Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4773
Views
10
Helpful
18
Replies

Standalone AP with NPS Radius - not working

mSumo
Level 1
Level 1

‎07-10-2018 01:49 PM - edited ‎07-05-2021 08:50 AM

Hello all,

 

I'm trying to resolve an issue with WIFI network that was handed over to me for one client. The problem is that users are not able to join corporate WIFI which should be using WPA2-Enterprise so users should be authenticated towards NPS Radius and AD - looks like there is something wrong with authentication. I dont have much experience with WIFI and Security and Servers, so I need some help what to check. Was doing some troublehsooting but didin't help. Not sure if I'm looking at the correct part of the network that could be wrong (Certificate, WPA2 configuration, NPS, etc)

 

Network devices:

-standalone AP (Cisco 3621)

-2x switch (Cisco Catalyst 2960-S)

-virtualized Windows Server 2016 with NPS for RADIUS

-2x Sohpos FW

 

Network info:

-VLAN 107 is configured as NATIVE for trunk between AP and SW1

-VLAN 1 is configured as NATIVE from SW1 all the way to the Win server TPLVH02 where NPS is running

-AP BVI IP is 10.0.7.22 - RADIUS server IP is 10.0.7.6

- AP has 2 SSID configured and bradcasted:

  • TPL_Guests for guests using WPA2 with PSK - this one is working 
  • TPL with WPA2-Enterprise for staff - this is not working

-AP has 3 VLANs configured:

  • 108 - for TPL_Guests
  • 106 - for TPL
  • 107 - as NATIVE for management and communication with RADIUS

-FWs have interface created for each VLAN. However, I believe that communication between AP and NPS should not go through FW as they should communicate via NATIVE VLAN

-certificate is already created

 

What I've checked:

-I can ping RADIUS from AP and vice versa

-I dont see anything strange in EVENT VIEWER on Windows server (file attached)

-with debugging on AP, I can see for one user "authentication error" while for another one I saw "dot11_mgmt: vlan differ and parameters are different".

-I tried to change NPS/Radius/Client configuration according the info I've found on Internet, but still nto working

 

Attached are all info I collected for tshooting (switch configs, AP debug, Server set up, etc...)

 

Woudl appretiate any help I can get from you.... what to check.. what to correct... I've already spent weeks on this with no success....

 

Thanks in advance

Labels:
Preview file
10 KB
Preview file
64 KB
Preview file
63 KB
Preview file
88 KB
Preview file
2199 KB
0 Helpful
18 Replies 18

patoberli
VIP Alumni
VIP Alumni
In response to mSumo

‎07-17-2018 06:51 AM

Ah look at that :) Here you enforce VLAN 107 to the client. This VLAN is currently not configured on the AP, thus it probably fails. This VLAN needs to be available, similar to the VLANs 106 and 108, which you already have. 107 can't be the native one, with this configuration.

mSumo
Level 1
Level 1
In response to patoberli

‎07-17-2018 07:13 AM - edited ‎07-17-2018 07:14 AM

awesome... thanks for catching this.... So I will modify my AP configuration as below:

 

interface GigabitEthernet0.107
description Management VLAN 107
encapsulation dot1Q 107 native
no ip route-cache
bridge-group 107


interface Dot11Radio0.107
encapsulation dot1Q 107 native
no ip route-cache
bridge-group 107

 

...also will change native on Switch port connected to AP to 1 insead of 107. All the way to the Server, VLAN 107 is allowed so should be good here. Just FYI, I was trying to change the vlan 107 to tagged earlier, but when I did it, the GUEST WIFI was not working... not sure why... maybe I did something wrong... Anyway, will try it again.

 

With the configuration above, do I need to configure also native VLAN (as below)? I guess I must as it will not automatically change the native to 1, right?

 

interface GigabitEthernet0.1
description 1 native
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1

interface Dot11Radio0.107
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1

 

 

0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to mSumo

‎07-17-2018 07:28 AM

I wouldn't use VLAN 1 as the native vlan personally, but it's a design decision, that has to be made beforehand.
I honestly haven't configured a standalone AP in many years, so I can't answer this with certainty.
On the second part, where you configure your native VLAN, you probably want to change the 107 to 1:
interface Dot11Radio0.107 -> here to .1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1

mSumo
Level 1
Level 1
In response to patoberli

‎07-17-2018 08:30 AM

yes,,, should be 1 instead of 7.... just typo

 

The situation is that I need to fix this issue asap. Once working, I will re-do the design a bit, as using default vlan as a native is not the best practice. However, want to sort out the WIFI first so that I know that all is working before I starts with that.

 

thank you so far. Will share the results here once I change the NATIVE.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card