Wireless 802.1x with NPS and HP Access point - not working

  • Question

  • Hi,

    I seem to have some problems with my 802.1x NPS and HP V-M200 access point setup.

    My problem is probably more HP related than Microsoft, but here goes, maybe someone has the same access points as I do.

    On my access points I have 2 SSIDs: one for guests (open, no problem) and one for our private network, and this is the network I want 802.1x on. I configured my access point and NPS, and the connection between the two seems to be working.

    When I connect to my private wireless network, the event viewer on my NPS server says it approves the client, and everything is okay. But on my access point, not so much: I have an overview of connected clients and my laptop is stuck at status "Unauthorized" even though NPS has already approved my client.

    I am using PEAP for my authentication protocol, but again, it seems there is more of a problem with the "client is approved" messages sent between NPS and my access points. I have these connection attributes configured on NPS:

    Framed-protocol: PPP (standard)

    Service-type: Framed (standard)

    Tunnel-Pvt-Group-ID: 11 (my private VLAN)

    Tunnel-type: VLAN

    Tunnel-Medium-type: 802

    I checked the manual for my access points to find the right accept messages and to see if what I wanted was even possible with my access points.

    HP says it is, and it says the configuration above should be all, or at least in their manual.

    Any help is much appreciated!

    /Mick


    /Mick Negendahl

    • Moved by Aiden_Cao Thursday, August 9, 2012 2:10 AM (From:Network Infrastructure Servers)
    Tuesday, August 7, 2012 8:18 AM

All replies

  • Hmm.. I just saw something very strange.

    I was looking at the "Connection overview" on my access point, and my client was connected (and NPS had granted full access) - the status was "not authorized".

    As soon as I disconnect my client, the status changes to "authorized" and authenticated by 802.1x..

    To me, this does not make any sense!


    /Mick Negendahl

    Tuesday, August 7, 2012 9:18 AM
  • Hi,

    Thanks for your post.

    From your description, I see no misconfiguration here in your deployment. For VLAN attributes in network policy, we need to configure the following:

    Tunnel-Medium-Type

    Tunnel-Pvt-Group-ID

    Tunnel-Type

    Tunnel-Tag (optional)

    VLAN Attributes Used in Network Policy

    http://technet.microsoft.com/en-us/library/cc754422(WS.10).aspx

    In order to troubleshoot, please verify that the user group specified in the network policy is correct. Also, I would like to know whether this issue occurs on all clients that try to access the network. If possible, please try to remove the VLAN attributes from the network policy. Then, try to investigate whether the client can be authenticated by the NPS server when accessing the default VLAN.

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Thursday, August 9, 2012 2:57 AM
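Added example, not part of the original thread: one way to confirm that the VLAN attributes listed in this reply actually reach the access point is to take the RADIUS Access-Accept from a packet capture between NPS and the AP and check the three tunnel attributes against the values RFC 3580 expects. The function names and the sample packet are constructed for illustration; the attribute numbers come from RFC 2865 and RFC 2868.

```python
import struct

# Attribute numbers from RFC 2865/2868; VLAN values from RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
VLAN, IEEE_802, ACCESS_ACCEPT = 13, 6, 2

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} from a RADIUS Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def check_vlan_assignment(packet: bytes):
    """Return (vlan_id or None, list of problems found)."""
    attrs, problems = parse_attributes(packet), []
    for name, atype, want in (("Tunnel-Type", TUNNEL_TYPE, VLAN),
                              ("Tunnel-Medium-Type", TUNNEL_MEDIUM_TYPE, IEEE_802)):
        raw = attrs.get(atype)
        if raw is None:
            problems.append(f"{name} missing")
        elif len(raw) != 4 or int.from_bytes(raw[1:], "big") != want:
            problems.append(f"{name} is not {want}")  # 1 tag byte + 3-byte value
    raw = attrs.get(TUNNEL_PVT_GROUP_ID, b"")
    if raw[:1] and raw[0] <= 0x1F:      # optional leading tag byte (RFC 2868)
        raw = raw[1:]
    if not raw.isdigit():
        problems.append("Tunnel-Pvt-Group-ID missing or not a numeric VLAN ID")
        return None, problems
    return int(raw), problems

def build_accept(attrs) -> bytes:
    """Construct a sample Access-Accept (zeroed authenticator) for testing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample mirroring the policy in the question: VLAN 11 over 802.
SAMPLE = build_accept([(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"11")])
```

An empty problem list with the expected VLAN ID means the Access-Accept carries what the policy intends, which points the investigation at how the access point handles the reply rather than at NPS.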
  • Hi,

    My network policy settings look like this (for test, I removed all the VLAN tunnel attributes):

    test network policy

    My access point config looks like this:


    /Mick Negendahl

    Thursday, August 9, 2012 6:33 AM
  • When I connect with my PC (and I tried multiple users / PCs - same result) the NPS log says it's granting access:

    My client still has no IP address, and no access.

    On the access point in the overview, the client looks to be not authorized:


    /Mick Negendahl

    Thursday, August 9, 2012 6:33 AM
  • I tried to test some different things. I tried removing all the "tunnel" attributes from the NPS network policy, and it didn't do anything.

    I tried my standard configuration, with all the "tunnel" attributes, and it still doesn't work either.. it's very strange, since the client is approved by NPS, but the access point doesn't seem to know.. and the client does not get an IP, because the access point does not allow data to flow to the VLAN.

    I am almost sure it's a problem with the attributes in NPS (even though I followed HP's manual for this) or a problem with the access point itself.. it just seems very strange..

    Btw, the VLAN tagging / untagging is no problem: if I just make 2 normal SSIDs with different VLAN assignments, and just a standard WPA encryption or something like that, it works perfectly fine. But I can't have a static code for our private network, I could just imagine all my clients writing the code on a note, and then putting it on their screen, or desk :D


    /Mick Negendahl

    Thursday, August 9, 2012 9:06 AM