ExtremeWireless and Microsoft NPS

Ilya_Semenov
Contributor
Hello, everybody!

I have a strange situation with Microsoft NPS.

I have a C5210 controller with 802.1x auth configured over Captive Portal. The task was to configure 802.1x auth using MS Active Directory; the domain name is "abc.def.local". I mean, I have users in both the "abc" domain and in "def". At the moment everything works for the "abc" domain, but doesn't work for "def".

By default, when I input just "username" and "password" (without ABC\username) at the Captive Portal, the controller sends it to NPS and it accepts these inputs for the domain "abc". Access granted, voila!

But when I need to authenticate users in the "def" domain something goes wrong. At the Captive Portal I input "DEF\username" and the password, then the controller sends it to NPS. I can see in NPS's log that it came to NPS correctly. But NPS says "access denied". The password is OK, the account is not locked. This NPS server also acts as RADIUS for a Cisco WLC, and this user can be authenticated over the Cisco WLC!!!

I've spent several hours checking the NPS log and found out that, using the C5120, the only difference between users in the ABC domain and the DEF domain is the following:

In the case of DEF, the System ID field is empty. How does it happen? This is part of the NPS log:

User: Security ID: NULL SID

User name: def\ivan

Username domain: DEF

Full username: DEF\ivan

Could you please share any ideas on how the problem could be resolved?

Many thanks in advance,
Ilya


Zdeněk_Pala
Extreme Employee
You can do a Wireshark capture and see where the ABC is added and changes DEF\ivan to ABC\defivan, and whether it comes from the EWC or from NAC.

To your question: yes, NPS on W2K8 was tested and works well at several customers I have.

On NAC you can define an AAA rule (advanced) and, based on the domain, you can use a different RADIUS server (NPS).

With EWC you can have a different WLAN service (SSID) and point it to a different RADIUS server.

Regards

Zdenek
Regards Zdeněk Pala

Ilya_Semenov
Contributor
Good evening, gentlemen,

There is additional information. I've created a test domain "domain.local" and a child domain "child.domain.local" on Windows Server 2012 and configured NPS on the domain.local DC (Domain Controller). The authentication for wireless clients works for both domains regardless of whether I use "DOMAIN\User1" or "CHILD\User2" as the login. So, the Extreme WLC works as expected. But I repeat, I've done it in my own test environment.

There is also some additional info from the customer's environment. I want to remind you that I can log in to the ABC domain, but can't log in to DEF. Today I've installed the NPS role on a new Windows Server in the DEF domain (in the customer's environment) and pointed the C5210 to use this NPS as RADIUS. Nothing changed.

The additional info is that I can log in to the DEF domain using username@def as the login format. Indeed, sometimes when I try to log in as "DEF\username" I see strange things in the NPS log:

User: Security ID: NULL SID

User name: defivan

Username domain: ABC

Full username: ABC\defivan

It's like the Extreme Controller or NPS can't parse the domain and username correctly. When I use DEF\Username they stick together and SOMETHING adds the ABC\ domain in front.

The question appeared: could Extreme Wireless work with NPS from Windows Server 2008? Was it tested?

I'm sorry for so many words and so much info(

Many thanks for any information,

Ilya
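An added Python example, not code from this thread or from Extreme or Microsoft, that models the three login formats discussed here (DOMAIN\user, user@domain, bare username mapped to a default domain) and compares what the client typed with the user fields NPS recorded. The default domain "ABC", the sample event text (constructed from the excerpt above) and all function names are assumptions; it illustrates how a name that has lost its backslash, such as "defivan", lands in the default domain, which is what the second log excerpt shows.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    domain: str
    user: str


def split_login(login: str, default_domain: str) -> Identity:
    """Split a RADIUS User-Name into (domain, user) the way the thread describes NPS doing it."""
    if "\\" in login:                       # DOMAIN\user
        domain, user = login.split("\\", 1)
        return Identity(domain.upper(), user)
    if "@" in login:                        # user@def or user@def.local
        user, domain = login.rsplit("@", 1)
        return Identity(domain.split(".")[0].upper(), user)
    # A bare name has no separator left, so it is assigned to the default domain.
    return Identity(default_domain.upper(), login)


NPS_FIELDS = ("Security ID", "User name", "Username domain", "Full username")


def parse_nps_excerpt(text: str) -> dict:
    """Pull the user fields out of an NPS audit-event excerpt in the layout pasted above."""
    fields = {}
    for line in text.splitlines():
        for name in NPS_FIELDS:
            match = re.search(rf"{name}:\s*(.*)$", line)
            if match:
                fields[name] = match.group(1).strip()
    return fields


def explain(sent_login: str, nps_excerpt: str, default_domain: str) -> list:
    """Return short tags for each discrepancy between the intended login and what NPS evaluated."""
    intended = split_login(sent_login, default_domain)
    event = parse_nps_excerpt(nps_excerpt)
    findings = []
    if event.get("Security ID") == "NULL SID":          # NPS found no account for the name
        findings.append("null-sid")
    if event.get("Username domain", "").upper() != intended.domain:
        findings.append("domain-mismatch")
    logged_user = event.get("User name", "").split("\\")[-1]  # drop any DOMAIN\ prefix
    if logged_user.lower() != intended.user.lower():
        findings.append("user-mismatch")
    return findings


# Constructed sample: the second excerpt from the thread, where the backslash was lost.
SAMPLE_EVENT = "User: Security ID: NULL SID\nUser name: defivan\nUsername domain: ABC\nFull username: ABC\\defivan"
```

Running explain("DEF\\ivan", SAMPLE_EVENT, "ABC") reports all three tags, while a bare "ivan" evaluated against ABC with a real SID reports none.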

Keene__Scott
Extreme Employee
Hello,

In the Event Viewer on the NPS server, at the bottom of each event, they should give you a reason why they are denied or accepted. Sometimes they are a little generic, but there should be a reason and perhaps a code. You mentioned that it says "Access Denied"... so scroll to the bottom of that event and there should be more detail.

-Scott Keene

Zdeněk_Pala
Extreme Employee
I would compare the RADIUS attributes the WLC is sending to those that the EWC is sending. Then I would go through the NPS configuration and find why different rules are matching. The log you sent is not helping much 😞 In the NPS log there should be a reason why it was rejected. Does that help?
Regards Zdeněk Pala