How to configure Windows 2012 NPS for RADIUS authentication with ExtremeWireless Controller

  • Question
  • Updated 3 years ago
  • Answered
Hi, I'm trying to use Windows 2012 NPS as RADIUS for 802.1X authentication with the Wireless Controller.
The problem is that the NPS authenticates the user but doesn't return the Filter-ID with the policy to apply to the user.

In the NPS configuration I've defined the Filter-id but this value is not returned to the Wireless Controller:


How to solve this problem?

Thanks,
Antonio

Antonio Opromolla


Posted 3 years ago


Joseph Burnsworth

What is the name of the policy on the wireless controller? The filter-id has to match exactly to the policy name in the controller.

If you could provide a screenshot of that, I would be more than happy to help.

Antonio Opromolla

Hi Joseph, the name on the Wireless Controller has got the same value.
But as you may see in the Wireshark capture, it seems that the filter-id is not present in the reply-accept message from RADIUS...

Ronald Dvorak, Embassador

Here are 2 screenshots from my old notes...

1) on the controller set it to the first option
2) on the NPS I've just put in the name of the role








Tyler Marcotte, Official Rep

Antonio,

Are you sure that you're hitting that rule in the NPS configuration? I would check the logs in Event Viewer and see which policy name is being assigned. At the bare minimum, the filter-id would show up in wireshark. It's likely that your conditions don't match and it's falling to a different rule. Also, the NPS log will show whether the filter-id value was inserted or not.


Jason, Employee

Antonio, 

In addition to what the others mentioned, it looks like you have extra information in the filter-id reading "Enterasys:version etc." Based on your Role, you want to return back only "Staff" in the filter-id.

Regards, 
Jason

Joseph Burnsworth

Yessir! That's where I was taking him. Good call

Antonio Opromolla

Hi all,
I've done as you suggested, but in the Event Viewer I see that the NPS doesn't return the policy despite the authentication accept message. Below are my new screenshots:


Thanks for your reply

Tyler Marcotte, Official Rep

Antonio, double-check your connection request policy name.

You're not assigning a Network Policy at all. It looks like under your Authentication Details that you're sending the authentication to Server.demo.com. Is that the name of your NPS server? Another possibility is this is a log of an accounting message.

Typically in a fresh NPS install, the Connection Request Policy is called "Use Windows authentication for all users". It looks like you have a custom one called "Secure Wired-Wireless Connections" though. I would inspect that for differences.

Antonio Opromolla

Hi Tyler,
yes, my NPS name is server.demo.com.
OK, I'll check tomorrow in the office as you suggest (I've got a custom connection request policy in effect).
I'll give you feedback.
Thanks

Joseph Burnsworth

In your VNS > Virtual Networks > <VNS Name> > Auth & Acct, do you have the Radius attributes that you want to send to the NPS checked?


Antonio Opromolla

Hi Joseph, yes, my Radius attributes are identical to your screenshot above.

Ronald Dvorak, Embassador

In your last screenshot we can see that the NPS uses the connection request policy "secure wired-wireless-connection" and no network policy.

So you don't hit the right policy on the NPS, and the default is used, which doesn't include the filter-ID information.

Here is an example, from a switch, but as you can see my rules are hit: connection request policy and network policy "XOS-430" are used...


Antonio Opromolla

Thanks Ronald for this explanation... I'll check tomorrow in the office whether the request is matching another policy instead of mine... this may indeed be the problem, because my network policy is named "Staff", and as Tyler also suggested, I need to check the policy order and the connection request policy.

Antonio Opromolla

Hi, today I've made one step ahead. Yesterday's problem was that the connection hit a wrong rule...
Now it hits the correct one, but I'm in trouble with the authentication.
Now on NPS I've got an error regarding EAP. Below are my latest screenshots (in my demo lab the DC and CA are on the same server, which is also the NPS server):





What are your opinions on the configuration error?

Thanks

Antonio Opromolla

I also add the screenshot of the Auth & Acct tab of the WLAN services used, if it may be useful.

Antonio Opromolla

Solved!!
I've solved the problem by changing the certificate in the NPS and using the server certificate instead of the CA certificate that I had wrongly used in the previous example.
Below are my screenshots of the working configuration:





Thanks to all of you for the help!

Tyler Marcotte, Official Rep

Happy to help, glad to hear you got it squared away!

Joseph Burnsworth

That is awesome! Great work!