802.1x authentication fails after migration to NAP

  • Question

  • hi,
     
    We have a problem with 802.1x authentication after migration from W2003 Ent to W2008 Ent. Authentication is processed for users in AD (2003 DC) by NAP (RADIUS) rules that point to different VLANs. It seems in 2003 it was working rather well. The problem we have now is that all clients (XP SP3) that have profile paths in their AD account fail to authenticate with the new NAP server.

    Clients without roaming profiles (or whose user account's profile path is empty) work well. It seems the NAP rules are fine and work well, as the IAS logs don't show any problems (the old W2003 worked fine). Security and permissions are also fine.

    P.S. Of course it generates event errors 1511, 1521 "Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile..." But the problem is: why are the clients unable to authenticate?

    thank you for help
    Wednesday, December 3, 2008 8:35 AM

Answers

All replies

  • Hi,

    Clients with roaming profiles do have to communicate with the server. If it's not reachable then an error is shown.
    Clients without roaming profiles don't have to communicate with the server, so no error is shown, even if there's no network connectivity.

    So I think that all clients have network connectivity issues due to failed authentication. Try to isolate the problem to a specific area. You could separately check if:

    RADIUS is working
    802.1x is working
    debugging is set on the switch for easier troubleshooting
    the switch counters are increasing.

    Check if RADIUS is working:
    You can check that by securing the switch console login. To gain access to the switch console (or telnet) you have to enter a domain account and password. If you gain access, RADIUS is working well.

    Another troubleshooting approach is to use the bottom-up model.
    See http://www.ciscopress.com/articles/article.asp?p=102211&seqNum=3 for more information about this.

    Good luck with it
    Thursday, December 4, 2008 10:38 AM
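    The "check if RADIUS is working" step above can also be run from any host on the network instead of through the switch console. The following is an added example, not code from this thread or from any of the posters' environments: a minimal RADIUS (RFC 2865) PAP probe built only on the Python standard library. It builds an Access-Request with the User-Password hidden as the RFC specifies, sends it to the server, and, importantly, verifies the Response Authenticator of whatever comes back, so a reply produced with the wrong shared secret (or forged by something else on the VLAN) is reported as invalid rather than trusted. The host 10.0.0.18, the shared secret, the account name and the NAS-Identifier in the usage call are placeholders. Two caveats: this probes RADIUS reachability, the shared secret and the NPS connection/network policies, not the EAP exchange that a real 802.1x supplicant does; and an NPS policy that only allows PEAP/EAP will answer a PAP probe with an Access-Reject, which is still a useful result because a reply with a valid Response Authenticator proves the server is reachable and the secret matches. Use a throwaway test account, since PAP hiding is only an MD5 keystream.

```python
"""Minimal RADIUS (RFC 2865) PAP probe using only the Python standard library.

Added example for this thread; hosts, secrets and account names are placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password per RFC 2865 section 5.2: zero-pad to 16-byte blocks,
    XOR the first block with MD5(secret + Request Authenticator) and every
    following block with MD5(secret + previous ciphertext block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def decode_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password (what the RADIUS server does); strips the padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, ident=1, authenticator=None,
                         nas_id=b"probe"):
    """Return (packet, request_authenticator). The authenticator is random unless given."""
    ra = authenticator or os.urandom(16)
    body = (attr(ATTR_USER_NAME, username)
            + attr(ATTR_USER_PASSWORD, encode_pap_password(password, secret, ra))
            + attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra


def build_response(code, ident, request_authenticator, secret, attributes=()):
    """Server side, used here to produce test replies:
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request_authenticator, secret, ident):
    """Client side: accept a reply only if the Identifier, Length and Response
    Authenticator all check out. A reply made with a different shared secret fails."""
    if len(response) < 20:
        return False
    _code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def probe(host, secret, username, password, port=1812, timeout=3.0):
    """Send one Access-Request and classify the reply: 'accept', 'reject', 'other' or
    'invalid' (unverifiable reply: wrong shared secret, or not from the real server).
    A socket timeout propagates to the caller and means the server never answered."""
    ident = os.urandom(1)[0]
    pkt, ra = build_access_request(secret, username, password, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        resp, _ = s.recvfrom(4096)
    if not verify_response(resp, ra, secret, ident):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(resp[0], "other")


if __name__ == "__main__":
    # Placeholder target, secret and account; the probing host must be registered
    # as a RADIUS client on the NPS server with the same shared secret.
    print(probe("10.0.0.18", b"testing123", b"WORKERS\\TEST1", b"Pa55word"))
```

    A verified "reject" from an NPS policy that only permits EAP is a pass for the RADIUS layer: the server is up, the client address is registered and the secret is right, so the next thing to look at is the 802.1x side (switch port state, the supplicant service and the user-versus-computer authentication step).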
  • Hi Roel, thanks for your answer.

    RADIUS and 802.1x seem to work fine. The switch counter numbers are increasing.

    Actually what we found is that with XP SP2 everything works fine. So I guess XP SP3 has an influence on my problems. Maybe you or somebody else has the same situation with the same problems, or it is just our NAP misconfiguration.

    Thanks in advance.
    Friday, December 5, 2008 9:58 AM
  • I just want to know if somebody has a similar configuration:

    802.1x
    Win 2008 NPS server
    XP SP3 with roaming profiles

    and how does it work?

    Wednesday, December 10, 2008 12:13 PM
  • Well, it shouldn't be that hard to get roaming profiles working with NAP.
    Personally, I haven't tested it with roaming profiles, only NAP 802.1x (AD 2003 DC server, NPS server, Vista, XP SP3, 802.1x).

    Something to think about is that if your DC is on a different VLAN than the compliant (and/or non-compliant) clients, and you want to allow connectivity to the DC, inter-VLAN routing must be enabled.
    Because VLANs are logically separated networks, the client computer has to know how to reach the DC.

    NAP 802.1x without roaming profiles is working well? If that's the case then something is wrong with network connectivity to the DC (or file server), or it's a bug in XP SP3. But that's hard to imagine because I never heard about it ;)

    good luck with it
    Thursday, December 11, 2008 7:48 AM
  • Hi,

    Are you still having a problem authenticating with XP SP3 and roaming profiles? Can you confirm that this is because NPS can't find the profile location? This isn't really a NAP related question, but we will try to help. Please provide more information about the policy configuration and location of profiles for XP SP2 and XP SP3. What is your VLAN configuration?

    Also note that there are differences between SP2 and SP3 with regard to 802.1X authentication services. With SP3, we have separated the wireless service from the wired service and created a new Dot3Svc (Wired AutoConfig). This service is set to manual start.

    Thanks,
    -Greg
    Sunday, December 14, 2008 7:38 PM
  • Hi guys,

    Yes, the problem still persists. Yes, the Dot3Svc service is started all the time. XP SP2 seems to work well with roaming profiles, but not SP3. So from the beginning it goes like this.

    I start XP SP3, it boots until (Ctrl+Alt+Delete) and it gets an IP address from the WORKERS VLAN by one of the RADIUS (Network Policies) rules (computer authentication). Ping works and everything looks fine. I take user TEST1 from the WORKERS domain, enter the login credentials, the user logs in (no logon errors about the roaming profile) and he should get an address from the SAME WORKERS VLAN, but authentication fails on the client.

    In the XP SP3 event viewer I don't get errors about the roaming profile. No errors while logging on. The profile is located on a separate file server and the user has full access rights to it.

    Our HP 2650 configuration (comments added for readability; ProCurve treats ";" lines as comments):

    ; authenticate port-access (802.1x) clients via EAP against RADIUS
    aaa authentication port-access eap-radius
    ; shared secret and address of the RADIUS (NPS) server
    radius-server key ********
    radius-server host 10.0.0.18
    no snmp-server enable traps link-change 1-49
    ; enable the 802.1x authenticator on port 31
    aaa port-access authenticator 31
    ; wait up to 300 s for the RADIUS server before giving up
    aaa port-access authenticator 31 server-timeout 300
    ; force re-authentication every 60 s
    aaa port-access authenticator 31 reauth-period 60
    ; VLAN assigned while the port is not (yet) authenticated
    aaa port-access authenticator 31 unauth-vid 136
    aaa port-access authenticator active
    aaa port-access 31

    Monday, December 15, 2008 12:59 PM
  • I found that a mandatory profile messes things up (with NTUSER.dat it works fine).
    Tuesday, January 6, 2009 3:13 PM