cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3618
Views
5
Helpful
12
Replies

Web Auth with Microsoft NPS

Rafael Jimenez
Level 4
Level 4

Hello,

I have a 5520 controller, I already setup the wlan autentication with RADIUS on the AAA Servers, Security->Leyer 2 in 802.1X and WPA2, Security->Leyer 3  in NONE and works fine.

The users get authenticated against the AD via RADIUS.

My problem is if I change the WLAN authentication to Web Policy with Local webauth, and the same RADIUS, the authentication fail showing a invalid user or password message.

First, its is possible?. If so, what is worong?

Thanks.

1 Accepted Solution

Accepted Solutions

Hello H-H,

I installed the NPS following the the Document ID: 115988.

For some reason I dont know why the WLC with its IP was missing on the Conditions tab in the connection request policy created for wifi purpouse.

Its working now.

Thanks for your help.

 

View solution in original post

12 Replies 12

H-H
Level 1
Level 1

good day Rafael,

 

some pieces of information would be great to address this issue.

 

from the controller enable the following:

 

debug aaa all enable

debug client <mac address of test machine>

 

once those are enable try to connect the test machine x3 times, attach the terminal output to this chain let's see.

Good day H-H,

this is the output:

(Cisco Controller) >debug client B0:DF:3A:DA:F4:A2

(Cisco Controller) >*ewmwebWebauth1: Apr 23 10:56:19.765: b0:df:3a:da:f4:a2 Username entry (rjimenez) created for mobile, length = 8
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 Username entry 'rjimenez' is deleted for mobile from the UserName table
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 Username entry rjimenez deleted for mobile

 

The error in the client is :

Login Error.

The User Name and Password combination you have entered is invalid. Please try again.
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 Plumbing web-auth redirect rule due to user logout
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 Web Authentication failure for station
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 172.16.64.66 WEBAUTH_REQD (8) Reached ERROR: from line 6920

The windows server is 2012 R2 Standard.

attached the full debug with 3 retries.

Rafa,

 

debug is not complete, for example could not seen the debug aaa all enable output, however with the debug provided i can see the client being blacklisted, lets first remove any "exclusion" configuration from the SSID, also from the NPS for testing can you increase the timeout timers?

 

Time Task Translated
Apr 23 11:15:13.067 *DHCP Socket Task Received DHCP request from client
Apr 23 11:15:13.067 *DHCP Socket Task Sending DHCP Discover to DHCP Server CP through gateway 172.16.64.1 on VLAN selected relay 2 - NONE (server address 0.0.0.0,local address 0.0.0.0, gateway 172.16.95.254, VLAN 908, port 1)
Apr 23 11:15:13.068 *DHCP Socket Task Received DHCP offer from server and transmitting to client
Apr 23 11:15:13.072 *DHCP Socket Task Received DHCP request from client
Apr 23 11:15:13.072 *DHCP Socket Task Sending DHCP Request to DHCP Server CP through gateway 172.16.64.1 requesting 172.16.64.66 on VLAN sending REQUEST to 172.16.95.254 (len 374, port 1, vlan 908)
Apr 23 11:15:13.073 *DHCP Socket Task Received DHCP ACK, assigning IP Address 172.16.64.66
Apr 23 11:15:13.073 *DHCP Socket Task Received DHCP ACK from DHCP server
Apr 23 11:16:30.598 *ewmwebWebauth1 Client expiration timer code set for 10 seconds. The reason: Client deleted as it was blacklisted
Apr 23 11:16:40.626 *apfReceiveTask Client disassociation event has occured. Possible reasons may be due to AP Radio Reset usually due to channel change or wlan was manually disabled or Client unable to get valid DHCP IP for WLAN using DHCP required
Apr 23 11:16:40.626 *apfReceiveTask Client has been deauthenticated
Apr 23 11:16:40.626 *apfReceiveTask Client expiration timer code set for 60 seconds. The reason: Client entry deleted after the exclusion timer expired (client was blacklisted)
Apr 23 11:16:40.626 *apfReceiveTask Client session has timed out

Attached the capture on the radius server.

 

Rafael,

 

the access reject came from the NPS server side.

attached new debug client f0:4f:7c:da:22:09

The NPS is Rejecting the request.

I saw in other posts, something about the Dial-In Profile and Service Type = Login.

But I don't see this in NPS.

 

 

Rafael, i saw the capture and agree with the NPS is the one that is rejecting the authentication, i am not sure if NPS has a debug / log tool but let's investigate both of us, :)

Hello H-H,

I installed the NPS following the the Document ID: 115988.

For some reason I dont know why the WLC with its IP was missing on the Conditions tab in the connection request policy created for wifi purpouse.

Its working now.

Thanks for your help.

 

Rafael,

 

great to know that everything is working now.

Rafael Jimenez
Level 4
Level 4

Complementing the configuration for Web Radius Authentication with Microsoft NPS, its important be aware the protocol used in the Network policy must be PAP instead of PEAP.

Review Cisco Networking for a $25 gift card