topic Web Auth with Microsoft NPS in Wireless

Web Auth with Microsoft NPS

Rafael Jimenez — Mon, 05 Jul 2021 15:32:41 GMT

Hello,

I have a 5520 controller, I already setup the wlan autentication with RADIUS on the AAA Servers, Security->Leyer 2 in 802.1X and WPA2, Security->Leyer 3 in NONE and works fine.

The users get authenticated against the AD via RADIUS.

My problem is if I change the WLAN authentication to Web Policy with Local webauth, and the same RADIUS, the authentication fail showing a invalid user or password message.

First, its is possible?. If so, what is worong?

Thanks.

Re: Web Auth with Microsoft NPS

H-H — Fri, 20 Apr 2018 22:35:18 GMT

good day Rafael,

some pieces of information would be great to address this issue.

from the controller enable the following:

debug aaa all enable

debug client <mac address of test machine>

once those are enable try to connect the test machine x3 times, attach the terminal output to this chain let's see.

Re: Web Auth with Microsoft NPS

Rafael Jimenez — Mon, 23 Apr 2018 14:59:47 GMT

Good day H-H,

this is the output:

(Cisco Controller) >debug client B0:DF:3A:DA:F4:A2

(Cisco Controller) >*ewmwebWebauth1: Apr 23 10:56:19.765: b0:df:3a:da:f4:a2 Username entry (rjimenez) created for mobile, length = 8
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 Username entry 'rjimenez' is deleted for mobile from the UserName table
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 Username entry rjimenez deleted for mobile

The error in the client is :

The User Name and Password combination you have entered is invalid. Please try again.
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 Plumbing web-auth redirect rule due to user logout
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 Web Authentication failure for station
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 172.16.64.66 WEBAUTH_REQD (8) Reached ERROR: from line 6920

Re: Web Auth with Microsoft NPS

Rafael Jimenez — Mon, 23 Apr 2018 15:06:04 GMT

The windows server is 2012 R2 Standard.

Re: Web Auth with Microsoft NPS

Rafael Jimenez — Mon, 23 Apr 2018 15:18:54 GMT

attached the full debug with 3 retries.

Re: Web Auth with Microsoft NPS

Rafael Jimenez — Mon, 23 Apr 2018 16:33:40 GMT

Attached the capture on the radius server.

Re: Web Auth with Microsoft NPS

CTSCloud.Europe — Mon, 23 Apr 2018 16:35:45 GMT

Rafa,

debug is not complete, for example could not seen the debug aaa all enable output, however with the debug provided i can see the client being blacklisted, lets first remove any "exclusion" configuration from the SSID, also from the NPS for testing can you increase the timeout timers?

Time	Task	Translated
Apr 23 11:15:13.067	*DHCP Socket Task	Received DHCP request from client
Apr 23 11:15:13.067	*DHCP Socket Task	Sending DHCP Discover to DHCP Server CP through gateway 172.16.64.1 on VLAN selected relay 2 - NONE (server address 0.0.0.0,local address 0.0.0.0, gateway 172.16.95.254, VLAN 908, port 1)
Apr 23 11:15:13.068	*DHCP Socket Task	Received DHCP offer from server and transmitting to client
Apr 23 11:15:13.072	*DHCP Socket Task	Received DHCP request from client
Apr 23 11:15:13.072	*DHCP Socket Task	Sending DHCP Request to DHCP Server CP through gateway 172.16.64.1 requesting 172.16.64.66 on VLAN sending REQUEST to 172.16.95.254 (len 374, port 1, vlan 908)
Apr 23 11:15:13.073	*DHCP Socket Task	Received DHCP ACK, assigning IP Address 172.16.64.66
Apr 23 11:15:13.073	*DHCP Socket Task	Received DHCP ACK from DHCP server
Apr 23 11:16:30.598	*ewmwebWebauth1	Client expiration timer code set for 10 seconds. The reason: Client deleted as it was blacklisted
Apr 23 11:16:40.626	*apfReceiveTask	Client disassociation event has occured. Possible reasons may be due to AP Radio Reset usually due to channel change or wlan was manually disabled or Client unable to get valid DHCP IP for WLAN using DHCP required
Apr 23 11:16:40.626	*apfReceiveTask	Client has been deauthenticated
Apr 23 11:16:40.626	*apfReceiveTask	Client expiration timer code set for 60 seconds. The reason: Client entry deleted after the exclusion timer expired (client was blacklisted)
Apr 23 11:16:40.626	*apfReceiveTask	Client session has timed out

Re: Web Auth with Microsoft NPS

CTSCloud.Europe — Mon, 23 Apr 2018 16:38:06 GMT

Rafael,

the access reject came from the NPS server side.

Re: Web Auth with Microsoft NPS

Rafael Jimenez — Mon, 23 Apr 2018 17:07:48 GMT

attached new debug client f0:4f:7c:da:22:09

The NPS is Rejecting the request.

I saw in other posts, something about the Dial-In Profile and Service Type = Login.

But I don't see this in NPS.

Re: Web Auth with Microsoft NPS

H-H — Mon, 23 Apr 2018 17:42:11 GMT

Rafael, i saw the capture and agree with the NPS is the one that is rejecting the authentication, i am not sure if NPS has a debug / log tool but let's investigate both of us, 🙂

Re: Web Auth with Microsoft NPS

Rafael Jimenez — Mon, 23 Apr 2018 20:27:50 GMT

Hello H-H,

I installed the NPS following the the Document ID: 115988.

For some reason I dont know why the WLC with its IP was missing on the Conditions tab in the connection request policy created for wifi purpouse.

Its working now.

Thanks for your help.

Re: Web Auth with Microsoft NPS

H-H — Mon, 23 Apr 2018 21:23:09 GMT

Rafael,

great to know that everything is working now.

Re: Web Auth with Microsoft NPS

Rafael Jimenez — Sat, 19 May 2018 00:46:18 GMT

Complementing the configuration for Web Radius Authentication with Microsoft NPS, its important be aware the protocol used in the Network policy must be PAP instead of PEAP.