Standalone AP with NPS Radius - not working

mSumo
Level 1

Hello all,

 

I'm trying to resolve an issue with a WIFI network that was handed over to me for one client. The problem is that users are not able to join the corporate WIFI, which should be using WPA2-Enterprise, so users should be authenticated against NPS RADIUS and AD - it looks like there is something wrong with authentication. I don't have much experience with WIFI, security and servers, so I need some help on what to check. I did some troubleshooting but it didn't help. I'm not sure if I'm looking at the correct part of the network that could be wrong (certificate, WPA2 configuration, NPS, etc.).

 

Network devices:

-standalone AP (Cisco 3621)

-2x switch (Cisco Catalyst 2960-S)

-virtualized Windows Server 2016 with NPS for RADIUS

-2x Sophos FW

 

Network info:

-VLAN 107 is configured as NATIVE for trunk between AP and SW1

-VLAN 1 is configured as NATIVE from SW1 all the way to the Win server TPLVH02 where NPS is running

-AP BVI IP is 10.0.7.22 - RADIUS server IP is 10.0.7.6

-AP has 2 SSIDs configured and broadcast:

  • TPL_Guests for guests using WPA2 with PSK - this one is working 
  • TPL with WPA2-Enterprise for staff - this is not working

-AP has 3 VLANs configured:

  • 108 - for TPL_Guests
  • 106 - for TPL
  • 107 - as NATIVE for management and communication with RADIUS

-FWs have an interface created for each VLAN. However, I believe that communication between the AP and NPS should not go through the FW, as they should communicate via the NATIVE VLAN

-certificate is already created

 

What I've checked:

-I can ping RADIUS from the AP and vice versa

-I don't see anything strange in EVENT VIEWER on the Windows server (file attached)

-with debugging on AP, I can see for one user "authentication error" while for another one I saw "dot11_mgmt: vlan differ and parameters are different".

-I tried to change the NPS/RADIUS/client configuration according to the info I've found on the Internet, but it is still not working

 

Attached is all the info I collected for troubleshooting (switch configs, AP debug, server setup, etc.)

 

Would appreciate any help I can get from you... what to check... what to correct... I've already spent weeks on this with no success...

 

Thanks in advance

18 Replies

Hi

If the AP and RADIUS are in different VLANs and you can ping each other, this means that some layer 3 device is routing between the VLANs. According to your scenario description, I believe the firewall is doing that.

Make sure the firewall is permitting the traffic. Try to enable tcpdump or similar on this firewall and check that.

 

-If I helped you somehow, please, rate it as useful.-

Please correct me if I'm wrong:

- if the user is in VLAN 106, and 107 is used as NATIVE (BVI is part of 107), I expect this 107 is used for communication with RADIUS? That means untagged traffic should go to RADIUS and back for authentication. Once the user is authenticated, he will receive an IP from VLAN 106? Am I right?

 

PS: I will not be able to run tcpdump for the next few days. But I will try it, thanks. I just want to collect as much info as possible about what to check/try before my next visit to the site.

Yes, that should be correct. Make sure the RADIUS ports are open (udp/1812, udp/1813 by default) in both directions between the AP and RADIUS.
Then you should see the authentication requests in the Event Viewer of the RADIUS server, in the Security log; in your case they are probably all failed. If you don't see any, capture the traffic on the RADIUS server to see whether you do get the RADIUS packets, or whether the firewall is blocking them, or there is a misconfiguration on the AP.
Although, when looking at the config, the AP management VLAN and the RADIUS server appear to be in the same network segment:
interface BVI1
ip address 10.0.7.22 255.255.255.0
!
ip default-gateway 10.0.7.1
ip radius source-interface BVI1
!
radius server 10.0.7.6

Thank you for the reply... Will check the security logs...

 

I did run Wireshark on the RADIUS server, and I could see packets going there and back:

 

Access-request (1) -AP to RADIUS
Access-challenge (11) -RADIUS to AP
Access-Accept (2) -RADIUS to AP

 

...I can see multiple REQUEST/CHALLENGE and after them ACCEPT... these are repeating. However, I don't see any other types of packet (FYI, I had a filter set to show only RADIUS packets), so the AP and RADIUS seem to be communicating with each other. The FW has "any to any" permitted temporarily while I'm doing testing.

 

PS: I've also noticed that RADIUS was responding to the AP with ports 1645/1646 (which I don't have configured on the AP), so I've deleted them from RADIUS and left only 1812/1813

 

PS2: The strange thing that I noticed is that NATIVE VLAN 107 on the AP doesn't have any input packets (when I'm checking show vlans)

Yes, it looks like RADIUS is working, although there are some Rejected messages in your RADIUS log.
Regarding your PS2: that might be because it's directly handled by the BVI / GigabitEthernet0/0.

In any case, check the RADIUS server logs; they should tell you what the issue is. It's in the Security log. You can try to search for the MAC address of the client, in the format 00-11-22-33-44-55.

Hi...

 

  • So I've tried to check Event Viewer > Windows logs > Security but haven't found anything strange there... I can see a message "Network Policy Server granted access to a user."

  • Also, I ran debugging once again on the AP and this is what I've noticed there: again a problem with VLAN? ...Looks like the CLIENT / AP / RADIUS are communicating together up to some point where the VLAN doesn't match and the session is aborted...

 

Jul 13 10:10:53.051 CET: dot11_mgr_disp_client_send_eapol: sending eapol to client 3ca9.f430.f1b4 on BSSID ccd5.3988.7190

Jul 13 10:10:53.051 CET: dot11_mgr_sm_send_wpav2_ptk_msg3: [3] Sent PTK msg 3 to 3ca9.f430.f1b4, no timer set

Jul 13 10:10:53.051 CET: dot11_mgr_sm_hs_callback: [3] Handshake msg to 3ca9.f430.f1b4, timer set: timeout 100 ms

Jul 13 10:10:53.151 CET: dot11_mgr_sm_run_machine: Executing Action(WPAV2_PTK_MSG4_WAIT,TIMEOUT) for 3ca9.f430.f1b4

Jul 13 10:10:53.151 CET: dot11_mgr_sm_handshake_pass: Handshake pass for 3ca9.f430.f1b4

Jul 13 10:10:53.151 CET: dot11_mgmt: recv AAA Auth resp for 3ca9.f430.f1b4, vlan name 107, id 107 and wnid 0

Jul 13 10:10:53.151 CET: dot11_mgmt: vlan differ and parameters are different

Jul 13 10:10:53.151 CET:  dot11_mgmt: de-auth msg sent with reason = 24

Jul 13 10:10:53.151 CET: dot11_mgr_disp_auth_abort: Sending abort request for client 3ca9.f430.f1b4 to local Authenticator

 

  • I've also noticed one more WARNING in Event Viewer > Windows logs > System, but I'm not sure whether it is related to my problem.

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID

 

PS: The full outputs are attached
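Added example (not code from the thread, Cisco or Microsoft): a small parser for the autonomous-AP debug lines quoted above that groups them per client MAC and reports whether a client failed on EAP or on the VLAN returned in the AAA response. It assumes the SSID is mapped to VLAN 106 as stated in the first post, that lines without a MAC ("vlan differ", "de-auth") belong to the client named just before them, and uses a hypothetical second client aabb.ccdd.eeff for the EAP-failure case.

```python
import re

# Constructed sample: the first five lines are the ones quoted in this thread for client
# 3ca9.f430.f1b4; the last line mirrors the "failed: by EAP" line quoted later, for a
# hypothetical second client aabb.ccdd.eeff.
SAMPLE_DEBUG = """\
Jul 13 10:10:53.151 CET: dot11_mgr_sm_handshake_pass: Handshake pass for 3ca9.f430.f1b4
Jul 13 10:10:53.151 CET: dot11_mgmt: recv AAA Auth resp for 3ca9.f430.f1b4, vlan name 107, id 107 and wnid 0
Jul 13 10:10:53.151 CET: dot11_mgmt: vlan differ and parameters are different
Jul 13 10:10:53.151 CET:  dot11_mgmt: de-auth msg sent with reason = 24
Jul 13 10:10:53.151 CET: dot11_mgr_disp_auth_abort: Sending abort request for client 3ca9.f430.f1b4 to local Authenticator
Jul 10 15:32:15.375 CET: Client aabb.ccdd.eeff failed: by EAP authentication server
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
RE_HANDSHAKE = re.compile(r"Handshake pass for " + MAC)
RE_AAA_RESP = re.compile(r"recv AAA Auth resp for " + MAC + r", vlan name \S+, id (\d+)")
RE_DEAUTH = re.compile(r"de-auth msg sent with reason = (\d+)")
RE_EAP_FAIL = re.compile(r"Client " + MAC + r" failed: by EAP authentication server")

def parse_ap_debug(text):
    """One record per client MAC; MAC-less lines go to the client named most recently."""
    clients, current = {}, None
    def rec(mac):
        nonlocal current
        current = mac
        return clients.setdefault(mac, {"handshake": False, "aaa_vlan": None,
                                        "vlan_differ": False, "deauth_reason": None, "eap_fail": False})
    for line in text.splitlines():
        if m := RE_HANDSHAKE.search(line):
            rec(m.group(1))["handshake"] = True
        elif m := RE_AAA_RESP.search(line):
            rec(m.group(1))["aaa_vlan"] = int(m.group(2))   # VLAN id the AAA response carried
        elif "vlan differ" in line and current:
            clients[current]["vlan_differ"] = True
        elif (m := RE_DEAUTH.search(line)) and current:
            clients[current]["deauth_reason"] = int(m.group(1))
        elif m := RE_EAP_FAIL.search(line):
            rec(m.group(1))["eap_fail"] = True
    return clients

def diagnose(record, ssid_vlan):
    """ssid_vlan is the VLAN the SSID is mapped to on the AP (106 for TPL in this thread)."""
    if record["eap_fail"]:
        return "eap-failure: RADIUS rejected the client (check the user and certificate on NPS)"
    if record["vlan_differ"] or record["aaa_vlan"] not in (None, ssid_vlan):
        return "vlan-mismatch: AAA response carried vlan %s, SSID uses %s" % (record["aaa_vlan"], ssid_vlan)
    if record["handshake"]:
        return "ok"
    return "incomplete"
```

Feed it the full `debug dot11 aaa`/`debug dot11 mgmt` output and compare each client's verdict with the NPS Security log entry for the same MAC.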

What is the name of the virtual interface serving VLAN 107 on the AP?
Can you post the Standard and Vendor Specific attributes that you have configured on the NPS for the policy?
I think there is a misconfiguration, because authentication works but the AP can't accept the attributes you're sending back to it.
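Added example (not code from the thread, Cisco or Microsoft): a decoder for a captured RADIUS reply that reports whether an Access-Accept carries the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that RFC 3580 uses to hand a VLAN to the authenticator, so you can see from the Wireshark capture what VLAN, if any, the server actually returns. The packets are constructed here with a zeroed Response Authenticator; whether this AP expects exactly these attributes is an assumption of the example.

```python
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# RFC 2868 tunnel attributes as used by RFC 3580 for VLAN assignment:
# Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID = VLAN id string.
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP = 64, 65, 81

def build_packet(code, ident, attrs):
    """Constructed test packets only: zeroed Response Authenticator, no MD5 verification."""
    body = b"".join(bytes([atype, len(val) + 2]) + val for atype, val in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def iter_attributes(payload):
    # Yield (type, value) TLVs without running off the end on a malformed length field.
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2 or payload[pos + 1] < 2 or pos + payload[pos + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield payload[pos], payload[pos + 2:pos + payload[pos + 1]]
        pos += payload[pos + 1]

def untag(value):
    # RFC 2868: a first octet of 0x00..0x1F is a tag that groups the three tunnel attributes.
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)

def vlan_from_radius(packet):
    """Return the packet type and, for an Access-Accept, the VLAN it assigns (None if absent)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field %d does not match %d bytes" % (length, len(packet)))
    result = {"code": RADIUS_CODES.get(code, code), "vlan": None}
    if code != 2:
        return result
    groups = {}  # tag -> {attribute type: untagged value}
    for atype, raw in iter_attributes(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP):
            tag, val = untag(raw)
            groups.setdefault(tag, {})[atype] = val
    for g in groups.values():
        if (int.from_bytes(g.get(TUNNEL_TYPE, b""), "big") == 13
                and int.from_bytes(g.get(TUNNEL_MEDIUM, b""), "big") == 6 and TUNNEL_GROUP in g):
            result["vlan"] = g[TUNNEL_GROUP].decode("ascii", "replace")
            break
    return result

# Constructed samples: an Access-Accept assigning VLAN 106, and one carrying only an
# EAP-Message (EAP Success) and no tunnel attributes, as a policy with empty attribute tabs sends.
ACCEPT_WITH_VLAN = build_packet(2, 0x2A, [(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big")),
                                          (TUNNEL_MEDIUM, b"\x00" + (6).to_bytes(3, "big")),
                                          (TUNNEL_GROUP, b"\x00" + b"106")])
ACCEPT_NO_VLAN = build_packet(2, 0x2B, [(79, b"\x03\x05\x00\x04")])
```

On a real capture, export the UDP payload of the Access-Accept from Wireshark and pass those bytes to `vlan_from_radius`.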

I've attached the full AP configuration and also screenshots of the NPS setup in my very first post. If you are looking for some other information, could you be more specific about where to find it, please? I'm not really sure whether you are asking for the info that is already there or for some additional info I need to check.

 

BTW, thanks for helping out...

In your Word document on page 3, first screenshot, on the left side of the open policy you have the tabs Standard and Vendor Specific; those two I'd like to see.

Hi,

 

I got the info you asked for. Looks like those attributes are empty. See the attachment.

 

 

Indeed empty. Do you also have policies under Network Policies?

Just asking because this part of the debug confuses me a little:

Jul 10 15:32:14.039 CET: RADIUS:  AAA Unsupported Attr: ssid              [346] 3   67891736
Jul 10 15:32:14.039 CET: RADIUS:  AAA Unsupported Attr: service-type      [344] 4   1
Jul 10 15:32:14.039 CET: RADIUS:  AAA Unsupported Attr: interface         [221] 4   67897228

 

In any case, your RADIUS says it failed:

Jul 10 15:32:15.375 CET: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL

Jul 10 15:32:15.375 CET: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
Jul 10 15:32:15.375 CET: Client 3ca9.f430.f1b4 failed: by EAP authentication server
Jul 10 15:32:15.375 CET: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 3ca9.f430.f1b4

There is a Network Policy created as well. See the DOC file - page 3 (2nd and 3rd picture) and page 4 (1st picture)

And those have the same fields to configure attributes (tabs Standard and Vendor Specific); can you also check those?

You're right. Here you are - attached
