Extreme Networks

Hello.

My infrastructure is including: External radius server (Microsoft Windows 2012R2 NPS) which is providing 802.1X authentication to my end wireless users and CWP wireless agreement, which the end users have to agree to in order to connect to the network.

I'd have to say I wish this was the setup but doesn't work correctly. Why?

Because in order to have an external radius server MS NPS I have to have a security certificate and the end user has to confirm the usage of the certificate during the authentication process, in order to be able to authenticate via 802.1X. This is MS requirement and I can't go around it because the tunnel has to be encrypted prior the handshaking for the AD credentials. Once the credentials being accepted the end user gets connected to the wireless network every time automatically without being prompted for credentials, unless they change their password. So far great.

When is prompted for credentials, CWP popup window appears and the end user can read and accept (or reject) the agreement and gets connected to the network. Perfect right?

Next time when the end user is around, gets connected to the wireless network automatically because already provided its credentials to the MS NPS. They are still verified but that's transparent to the end user. Well, CWP however has to be accepted again because this is how AeroHive programmed it, or at least I've being informed that way. Once the client hits the maximum "inactive client ageout" or disconnect from the network, it has to reconfirm the CWP. Since the end user already entered the 802.1X credentials in MS NPS it is not being asked and from the wireless point of view it has networking. The network indicator is "on" on the wireless device and the user cannot go anywhere because didn't accept CWP. CWP is not popping up because no credentials are being entered. The end user is thinking it has network but in reality has to sense that is not true somehow and if they are expecting any network related activity, they are out of luck. No email, calendar, or anything else network related will pop up because there is no network. If it is a cell phone, still will not show any new emails because by default any cell phone has a priority first to check for wifi and guess what, it is there but it is not working because of CWP.

My question is: How to make 802.1X authentication with my AD to work with CWP popping up every time when an end user needs to accept it? I can't ask the users to enter username and password every time because we have 16 character password policy and that's going to be very challenging and perhaps the idea is not to enter the password each time.

Please help.

Thank you in advance and let me know if you have questions.

George Z