS server.

It seems like the C5210 doesn't send this "Security ID:" or something important for it.

So, still searching... 

Ilya Semenov

Good evening, gentlemen,

There is additional information. I've created a test domain "domain.local" and a child domain "child.domain.local" on Windows Server 2012 and configured NPS on the domain.local DC (Domain Controller). The authentication for wireless clients works for both domains regardless of whether I use "DOMAIN\User1" or "CHILD\User2" as the login. So the Extreme WLC works as expected. But I repeat, I've done this in my own test environment.

There is also some additional info from the customer's environment. I want to remind you that I can log in to the ABC domain but can't log in to DEF. Today I installed the NPS role on a new Windows Server in the DEF domain (in the customer's environment) and pointed the C5210 to use this NPS as RADIUS. Nothing changed.

The additional info is that I can log in to the DEF domain using the username@def login format. Indeed, sometimes when I try to log in as "DEF\username" I see strange things in the NPS log:

    Security ID:      NULL SID
    User name:        defivan
    Username domain:  ABC
    Full username:    ABC\defivan

It's like the Extreme Controller or NPS can't parse the domain and username correctly. When I use DEF\Username they stick together and SOMETHING adds the ABC\ domain in front.

The question arose: can Extreme Wireless work with NPS from Windows Server 2008? Was it tested?

I'm sorry for so many words and so much info :(

Many thanks for any information,


Pala, Zdenek, Employee

You can do a Wireshark capture and see where the ABC is added and DEF\ivan is changed to ABC\defivan, i.e. whether it comes from the EWC or from NAC.

To your question: yes, NPS on W2K8 was tested and works well at several customers I have.

On NAC you can define an AAA rule (advanced) and, based on the domain, use a different RADIUS server (NPS).

With EWC you can have different WLAN services (SSIDs) pointing to different RADIUS servers.
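The comparison suggested above (capture the Access-Request from each NAS and compare what they put in User-Name) can be scripted once the packets are exported from Wireshark as raw bytes. The following is an added example, not code from the thread or from Extreme; it decodes the RADIUS attribute list per RFC 2865 and classifies the User-Name into DOMAIN\user, user@domain or bare-name form, so a dropped backslash (DEF\ivan arriving as defivan, which NPS then maps to its default domain) stands out. The two packets are constructed samples with invented NAS identifiers; they are not captures from the customer's WLC or EWC.

```python
"""Decode RADIUS Access-Request attributes and compare User-Name formats."""
import struct

# RFC 2865 attribute types that matter for this comparison.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 6: "Service-Type",
              30: "Called-Station-Id", 31: "Calling-Station-Id",
              32: "NAS-Identifier", 61: "NAS-Port-Type"}
TEXT_ATTRS = {1, 30, 31, 32}
INT_ATTRS = {6, 61}


def build_access_request(identifier, attrs, authenticator=b"\x00" * 16):
    """Assemble an Access-Request (code 1) from (type, value) pairs.
    Only used to create the constructed samples below."""
    body = b""
    for t, v in attrs:
        if isinstance(v, str):
            v = v.encode("utf-8")
        elif isinstance(v, int):
            v = struct.pack("!I", v)
        body += struct.pack("!BB", t, len(v) + 2) + v
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body


def parse_radius(packet):
    """Return (code, identifier, [(attr_name, value), ...]).
    Length fields are validated; a malformed packet raises ValueError
    instead of being skipped silently."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, offset = [], 20
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        t, alen = struct.unpack("!BB", packet[offset:offset + 2])
        if alen < 2 or offset + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {offset}")
        value = packet[offset + 2:offset + alen]
        if t in TEXT_ATTRS:
            value = value.decode("utf-8", errors="replace")
        elif t == 4 and len(value) == 4:
            value = ".".join(str(b) for b in value)
        elif t in INT_ATTRS and len(value) == 4:
            value = struct.unpack("!I", value)[0]
        attrs.append((ATTR_NAMES.get(t, f"Attr-{t}"), value))
        offset += alen
    return code, identifier, attrs


def split_user_name(user_name):
    """Split a User-Name into (domain, user, form).
    form is "down-level" for DOMAIN\\user, "upn" for user@domain and "bare"
    when no domain is carried; a bare name is resolved by NPS against its
    default domain, which is consistent with the ABC\\defivan log entry."""
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return domain.upper(), user, "down-level"
    if "@" in user_name:
        user, domain = user_name.rsplit("@", 1)
        return domain.upper(), user, "upn"
    return None, user_name, "bare"


def compare_user_names(pkt_a, pkt_b):
    """Classify how the User-Name in pkt_b differs from the one in pkt_a:
    "identical", "backslash stripped" (domain and user glued together),
    or "different" for anything else."""
    parsed = []
    for pkt in (pkt_a, pkt_b):
        _, _, attrs = parse_radius(pkt)
        parsed.append(split_user_name(dict(attrs).get("User-Name", "")))
    (dom_a, user_a, form_a), (dom_b, user_b, form_b) = parsed
    if parsed[0] == parsed[1]:
        return "identical"
    if form_b == "bare" and dom_a and user_b.lower() == f"{dom_a}{user_a}".lower():
        return "backslash stripped"
    return "different"


# Constructed samples (hypothetical NAS names and addresses, not real captures).
PKT_NAS_A = build_access_request(7, [
    (1, "DEF\\ivan"), (4, bytes([10, 0, 0, 5])), (32, "nas-a"),
    (30, "00-11-22-33-44-55:Corp"), (31, "AA-BB-CC-DD-EE-FF"), (61, 19)])
PKT_NAS_B = build_access_request(8, [
    (1, "defivan"), (4, bytes([10, 0, 0, 6])), (32, "nas-b"), (61, 19)])

if __name__ == "__main__":
    for pkt in (PKT_NAS_A, PKT_NAS_B):
        _, ident, attrs = parse_radius(pkt)
        print(f"Access-Request id={ident}")
        for name, value in attrs:
            print(f"  {name:18} {value}")
    print("verdict:", compare_user_names(PKT_NAS_A, PKT_NAS_B))
```

To use it on real traffic, select the Access-Request in Wireshark, export the UDP payload as raw bytes and pass those bytes to parse_radius(); running it on one request from each NAS for the same login shows immediately whether the backslash survives the trip from the controller, which is the point at which NAC and EWC diverge in the suggestion above.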