
HP E-MSM430 802.11x Authentication with NPS

 
Viper_x
Advisor

HP E-MSM430 802.11x Authentication with NPS

If anyone can help it would be much appreciated.

I am having problems with 802.11x authentication between my new HP E-MSM430 wireless access point and an NPS server running on Windows 2008 R2.

 

My Setup:

I have a new RADIUS client set up on the NPS server, configured with the correct IP address of the WAP and a matching shared secret that's set up on the WAP.

On NPS a network policy has been set up with a condition to grant access to a selected security group containing users and computers. The only constraints are that PEAP or EAP-MSCHAPv2 authentication methods are being used.

The NPS server has been registered with AD & server and client certificates have been rolled out to the NPS server and Clients.

 

Before testing the whole setup with a wireless client I decided to double check RADIUS was working between the WAP and the RADIUS server on NPS. To do this I used the ‘Management Tool’ under the Management TAB (image attached).

 

For some reason I keep getting the following RADIUS error:

Mar 25 21:21:04 warni webs Received RADIUS Access Reject for user test-user.

Mar 25 21:21:04 info webs Sending RADIUS Access Request for User (name='test-user') to RADIUS Server (ip-address='192.168.3.170',port='1812')

 

I keep tweaking little settings here and there but I seem to be getting the same error. I decided to set up RADIUS on another vendor device and authentication was successful. Am I missing a setting on the HP WAP?

Has anyone else had similar issues, or can anyone advise me on where to go next? I'm at a complete loss.

 

Thanks

Fredrik Lönnman
Honored Contributor

Re: HP E-MSM430 802.11x Authentication with NPS

Look in Event Viewer on the NPS server, the Security or System logs should have some info on why the users are being rejected.

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

Viper_x
Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

Morning. I've had a look in the NPS and security logs on the NPS server and I seem to be getting the following error:

A RADIUS message was received from the invalid RADIUS client IP address 192.168.3.170.

So the connection seems to be fine but for some reason the RADIUS server keeps rejecting the connection; unfortunately the event logs don't seem to provide enough detail into the problem.

Has anyone come across this before, or is there maybe a way I can perform more granular error logging on the NPS server to see why the connection is being REJECTED?

 

Thanks again

Fredrik Lönnman
Honored Contributor

Re: HP E-MSM430 802.11x Authentication with NPS

I don't think you can be more granular than that, looks as if the server isn't recognizing 192.168.3.170 as a client even as you clearly have it defined. Try removing it and adding it again?

 

Try and google the message also.

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

Viper_x
Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

Thank you for the quick reply. I have been googling this all weekend to no avail, I shall keep looking though. Just out of interest.

 

On the WAP the only option I have configured to enable RADIUS is the RADIUS Profile, is that correct?

 

And I have been using the management tool to test the authentication, snapshot attached.

Fredrik Lönnman
Honored Contributor
Solution

Re: HP E-MSM430 802.11x Authentication with NPS

Hi,

When testing the management login, be sure you have it in your policy to match on NAS port type Async, as it doesn't use the Wireless NAS port that a regular RADIUS request from a wireless client would.
---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

Viper_x
Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

I've had a look at the network policy and I think everything is in place, I'm in the process of setting up another NPS server on a 32bit 2008 box to see if there are compatibility issues with 2008 R2.

 

Network and connection policy attached. Please highlight anything that might be missing or set incorrectly.

 

Thanks again

JesseR
Regular Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

On your VSC, do you have the authentication box enabled? On my 802.1X VSCs, I have that checked. Then, on the RADIUS/NPS server, I only end up putting the client IP addresses of my MSM controllers, not the IP address of each of the APs themselves.

Have you tried that?
Jesse R
Source One Technology, Inc.
HP Partner


MSM 5.7.x deployment guide:

Viper_x
Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

Thanks for the reply Jesse. In my test environment I only have one WAP that's in standalone mode (it's not using a controller). The standalone WAP is trying to authenticate against the NPS.

 

I've been running WireShark to monitor the RADIUS packets to get a better idea why the connection is being REJECTED.

 

Shown Below: (Looks like the WAP is falling over when handshaking with the NPS server)

RadiusMSSpecificPublicTLV: MS-CHAP-Error, 1(0x1)

VendorType: MS-CHAP-Error, 2(0x2)

VendorLength: 16 (0x10)

Ident: 0 (0x0)

ErrorString: E=691 R=0 V=3

 

There must be an attribute I'm missing on the NPS server!?!
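
Added example, not part of the original thread: a decoder for the MS-CHAP-Error vendor-specific attribute shown in the capture above, following the field layout of RFC 2548 and the error codes of RFC 2759. The function names and the sample bytes are constructed here from the values quoted in the post.

```python
import re
import struct

# Failure codes defined for the E= field in RFC 2759, section 6.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
VENDOR_SPECIFIC = 26        # RADIUS attribute type (RFC 2865)
MICROSOFT_VENDOR_ID = 311   # vendor ID used by RFC 2548 attributes
MS_CHAP_ERROR = 2           # vendor type, as shown in the capture


def parse_ms_chap_error(attr: bytes) -> dict:
    """Decode one Vendor-Specific attribute that carries MS-CHAP-Error."""
    if len(attr) < 9:
        raise ValueError("attribute too short for an MS-CHAP-Error VSA")
    a_type, a_len, vendor_id = struct.unpack("!BBI", attr[:6])
    v_type, v_len, ident = attr[6], attr[7], attr[8]
    if a_type != VENDOR_SPECIFIC or vendor_id != MICROSOFT_VENDOR_ID:
        raise ValueError("not a Microsoft Vendor-Specific attribute")
    if v_type != MS_CHAP_ERROR:
        raise ValueError("vendor type is not MS-CHAP-Error")
    if a_len != len(attr) or v_len != len(attr) - 6:
        raise ValueError("length fields do not match the data")
    text = attr[9:].decode("ascii", errors="replace")
    head, _, message = text.partition(" M=")   # M= may contain spaces
    fields = dict(re.findall(r"([A-Z])=(\S+)", head))
    if not fields.get("E", "").isdigit():
        raise ValueError("missing or non-numeric E= field")
    code = int(fields["E"])
    return {
        "ident": ident,
        "error_code": code,
        "error_name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": fields.get("R") == "1",
        "version": fields.get("V"),
        "message": message,
    }


def sample_attribute() -> bytes:
    """Constructed sample built from the field values quoted in the post."""
    vsa = bytes([MS_CHAP_ERROR, 16, 0]) + b"E=691 R=0 V=3"
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vsa), MICROSOFT_VENDOR_ID) + vsa
```

For the quoted string, E=691 decodes to ERROR_AUTHENTICATION_FAILURE and R=0 means a retry is not allowed; the code alone does not say which NPS policy or credential check produced the failure.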

Viper_x
Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

Would someone have an example of the attributes that they have set up in NPS to get the HP WAP working with a Windows NPS server?

 

Thanks in advance.

JesseR
Regular Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

One thing that looked weird to me is the NASID you are using, "1234"?? Where did you get that? On my MSM controller, the NASID for the RADIUS profile is the actual serial # of the MSM. (Don't think that's the problem... just curious.)

On my NPS server, under Conditions, the NAS Port Type only has 2 items checked: "Wireless - IEEE 802.11" and "Wireless - Other". I am not using any vendor specific RADIUS attributes at all. The standard attributes that are set are Framed Protocol - PPP and Service Type - Framed.

 

If you can screenshot all of your various RADIUS policy settings, I can compare to mine. Though I have 2 different ones... one for EAP-TLS and another for PEAP.

 

J

Jesse R
Source One Technology, Inc.
HP Partner


MSM 5.7.x deployment guide:

JesseR
Regular Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

Also, what is the NPS event log reporting?? (Windows event log -> server roles -> NPS)

You should see the actual rejection/error and applicable error code and reason why..?


Jesse R
Source One Technology, Inc.
HP Partner


MSM 5.7.x deployment guide:

Fredrik Lönnman
Honored Contributor

Re: HP E-MSM430 802.11x Authentication with NPS

I'd suggest creating a separate policy for the management login, I'm not sure if using framed-protocol ppp and service-type framed will match with that. Sadly I don't have access to the NPS where I've done this ;\
---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

Viper_x
Advisor

Re: HP E-MSM430 802.11x Authentication with NPS

I'd like to thank you all for your help today. Finally I got the management tool authenticating correctly. After analysing the RADIUS packets on the NPS server and using notes you guys posted I got it working.

Fredrik, the post regarding "match on NAS port type Async" under the network conditions was required and a renewal of the CA CERT on the WAP resolved my problem.

I do have one last problem, which I will raise as a different post; if anyone is willing to take a look it'll be most appreciated.

Again thanks for your help.