Hi,
I’ve configured a PEAP/NPS/Cisco AP environment at head office on a Server 2008 machine and it’s working as expected. But when I’ve deployed this solution to other sites it doesn’t work!
The differences between the sites are as follows:
1. The NPS servers on the other sites are Server 2008 R2; the head office site is Server 2008.
2. The head office certificate server is on the same box as the NPS server. The remote site NPS servers receive their self-signed certificate from this head office certificate server.
3. The clients in the head office have a copy of the NPS server certificate in Trusted Root Certification Authorities. Clients at the other sites do not have a copy of their NPS server certificate.
What works:
I am running two SSIDs per AP. One performs PEAP authentication (this part doesn’t work); the other SSID performs WPA2 password authentication (this part works). Since the WPA2 password part works, I assume the AP is registered correctly with the NPS server, and the AP log indicates this is OK.
The Cisco AP config is identical across all sites.
The symptoms are:
Windows 7
Client: “Windows was unable to connect to this network”. No event logs.
Server: No event logs, and the same NPS log entry as below.
Windows XP
Client: Wireless status “Attempting to Authenticate”. Stops, then repeats forever. No relevant event logs.
NPS Server: No event logs. NPS log (DTS-compliant XML format) as follows:
<Event>
  <Computer-Name data_type="1">SERVER_NAME</Computer-Name>
  <Event-Source data_type="1">IAS</Event-Source>
  <Framed-MTU data_type="0">1400</Framed-MTU>
  <Called-Station-Id data_type="1">e804.625e.3250</Called-Station-Id>
  <Calling-Station-Id data_type="1">001c.bf87.1ab6</Calling-Station-Id>
  <Service-Type data_type="0">1</Service-Type>
  <NAS-Port-Type data_type="0">19</NAS-Port-Type>
  <NAS-Port data_type="0">438</NAS-Port>
  <NAS-Port-Id data_type="1">438</NAS-Port-Id>
  <NAS-IP-Address data_type="3">10.232.240.140</NAS-IP-Address>
  <NAS-Identifier data_type="1">DENI-AP01</NAS-Identifier>
  <Client-IP-Address data_type="3">10.232.240.140</Client-IP-Address>
  <Client-Vendor data_type="0">9</Client-Vendor>
  <Client-Friendly-Name data_type="1">DENI-AP01</Client-Friendly-Name>
  <User-Name data_type="1">USERNAME</User-Name>
  <Proxy-Policy-Name data_type="1">Deni Secure Wireless Connections</Proxy-Policy-Name>
  <Provider-Type data_type="0">1</Provider-Type>
  <SAM-Account-Name data_type="1">USERNAME</SAM-Account-Name>
  <Class data_type="1">311 1 10.232.240.48 08/30/2011 05:21:16 954</Class>
  <Authentication-Type data_type="0">5</Authentication-Type>
  <NP-Policy-Name data_type="1">Deni Wireless New</NP-Policy-Name>
  <Fully-Qualifed-User-Name data_type="1">USERNAME</Fully-Qualifed-User-Name>
  <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
  <Packet-Type data_type="0">1</Packet-Type>
  <Reason-Code data_type="0">0</Reason-Code>
</Event>
<Event>
  <Computer-Name data_type="1">SERVER_NAME</Computer-Name>
  <Event-Source data_type="1">IAS</Event-Source>
  <Class data_type="1">311 1 10.232.240.48 08/30/2011 05:21:16 954</Class>
  <Session-Timeout data_type="0">30</Session-Timeout>
  <Fully-Qualifed-User-Name data_type="1">USERNAME</Fully-Qualifed-User-Name>
  <Client-IP-Address data_type="3">10.232.240.140</Client-IP-Address>
  <Client-Vendor data_type="0">9</Client-Vendor>
  <Client-Friendly-Name data_type="1">DENI-AP01</Client-Friendly-Name>
  <Proxy-Policy-Name data_type="1">Deni Secure Wireless Connections</Proxy-Policy-Name>
  <Provider-Type data_type="0">1</Provider-Type>
  <SAM-Account-Name data_type="1">USERNAME</SAM-Account-Name>
  <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
  <Authentication-Type data_type="0">5</Authentication-Type>
  <NP-Policy-Name data_type="1">Deni Wireless New</NP-Policy-Name>
  <Packet-Type data_type="0">11</Packet-Type>
  <Reason-Code data_type="0">0</Reason-Code>
</Event>
Clarification?
I assume the problem is with the NPS configuration (which was configured with the wizard).
Connection Request Policy: this seems OK? There’s not much in here: NAS Port Type = Wireless – Other or Wireless – IEEE 802.11.
Network Policies –
Windows Groups: Wireless Users or Wireless Computers
Constraints: Authentication = PEAP, including the self-signed cert issued to the NPS server. EAP type = EAP-MSCHAP v2.
Everything else is default.
I think the issue may be the certificate? My (limited) understanding is that only the server needs to have a copy of the certificate (group policy for the client tells the client NOT to validate the certificate, as it is self-signed). Is this correct?
I’ve tried setting this up at 3 sites. The first site was OK, the second site was OK. Then after a day or 2 (and probably a server reboot) both sites stopped working. Set it up on the 3rd site and can’t get it working at all.
Any thoughts or insights would be HUGELY appreciated!!
Thanks!
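The two log records above are the full story of one attempt: an Access-Request (Packet-Type 1) answered by an Access-Challenge (Packet-Type 11, Session-Timeout 30) with Reason-Code 0, and then nothing. NPS only writes Reason-Code and an Access-Accept (2) or Access-Reject (3) once the EAP exchange inside PEAP finishes, so a session that shows nothing but Request/Challenge pairs has stalled in the TLS handshake on the client side rather than being rejected by policy. The script below is an added example, not part of the original post or of any Microsoft tooling: it parses NPS DTS-compliant XML log records, correlates them by the Class attribute, and reports which sessions stalled and which completed. The sample log is constructed here: the first two records carry a subset of the attributes from the post above, the last two are a hypothetical successful session whose Class value, user name and MAC address are invented.

```python
"""Correlate NPS (IAS) DTS-compliant XML log records by Class attribute and
flag sessions that never get past Access-Challenge. Added example, not
part of the original post or of NPS itself."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# RADIUS Packet-Type codes (RFC 2865 section 4); NPS logs the same numbers.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

# Constructed sample log, one <Event> per line as NPS writes it. Records 1-2
# use values from the post; records 3-4 are a hypothetical working session
# (Class "... 955", user OTHERUSER and MAC 0011.2233.4455 are invented).
SAMPLE_LOG = """\
<Event><Computer-Name data_type="1">SERVER_NAME</Computer-Name><Calling-Station-Id data_type="1">001c.bf87.1ab6</Calling-Station-Id><NAS-Port-Type data_type="0">19</NAS-Port-Type><User-Name data_type="1">USERNAME</User-Name><Class data_type="1">311 1 10.232.240.48 08/30/2011 05:21:16 954</Class><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">Deni Wireless New</NP-Policy-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Computer-Name data_type="1">SERVER_NAME</Computer-Name><Class data_type="1">311 1 10.232.240.48 08/30/2011 05:21:16 954</Class><Session-Timeout data_type="0">30</Session-Timeout><Fully-Qualifed-User-Name data_type="1">USERNAME</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Computer-Name data_type="1">SERVER_NAME</Computer-Name><Calling-Station-Id data_type="1">0011.2233.4455</Calling-Station-Id><NAS-Port-Type data_type="0">19</NAS-Port-Type><User-Name data_type="1">OTHERUSER</User-Name><Class data_type="1">311 1 10.232.240.48 08/30/2011 05:25:00 955</Class><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Computer-Name data_type="1">SERVER_NAME</Computer-Name><Class data_type="1">311 1 10.232.240.48 08/30/2011 05:25:00 955</Class><Fully-Qualifed-User-Name data_type="1">OTHERUSER</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
"""


def parse_nps_xml(text):
    """Parse one <Event> element per line into a list of dicts.
    data_type="0" values are integers; everything else stays a string."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = ET.fromstring(line)
        rec = {}
        for child in event:
            value = (child.text or "").strip()
            rec[child.tag] = int(value) if child.get("data_type") == "0" else value
        records.append(rec)
    return records


def classify_sessions(records):
    """Group records by Class (NPS stamps the same Class on every packet of
    one authentication) and decide how each session ended."""
    sessions = defaultdict(list)
    for rec in records:
        key = rec.get("Class") or rec.get("Calling-Station-Id", "unknown")
        sessions[key].append(rec)

    report = {}
    for key, recs in sessions.items():
        codes = [r.get("Packet-Type") for r in recs]
        if 2 in codes:
            verdict = "accepted"
        elif 3 in codes:
            verdict = "rejected"      # Reason-Code on the reject says why
        elif set(codes) <= {1, 11}:
            # Request/Challenge only: EAP never finished, so NPS never issued
            # an Accept or Reject. Look at the supplicant (certificate trust,
            # PEAP settings), not at network policy.
            verdict = "stalled"
        else:
            verdict = "other"
        user = next((r.get("User-Name") or r.get("Fully-Qualifed-User-Name")
                     for r in recs if r.get("User-Name") or r.get("Fully-Qualifed-User-Name")), None)
        mac = next((r["Calling-Station-Id"] for r in recs if "Calling-Station-Id" in r), None)
        report[key] = {
            "user": user,
            "mac": mac,
            "packets": [PACKET_TYPES.get(c, "type %s" % c) for c in codes],
            "reason_codes": sorted({r.get("Reason-Code") for r in recs if "Reason-Code" in r}),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for key, info in classify_sessions(parse_nps_xml(SAMPLE_LOG)).items():
        print("%-8s user=%s mac=%s packets=%s" % (
            info["verdict"], info["user"], info["mac"], " -> ".join(info["packets"])))
```

Run against a real log directory (NPS writes these under %SystemRoot%\System32\LogFiles by default), a "stalled" verdict with Reason-Code 0 and nothing else points at the client never finishing the PEAP TLS handshake; a "rejected" verdict carries a non-zero Reason-Code that names the policy or credential failure.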