Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
729
Views
5
Helpful
4
Replies

Connect a WLC to a NPS Server

rui-b-rodrigues
Beginner
Beginner

‎05-11-2021 11:32 AM - edited ‎07-05-2021 01:17 PM

Hello,

 

I'm trying to config a NPS server with WLC, to authenticate on WLAN with AD users.

The WLC has various interfaces,

10.10.10.10 (Management)

10.10.11.10 (LAN)

10.10.12.10 (Guest)

 

The NPS Server as an IP add: 10.10.11.99.

If in the NPS server, the radius client IP is configured as the as the management IP of the WLC (10.10.10.10) I received the message:

A RADIUS message was received from the invalid RADIUS client IP address 10.10.11.99

If in the NPS server the radius client IP is configured as the as the LAN IP interface (10.10.11.10) I do not received any error message, but the client doesn't authenticate.

 

Is there any way to force the WLC when contacting to NPS to use the management IP and not the LAN IP interface.

I follow the example from cisco where the the Network policies are:

Windows Groups

NAS Port-Type: Wireless

and

Authentication Type: EAP or PEAP

but my NPS server isn't a 2003 srv, but a 2012 R2 srv.

 

Can anybody help what am I doing wrong?

Thank you

 

 

 

Labels:
4 Replies 4

balaji.bandi
VIP Community Legend VIP Community Legend
VIP Community Legend

‎05-11-2021 01:08 PM

here is a step by step guide : ( there is a configuration to use management interface)

 

https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

rui-b-rodrigues
Beginner
Beginner
In response to balaji.bandi

‎05-11-2021 02:31 PM

Hello,

 

that was the example i refer in my post.

Isn't working.

 

On the WLC, making a debug to aaa I can check the username from the AD machine, but the answer is:

Access-Reject received from RADIUS server

[Error] Client requested no retries for mobile

Returning AAA Error 'Authentication Failed' (-4) for mobile

AuthorizationResponse: 0x404e0874

 

I'm trying from a windows 7 laptop with a user inside a AD group, that is in the network policy condition.

 

Thank you.

0 Helpful

MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor

‎05-11-2021 06:08 PM

ffff.png

check the network user box, try enable it and see result I think when enable it the WLC will use Management IP.

0 Helpful

JPavonM
VIP Collaborator VIP Collaborator
VIP Collaborator

‎05-11-2021 11:11 PM

This is a classic routing mistake.

NPS is sharing subnet with production interface in the WLC, so all the packets been sent from the WLC to NPS server are forwarded via this interface.

To solve this, you need to add a static route to NPS server IP address in the WLC pointing to NPS server with source the management interface.

HTH
-Jesus
*** Please Rate Helpful Responses ***

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents