802.1x and GPO with multiple SSIDs RRS feed

  • Question

  • Hi Folks,

    I'm having an issue with 802.1x, Windows Server 2008 R2 NPS, and Windows 7 Clients.  I am attempting to deploy two WLANs, one for student use and one for staff use.  The Network Policies are both configured the same, with access to the Staff SSID requiring membership in the Domain\Staff group and the Student SSID requiring membership in the Domain\Students group (I'm using Called Station ID to associate the network policies with the appropriate SSID).  

    The SSIDs are each utilizing the same authentication methods and are configured identically in my GPO (computer - windows settings - Security Settings - Wireless Network (IEEE 802.3) Policies.  

    The issue is as follows:

    If the "Student" SSID is listed first in the list under "Connect to available networks in the order of profiles listed below" (and appears in the windows login as "Windows will attempt to connect to Student") then students can login and they connect as expected.  However, "Staff" members, who are NOT authorized for the "Student" network, get a "unable to connect to Student, logging on..." message quickly followed by "There are currently no logon servers available to service the logon request."  If move the Staff SSID to the top of the list, it appears in the windows login screen as "Windows will attempt to connect to Staff."  Now Members of the Staff group can login but Student users now receive a "unable to connect to Staff, logging on..." message quickly followed by "There are currently no logon servers available to service the logon request."

    Users with cached credentials can login as SSO is enabled, but I need "new" users to be able to authenticate and connect to the appropriate network.  It appears to me that the credentials are never passed after the user is denied access to the first SSID on the list.  What am I missing? 

    Tuesday, April 9, 2013 3:39 PM

All replies

  • Addition:

    Combined both GPO wireless profiles into a single profile with multiple SSIDs thinking that since they share a common authentication and security settings, this might make a difference.  As best as I can tell, the issue is remains.  

    Tuesday, April 9, 2013 4:29 PM
  • Hi,

    If your deployment uses multiple SSIDs and each wireless AP uses the same wireless security settings, repeat this step to add the SSID for each wireless AP to which you want this profile to apply.

    If your deployment uses multiple SSIDs and the security settings for each SSID do not match, configure a separate profile for each group of SSIDs that use the same security settings. For example, if you have one group of wireless APs configured to use WPA2-Enterprise and AES, and another group of wireless APs to use WPA-Enterprise and TKIP, configure a profile for each group of wireless APs.

    For more details, please refer to Configure 802.1X Wireless Access Clients running Windows 7 and Windows Vista.

    Hope this helps.

    Jeremy Wu
    TechNet Community Support

    • Proposed as answer by Jeremy_Wu Saturday, April 13, 2013 7:09 AM
    • Marked as answer by Jeremy_Wu Monday, April 15, 2013 8:46 AM
    • Unmarked as answer by KingBear159256987 Monday, April 15, 2013 10:16 AM
    Thursday, April 11, 2013 5:27 PM
  • The issue remains.  Only the SSID at the top of the list will auto-connect, which means that if the user is new to the computer, he or she will be denied access with the "There are currently no logon servers available to service the logon request" if the user is not a member of a windows security group that the NPS rule uses to allow access.  This is the issue identified in the original post.  My guess is that I have something misconfigured in the WLAN GPO.  It appear to me that once a user is denied access to the top SSID defined in the GPO, the user's credentials/attributes are never tested against the next SSID in the list.  How can I make this happen? 

    And again...  The issue is only for a new user who does not have a local profile on the machine.  

    Network Policy Server denied access to a user.  The concerning thing, is that the event viewer of the NPS server never shows the "student" user being tested against the "Student" SSID, but rather only against the "Staff" SSID.  Of course the student account will fail, because it should.  Why does it not then try the next SSID defined in the GPO profile?  

    If I remove the Staff SSID from the list, then the students authenticate without issue.  It appears that once a user fails one NPS network policy, processing of any further policies stops.  Is this how it is supposed to work?

    Monday, April 15, 2013 10:46 AM
  • Any update on some help?  I've been messing with every setting in the GPO without any change to behavior.  Would having the machine authenticate to the network first allow for new users to successfully login?  Although I thought that was the job of SSO? 

    Tuesday, April 23, 2013 11:21 AM