Chrisd131313
Trusted Contributor

E2620 - admin authentication with NPS.

Hi,

I am trying to configure login authentication on a 2620 with peap-mschapv2 and NPS on a Windows 2008 R2 server. I have set up the config in the switch and also set up the policy on the NPS server.

radius-server host xxx.xxx.xxx.xxx key xXxXxXx

aaa authentication login privilege-mode
aaa authentication web login peap-mschapv2 local
aaa authentication web enable peap-mschapv2 local

I have removed the ssh entries as I need to be able to log in with the local account via ssh at the moment.

The NPS policy has been set up to use an AD group for specified users and I am setting the authentication method in the policy to peap; apart from those two settings the rest is default.

This configuration worked seamlessly on our test domain, but bringing it into production it is failing the authentication every time I try to use an account that is part of the AD group allowed to access the switch.

The strange thing is, if I try to log in with a user account that does not exist I get an event log entry on the NPS server (EventID:6273), which I would expect to get, but when I try with an account that is in the AD group, it doesn't log anything and just puts a log entry in the switch...

auth: Invalid user name/password on WEB-UI session
auth: Invalid user name/password on WEBUI session

The only difference that I can see between production and test is that in production the NPS role is installed on the site's DC and in test it has its own server.

Has anyone come across this before? Or could anyone point me in a direction to get to the bottom of the issue?

Any help would be much appreciated, I have been pulling my hair out over this for days now.

It does sound like a possible NPS issue, but it would be good if anyone is able to confirm this.

Thanks in advance

-----------------------------------------------------

Don't forget to mark a post resolved if your question was answered.
Chrisd131313
Trusted Contributor
Solution

Re: E2620 - admin authentication with NPS.

Well, it looks like the solution to this is pretty simple!! peap-mschapv2 does not work with administration switch authentication unless you are using the latest K series firmware (5400zl series etc.); otherwise pap/spap is the only method that works.

Hopefully this will be updated in the next firmware revision as the option is available when setting up aaa.

Fingers crossed on that one! :)

-----------------------------------------------------

Don't forget to mark a post resolved if your question was answered.
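
Added example, not part of the original thread and not HP/Aruba or Microsoft code: since the fix above falls back to pap, this sketch shows how RADIUS carries a PAP password in the User-Password attribute (RFC 2865, section 5.2). The password is only XOR-masked with MD5 of the shared secret, so the `key` on the `radius-server host` line is all that protects admin credentials in transit. The secret, authenticator and password below are constructed sample values.

```python
import hashlib

# Constructed sample values (assumptions, not taken from the thread).
SECRET = b"constructed-shared-secret"   # the `key` on the radius-server host line
REQUEST_AUTH = bytes(range(16))         # 16-octet Request Authenticator
PASSWORD = b"Constructed-Admin-Pw-01"   # 23 octets, so it spans two 16-octet blocks


def _xor_blocks(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """XOR each 16-octet block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(b ^ m for b, m in zip(block, mask))
        out += xored
        # The chain always runs over the ciphertext block, in both directions.
        prev = block if decrypt else xored
    return out


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client (switch) side: build the User-Password attribute value."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n octets
    return _xor_blocks(padded, secret, request_auth, decrypt=False)


def recover_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server (NPS) side: undo the masking with the same shared secret."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("malformed User-Password attribute")
    return _xor_blocks(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


if __name__ == "__main__":
    hidden = hide_user_password(PASSWORD, SECRET, REQUEST_AUTH)
    print("on the wire :", hidden.hex())
    print("right secret:", recover_user_password(hidden, SECRET, REQUEST_AUTH))
    print("wrong secret:", recover_user_password(hidden, b"other-key", REQUEST_AUTH))
```

Because the masking depends only on the shared secret and the per-request authenticator, a long random key and a management path that is not shared with user traffic matter more with pap than with peap-mschapv2.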