HPE Community
M and MSM Series
1833365 Members
3310 Online
110052 Solutions
New Discussion

MSM760 AD Integration

 
Tim Dressel
Occasional Advisor

‎11-01-2009 11:05 AM - last edited on ‎12-01-2013 07:43 PM by

‎11-01-2009 11:05 AM - last edited on ‎12-01-2013 07:43 PM by

MSM760 AD Integration

I have an MSM760 Access Controller and a handful of MSM AP's (dual b/g radios). I have figured out how to create VSC's and assign them to AP's on one or both radios. I have also figured out how to do static encryption.

What I am trying to accomplish is Single Sign On for Vista and Windows 7. I have followed the guides for 802.1X in the Implementation Guide date May 2009, but their examples are more complex that what I need.

I've also tried doing AD integration, but I'm getting nowhere. I was able to join the controller to AD, and when I create groups in AD and on the Controller named the same, I can't get authentication on the controller to work.

Anyone out there have a simple step by step example of enterprise authentication with AD using WPA2 to achieve SSO capability with Vista/7?

Thanks so much in advance...

 

P.S. This thread has been moved from Communications, Wireless (Legacy ITRC forum) to MSM Series. -HP Forum Moderator

0 Kudos
3 REPLIES 3
Holger Hasenaug
Trusted Contributor

‎11-01-2009 02:31 PM

‎11-01-2009 02:31 PM

Re: MSM760 AD Integration

Testing and Troubleshooting Active-Directory
https://my.procurve.com/knowledgebase/knowledgemanagement.aspx?wp=showarticle&id=984
0 Kudos
Sietze Reitsma
Respected Contributor

‎11-02-2009 12:37 AM

‎11-02-2009 12:37 AM

Re: MSM760 AD Integration

OK. First of all you need a radius server for 802.1x either the internal radius server on the controller or an external one.

so you need to make the following choices:

1. using internal radius server and use AD
for authentication.

2. using external radius server (for example Microsoft IAS or NPS)

If you want to do authentication on the wired lan in the future, I would recommend to use the external radius server. How to configure IAS is described in the implementation guide.

If number 1 is your choice then you can do 802.1x step by step by starting with a local account and the internal radius server. If this works then disable the local accounts and authenticate via the AD. At least you know that 802.1x is working.

If you want to use the single sign-on, check in you client settings EAP-MSCHAPv2 windows logon is on.
0 Kudos
Tim Dressel
Occasional Advisor

‎11-02-2009 08:34 AM

‎11-02-2009 08:34 AM

Re: MSM760 AD Integration

Hi everyone,

Thanks for your replys. I was under the impression that the AD integration was as simple as joining the controller to AD, then doing some sort of map between local and AD groups and WPA2 enterprise with SSO would just work.

After spending the whole weekend messing around with this, I discovered that although its not hard, its by no means a straight forward setup.

What I ended up doing is creating a new AD server with 2008 Enterprise (because all my servers were standard, and standard 2008 cannot sign an RAS/NPS certificate,,, apparently this is supported in 2008 R2), then I configured NPS for MSCHAPV2 with EAP, auto enroled my wireless devices and setup the default domain policy for Vista and 7 desktops to auto connect as machines, then configured the controller for Authentication and Access control. I pointed it towards my NPS server in the RADIUS section, and the VSC uses 802.1X as remote radius, not AD.

Less elegant than I had expected, but the end result is a beautiful thing! I can push GPO's before startup to deploy settings, software, etc, over encrypted wireless. What more could you ask for. Well, maybe the setup to be simpler, haha!

Cheers,
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.