Single Radius/DHCP multiple DHCP Scopes

  • Question

  • Hello,

     

    We have some access points (Colubris MAP-320R), that authenticate customers to a Windows Server 2008R2 network policy server.

     

    At the AP side:

        802.1X
        Radius WEP encryption
        MSCHAPv2

    At Network Policy Server side:

        Windows Server 2008R2
        Member of domain
        Network Policy Server
            Requested Domain Controller and Domain Controller Authentication certificates from CA Server – Status Available
            Two different Network Policies in the Network Policy Server
                Policy1 that authenticates members of Active Directory Security group Group1
                Policy2 that authenticates members of Active Directory Security group Group2

    Other Servers:

        Windows Server 2008R2  DC/DHCP/Certification Authority

    Users use their domain account to authenticate through the access point.

    When that happens I see that in Event Viewer in Network Policy and Access Services.

    The events state that users from Group 1 are authenticated with Network Policy Name: Policy 1

     

    The goal I am trying to achieve: Users from Group1 to be given IP Addresses from one DHCP Pool, and users from Group2 to be given IP Addresses from another DHCP Pool.

     

    At the moment, the access points are connected to the network at the same place as the NIC of the DHCP server. The DHCP server has two DHCP Pools (on 1 NIC). When the users log in, regardless of whether they are using a different security policy, they get an IP address from the first DHCP Pool.

     

    Do I have to use DHCP Network Policy and redirect connections from different Network Access policies to the appropriate DHCP pool?

    Or can I achieve that with two DHCP servers?

    Or can I set the Standard and Vendor Specific RADIUS Attributes on Policy 1 and 2 for some VLAN/Tunneling and then set other policies for the two DHCP Pools with the same VLAN/Tunneling?

     

    Also, my APs support Discovery protocol (advertises information about the AP to any device that supports CDP), IP routes, VLANs (802.1q)

    Wednesday, April 8, 2015 12:52 PM

Answers

  • Hi Yattà,

    When using DHCP, IP addresses are distributed to computers, not users. The DHCP server cannot distribute IP addresses of different scopes according to different groups of users.

    As a workaround, you can implement it by configuring dial-in properties of user accounts.

    Here are the steps we can follow:

    1. Open Active Directory Users and Computers.
    2. Right click on the user account we want to configure, click Properties.
    3. Choose Dial-in tab and select Assign Static IP Addresses.
    4. Input IP address and click OK.
    5. Click OK to save and exit.

    Attention: To avoid conflicts, users can’t be configured with the same IP address, and the IP addresses configured for users need to be excluded in DHCP scopes.

    Best Regards,

    Leo


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Proposed as answer by Leo Han Monday, April 27, 2015 9:46 AM
    • Marked as answer by Steven_Lee0510 Thursday, April 30, 2015 9:11 AM
    Thursday, April 9, 2015 9:54 AM
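
The caveat at the end of the answer above (no two users with the same static address, and every assigned address excluded from the DHCP scope) can be checked with a short script. This is an added example, not part of the original thread; the user names, addresses, scope and exclusion range are constructed sample data, and the function names are hypothetical.

```powershell
# Constructed sample data: static IPs set on users' Dial-in tabs, plus the
# DHCP scope and its exclusion ranges. On a live domain these would be
# exported from AD and from the DHCP server configuration.
$assignments = @(
    @{ User = 'alice'; IP = '192.168.10.50' },
    @{ User = 'bob';   IP = '192.168.10.50' },   # same address as alice
    @{ User = 'carol'; IP = '192.168.10.120' },  # in scope, not excluded
    @{ User = 'dave';  IP = '192.168.10.51' }
)
$scope      = @{ Start = '192.168.10.10'; End = '192.168.10.200' }
$exclusions = @( @{ Start = '192.168.10.50'; End = '192.168.10.59' } )

function ConvertTo-UInt32 ([string]$Address) {
    # Dotted-quad to integer so that ranges can be compared numerically.
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InRange ([string]$Address, $Range) {
    $n = ConvertTo-UInt32 $Address
    return ($n -ge (ConvertTo-UInt32 $Range.Start)) -and
           ($n -le (ConvertTo-UInt32 $Range.End))
}

function Find-StaticIpConflict ($Assignments, $Scope, $Exclusions) {
    # 1. The same address configured on more than one account.
    $Assignments | Group-Object { $_.IP } | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $users = ($_.Group | ForEach-Object { $_.User }) -join ', '
            "DUPLICATE $($_.Name): $users"
        }
    # 2. An address the DHCP server could still lease to another machine.
    foreach ($a in $Assignments) {
        if (-not (Test-InRange $a.IP $Scope)) { continue }
        $excluded = $false
        foreach ($x in $Exclusions) {
            if (Test-InRange $a.IP $x) { $excluded = $true; break }
        }
        if (-not $excluded) { "NOT-EXCLUDED $($a.IP): $($a.User)" }
    }
}

Find-StaticIpConflict $assignments $scope $exclusions
```

With the sample data, the script reports the address shared by alice and bob and the in-scope, unexcluded address assigned to carol.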

All replies

  • The DHCP Server gives an IP to the client station, even though I've tried setting the static IP address from ADUC. I've checked that the mark to ignore dial-in properties in the network policy the user is using to connect is unchecked.

    I have also tried setting a static IP address via network policy. I can confirm the user is using the policy when connecting, but again, the machine takes the IP address from the DHCP Pool and not the static IP address.

    If I stop the DHCP Server the machine gets the APIPA address. Any suggestion why the DHCP server (or the Network Policy Server) bypasses the AD dial-in tab property?

    Edit:

    Taken from TechNet: For example, the caller-ID, callback, static IP address, and static routes properties are designed for a client that is dialing into a network access server, not for clients that are connecting to wireless access points

    Does that mean I have to setup something on the APs?

    • Edited by Yattà Thursday, April 9, 2015 1:35 PM
    Thursday, April 9, 2015 1:25 PM
  • Hi Yattà,

    It's hard to tell why the DHCP server bypasses the AD dial-in property. We can reconnect and check the events of the DHCP client service on the client computer to analyze the problem.

    Here are the steps to see the events:

    1. Open Event Viewer.
    2. Expand Applications and Services Logs.
    3. Expand Microsoft.
    4. Expand Windows.
    5. Find Dhcp-Client and then we can see the events.

    The warnings or errors may tell us the cause of the problem.

    Best Regards,

    Leo


    Friday, April 10, 2015 7:44 AM