Viper_x
Advisor

MSM710 Controller (Active Directory Authentication)

Hello everyone. I have been trying to configure the MSM710 to authenticate a wireless user using the Active Directory settings.

Every time a wireless client connects I keep getting the same error on the controller:

E:internal authorization attributes are missing.

 

I have successfully connected the controller to AD (computer object created in Computers OU), which is great. I have also set up a group on the controller called "Wireless-Group" which matches the security group in AD; the user has been added to the group.

 

Both the VSC and the Active Directory group attributes on the controller have "Access controlled" set to NO. I have attached a screen print below.

 

Apr 16 15:53:08 debug iprulesmgr Added Station Table Entry (id='8',ip-address='192.168.5.20',mac-address='00:1C:2E:D9:CD:00',virtual-ap-index='1').

 

Apr 16 15:53:03 debug iprulesmgr Sending RADIUS Access Challenge (id='28') to RADIUS Client (ip-address='169.254.0.4',port='35997').

 

Apr 16 15:53:03 debug iprulesmgr Received RADIUS Packet (Length:'106',Code:'Access-Challenge',Id:'26') from RADIUS Server (Ip:'127.0.0.1',Port:'1645') for User (nas-port:'54',username:'portav\test').

 

Apr 16 15:53:03 debug radiusd E:internal authorization attributes are missing.

 

I must be missing something simple, if anyone has an idea please post.

 

8 REPLIES 8
Viper_x
Advisor

Re: MSM710 Controller (Active Directory Authentication)

Unfortunately I am still getting the same authentication issue with the MSM710 controller with AD running on Windows Server 2008 R2.

 

I'm starting to think that there might be a compatibility issue with the MSM710 controller and Windows 2008 R2. Has anyone else experienced any problems with a similar setup?

bstahl
Occasional Visitor

Re: MSM710 Controller (Active Directory Authentication)

I am having the exact same issue with a MSM 765zl and Windows Server 2008 R2. I keep getting

 

debug radiusd E:internal authorization attributes are missing.

 

Current firmware version: 5.5.3.0-01-10326

 

I double-checked every setting, especially AD group mappings (using different groups). I am using a setup without access control.


Viper_x
Advisor

Re: MSM710 Controller (Active Directory Authentication)

Thank you for the reply.

 

I still have the same problem and unfortunately HP support does not cover configuration within the support contract of the controller or WAP.

 

I really do think this may still be a compatibility issue with R2, despite HP stating it was fixed. One question I have for you: are your DC servers virtual (Sphere or Hyper-V)?

 

Also, I ran Wireshark on the DC when trying to get RADIUS working, before playing around with AD authentication, and noticed a CHECKSUM error with one of the RADIUS packets.

I edited the adaptor on the server and changed the IPv4 Checksum Offload option to disabled.

 

This fixed the issue with the RADIUS packet erroring, but I was still unable to authenticate using RADIUS with NPS.

 

I've gone back to AD authentication now, where I still get the same error as you. Let me know if you figure it out.

 

 

bstahl
Occasional Visitor

Re: MSM710 Controller (Active Directory Authentication)

I updated to 5.7.0.2 yesterday, still no luck.

 

DCs are virtual (Hyper-V).

 

TCP offload should not be related to this issue. Connection to the AD is doing just fine and the controller is retrieving all the groups for the user. You might want to start Extra AD/Radius debug via Controller -> Tools -> System tools for additional info in the System log. I think I am missing some setting on the controller.

Viper_x
Advisor

Re: MSM710 Controller (Active Directory Authentication)

I have already applied the Extra AD/Radius debugging... I think there is a compatibility issue with AD auth with R2.

 

It's not all bad news though, I managed to successfully configure RADIUS with NPS on an R2 box. It looks as though the guys at Microsoft forgot to add an important attribute within the Controller Authentication Certificate template when they changed security in R2.

 

Under the Controller Authentication Certificate, under the Details tab, there is an attribute called Subject, which is blank (this is meant to contain the server name). I used common name. The subject is required for EAP-TLS or PEAP with EAP-TLS to work.

 

After changing the Controller Authentication Certificate default template and re-enrolling the certificate, RADIUS authentication started to work. I was hoping this would also sort out the issue with AD auth but it didn't.

 

I've spent too much time on this now so I'm sticking with RADIUS for the time being. If you figure it out let me know. I think it's a bug.

bstahl
Occasional Visitor

Re: MSM710 Controller (Active Directory Authentication)

I just figured out that the radiusd error does not seem to be related to the clients not being able to connect. For me, the issue was a certificate validation error. The clients were not able to verify the authenticity of the certificate used for the EAP authentication. I installed a trusted certificate from our internal CA and assigned it for use with RADIUS EAP. On Windows 7, I preconfigured the network for user authentication and selected the corresponding root CA to validate the certificate. This solved my problem.
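
Added example (not part of the post above and not HP code): a small triage script for controller debug logs in the format quoted in this thread. It counts the radiusd "E:" lines separately and reports, per user, whether the RADIUS exchange reached a final answer or stopped at Access-Challenge, which points at the supplicant side of the EAP exchange such as the client's certificate check. The sample log is constructed, and the Access-Accept line is an assumption modelled on the Access-Challenge line shown in the first post.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the thread.
# Assumption: Access-Accept lines look like the Access-Challenge line.
SAMPLE_LOG = r"""
Apr 16 15:53:03 debug radiusd E:internal authorization attributes are missing.
Apr 16 15:53:03 debug iprulesmgr Received RADIUS Packet (Length:'106',Code:'Access-Challenge',Id:'26') from RADIUS Server (Ip:'127.0.0.1',Port:'1645') for User (nas-port:'54',username:'portav\test').
Apr 16 15:53:03 debug iprulesmgr Received RADIUS Packet (Length:'110',Code:'Access-Challenge',Id:'27') from RADIUS Server (Ip:'127.0.0.1',Port:'1645') for User (nas-port:'54',username:'portav\test').
Apr 16 15:54:10 debug radiusd E:internal authorization attributes are missing.
Apr 16 15:54:10 debug iprulesmgr Received RADIUS Packet (Length:'106',Code:'Access-Challenge',Id:'31') from RADIUS Server (Ip:'127.0.0.1',Port:'1645') for User (nas-port:'55',username:'portav\alice').
Apr 16 15:54:11 debug iprulesmgr Received RADIUS Packet (Length:'180',Code:'Access-Accept',Id:'32') from RADIUS Server (Ip:'127.0.0.1',Port:'1645') for User (nas-port:'55',username:'portav\alice').
"""

# Matches the "Received RADIUS Packet" debug line and pulls out code and user.
PACKET = re.compile(
    r"Received RADIUS Packet \(Length:'\d+',Code:'(?P<code>[^']+)',Id:'\d+'\)"
    r".*?username:'(?P<user>[^']+)'")
# RADIUS codes that end an authentication attempt (RFC 2865 names).
FINAL = {"Access-Accept", "Access-Reject"}
RADIUSD_ERR = "radiusd E:internal authorization attributes are missing"


def triage(log_text):
    """Return ({username: verdict}, count of radiusd 'E:' lines)."""
    codes = defaultdict(list)
    radiusd_errors = 0
    for line in log_text.splitlines():
        if RADIUSD_ERR in line:
            radiusd_errors += 1
        m = PACKET.search(line)
        if m:
            codes[m["user"]].append(m["code"])
    verdicts = {}
    for user, seen in codes.items():
        final = [c for c in seen if c in FINAL]
        if final:
            verdicts[user] = final[-1]  # last final answer wins
        else:
            # Server kept challenging and never got to accept or reject.
            verdicts[user] = "stalled after %d challenge(s)" % len(seen)
    return verdicts, radiusd_errors


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

In the constructed sample the "E:" line appears for both users, yet only one of them stalls, so the per-user verdict is the more useful signal when deciding whether to look at the client's trusted root CA settings.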

ndoudna
Frequent Advisor

Re: MSM710 Controller (Active Directory Authentication)

 

>>

I have successfully connected the controller to AD (computer object created in Computers OU), which is great. I have also set up a group on the controller called "Wireless-Group" which matches the security group in AD; the user has been added to the group.

>>

 

Do you *have* to set up a group on the Controller in order for AD authentication to work?  My MSM710 has joined our Windows domain, but wireless users don't get an IP address or appear in AD at all.

 

(If I remove the AD authentication from the VSC, it all works, so I know the wired network and DHCP and all that is working -- it's just AD authentication that stops us dead in our tracks, including no DHCP.)

 

thanks,

noemi

Colin_Airpass
Occasional Advisor

Re: MSM710 Controller (Active Directory Authentication)

I'm having a similar issue with an MSM710 on our test bed.

It's running 5.7.1.1 code and we're using creaky-old Server 2003 Enterprise R2.

It seems to be another case where the feature used to work fine but now doesn't.

I'm considering rolling-back to an older vers of code to double-check my config.

Will post any results.