M and MSM Series
cancel
Showing results for 
Search instead for 
Did you mean: 

HP E-MSM430 802.11x Authentication with NPS

 
SOLVED
Go to solution
Highlighted
Advisor

HP E-MSM430 802.11x Authentication with NPS

If anyone can help it would be much appreciated.

I am having problems with 802.11x authentication between my new HP E-MSM430 wireless access point and an NPS server running on a Windows 2008 R2.

 

My Setup:

I have a new RADIUS client setup on the NPS server configured with the correct IP address of the WAP and matching shared secret that’s setup on the WAP.

 

On NPS a network policy has been setup with a condition to grant access to a selected security group containing users and computers. The only constraints are that EPEAP or EAP-MSCHAPv2 authentication methods are being used.

The NPS server has been registered with AD & server and client certificates have been rolled out to the NPS server and Clients.

 

Before testing the whole setup with a wireless client I decided to double check RADIUS was working between the WAP and the RADIUS server on NPS. To do this I used the ‘Management Tool’ under the Management TAB (image attached).

 

For some reason I keep getting the following RADIUS error:

Mar 25 21:21:04 warni webs Received RADIUS Access Reject for user test-user.

Mar 25 21:21:04 info webs Sending RADIUS Access Request for User (name='test-user') to RADIUS Server (ip-address='192.168.3.170',port='1812')

 

I keep tweaking little settings here and there but I seem to be getting the same error. I decided to setup RADIUS on another vendor device and authentication was successful. Am I missing a setting on the HP WAP?

 

Has anyone else had simular issues or advice me on where to go next, I'm at a complete loss.

 

Thanks

13 REPLIES 13
Highlighted
Honored Contributor

Re: HP E-MSM430 802.11x Authentication with NPS

Look in Event Viewer on the NPS server, the Security or System logs should have some info on why the users are beeing rejected.

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

Morning. I've had a look in the NPS and secuirty logs on the NPS server and I seem to be getting the following error..

 

A RADIUS message was received from the invalid RADIUS client IP address 192.168.3.170.

 

 

 

So there connection seems to be fine but for some reason the RADIUS server keeps rejecting the connection, unfortuantly the event logs dont seem to provide enough detail into the problem.

 

Has anyone comes across this before or maybe is there a way I can perform a more granular error logging on the NPS server to see why the connection is being REJECTED.

 

Thanks again

Highlighted
Honored Contributor

Re: HP E-MSM430 802.11x Authentication with NPS

I dont think you can be more granular than that, looks as if the servers isnt recognizing 192.168.3.170 as a client even as you clearly have it defined. Try removing it and adding it again?

 

Try and google the message also.

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

Highlighted
Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

Thank you for the quick reply. I have been googling this all weekend to no avail, I shall keep looking though. Just out of interest.

 

On the WAP the only option I have configured to enable RADIUS is the RADIUS Profile, is that correct?

 

and I have been using the management tool to test the authentication, snapshoot attached.

Highlighted
Honored Contributor
Solution

Re: HP E-MSM430 802.11x Authentication with NPS

Hi,

When testing the management login, be sure you have it in your policy to match on NAS port type Async, as it doesnt use the Wireless NAS port that a regular RADIUS request from a wireless client would.
---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

Highlighted
Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

I've had a look at the network policy and I think everything is in place, I'm in the process of setting up another NPS server on a 32bit 2008 box to see if there are compatibility issues with 2008 R2.

 

Network and connection policy attached. Please highlight anything that might be missing or set incorrectly.

 

Thanks again

Highlighted
Regular Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

On your VSC, do you have the authentication box enabled? On my 802.1X VSCs, I have that checked. Then, on the RADIUS/NPS server, I only end up putting the client IP addresses of my MSM controllers, not the IP address of each of the APs themselves.

Have you tried that?
Jesse R
Source One Technology, Inc.
HP Partner


MSM 5.7.x deployment guide:

Highlighted
Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

Thanks for the reply Jesse. In my test enviroment I only have one WAP that's in standalone mode (It's not using a controller). The standalone WAP is trying to authenticate against the NPS.

 

I've been running WireShark to monitor the RADIUS packets to get a better idea why the connection is being REJECTED.

 

Shown Below: (Looks like the WAP is falling over when handshaking with the NPS server)

RadiusMSSpecificPublicTLV: MS-CHAP-Error, 1(0x1)

VendorType: MS-CHAP-Error, 2(0x2)

VendorLength: 16 (0x10)

Ident: 0 (0x0)

ErrorString: E=691 R=0 V=3

 

There must be an attribute i'm missing on the NPS server!?!

Highlighted
Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

Would somone have an exmaple of the attributes that they have setup in NPS to get the HP WAP point working with windows NPS server?

 

Thanks in advance.