My goal is to set it up so that when a computer is plugged into a network jack, it'll use 802.1X to authenticate the computer and allow it on the network. Any computer that does not authenticate gets put into a guest VLAN.
I have the guest VLAN portion working; however, I'm having problems because the computers which should be granted access are not authenticating.
The computers involved are:
2008 R2 Domain Controller - 192.168.1.2
2008 R2 Member Server running NPS - 192.168.1.10
HP Procurve 2530 switch - 192.168.1.4 - Port 48 configured for 802.1X and Port 37 no configuration
Test Workstation - 192.168.1.54 when using port 37. 192.168.5.25 when using port 48 - NTRadPing client
On the Domain Controller I have AD Certificate Services installed. I have User, Workstation Authentication and RAS and IAS Server certificate templates with autoenroll enabled. The Test Workstation has a User and WA certificate issued to it.
Here are the settings:
I added both the HP Switch and the Test Workstation NTRadPing as RADIUS clients to NPS. I then created 2 Connection Request Policies for them with the following settings:
For the Test Workstation I used the Client IPv4 Address of 192.168.1.54.
For the Network Policy I have:
I have similar settings for Test Workstation client except the settings for that are just Framed-Protocol - PPP and Service-Type - Framed.
When I use NTRadPing from the Test Workstation with CHAP checked I get this:
I get the following in the NPS log file:
<Event>
<Timestamp data_type="4">02/10/2016 15:05:41.738</Timestamp>
<Computer-Name data_type="1">PLANFIRST-NPS</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Client-IP-Address data_type="3">192.168.1.54</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">Conf-Laptop</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Conf-Laptop TEST</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<User-Name data_type="1">npsuser</User-Name>
<SAM-Account-Name data_type="1">PLANFIRST\npsuser</SAM-Account-Name>
<Authentication-Type data_type="0">2</Authentication-Type>
<NP-Policy-Name data_type="1">Conf-Laptop_TEST</NP-Policy-Name>
<Class data_type="1">311 1 192.168.1.10 02/10/2016 20:05:33 1</Class>
<Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
<MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>
<MS-Quarantine-State data_type="0">0</MS-Quarantine-State>
<Fully-Qualifed-User-Name data_type="1">planfirst.local/Users/NPS TEST</Fully-Qualifed-User-Name>
<Packet-Type data_type="0">1</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>
<Event>
<Timestamp data_type="4">02/10/2016 15:05:41.738</Timestamp>
<Computer-Name data_type="1">PLANFIRST-NPS</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 192.168.1.10 02/10/2016 20:05:33 1</Class>
<MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>
<Client-IP-Address data_type="3">192.168.1.54</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">Conf-Laptop</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Conf-Laptop TEST</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<MS-Quarantine-State data_type="0">0</MS-Quarantine-State>
<SAM-Account-Name data_type="1">PLANFIRST\npsuser</SAM-Account-Name>
<Authentication-Type data_type="0">2</Authentication-Type>
<NP-Policy-Name data_type="1">Conf-Laptop_TEST</NP-Policy-Name>
<Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
<Framed-Protocol data_type="0">1</Framed-Protocol>
<Service-Type data_type="0">2</Service-Type>
<Fully-Qualifed-User-Name data_type="1">planfirst.local/Users/NPS TEST</Fully-Qualifed-User-Name>
<Packet-Type data_type="0">2</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>
When I plug the Test Workstation into Port 48, I get put into the guest VLAN and the log file from NPS is:
<Event>
<Timestamp data_type="4">02/10/2016 15:15:23.849</Timestamp>
<Computer-Name data_type="1">PLANFIRST-NPS</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Framed-MTU data_type="0">1480</Framed-MTU>
<NAS-IP-Address data_type="3">192.168.1.4</NAS-IP-Address>
<NAS-Identifier data_type="1">HP-2530-48G</NAS-Identifier>
<Service-Type data_type="0">2</Service-Type>
<Framed-Protocol data_type="0">1</Framed-Protocol>
<NAS-Port data_type="0">48</NAS-Port>
<NAS-Port-Type data_type="0">15</NAS-Port-Type>
<NAS-Port-Id data_type="1">48</NAS-Port-Id>
<Called-Station-Id data_type="1">40-a8-f0-fd-39-80</Called-Station-Id>
<Calling-Station-Id data_type="1">a4-ba-db-bc-b6-44</Calling-Station-Id>
<Connect-Info data_type="1">CONNECT Ethernet 1000Mbps Full duplex</Connect-Info>
<Vendor-Specific data_type="2">0000000BFF09011A0000000B28</Vendor-Specific>
<Vendor-Specific data_type="2">0000000BFF09011A0000000B2E</Vendor-Specific>
<Vendor-Specific data_type="2">0000000BFF09011A0000000B30</Vendor-Specific>
<Vendor-Specific data_type="2">0000000BFF09011A0000000B3D</Vendor-Specific>
<Vendor-Specific data_type="2">0000000BFF040138</Vendor-Specific>
<Vendor-Specific data_type="2">0000000BFF04013A</Vendor-Specific>
<Vendor-Specific data_type="2">0000000BFF040140</Vendor-Specific>
<Vendor-Specific data_type="2">0000000BFF040141</Vendor-Specific>
<Vendor-Specific data_type="2">0000000BFF040151</Vendor-Specific>
<Client-IP-Address data_type="3">192.168.1.4</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">HP Switch</Client-Friendly-Name>
<MS-RAS-Vendor data_type="0">11</MS-RAS-Vendor>
<Proxy-Policy-Name data_type="1">HP Switch</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<User-Name data_type="1">PLANFIRST\npsuser</User-Name>
<SAM-Account-Name data_type="1">PLANFIRST\npsuser</SAM-Account-Name>
<Fully-Qualifed-User-Name data_type="1">PLANFIRST\npsuser</Fully-Qualifed-User-Name>
<Class data_type="1">311 1 192.168.1.10 02/10/2016 20:14:24 1</Class>
<Authentication-Type data_type="0">2</Authentication-Type>
<Packet-Type data_type="0">1</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>
<Event>
<Timestamp data_type="4">02/10/2016 15:15:23.849</Timestamp>
<Computer-Name data_type="1">PLANFIRST-NPS</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 192.168.1.10 02/10/2016 20:14:24 1</Class>
<Authentication-Type data_type="0">2</Authentication-Type>
<Fully-Qualifed-User-Name data_type="1">PLANFIRST\npsuser</Fully-Qualifed-User-Name>
<SAM-Account-Name data_type="1">PLANFIRST\npsuser</SAM-Account-Name>
<Provider-Type data_type="0">1</Provider-Type>
<Proxy-Policy-Name data_type="1">HP Switch</Proxy-Policy-Name>
<Client-Friendly-Name data_type="1">HP Switch</Client-Friendly-Name>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-IP-Address data_type="3">192.168.1.4</Client-IP-Address>
<Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">16</Reason-Code>
</Event>
I bolded the parts where NTRadPing using CHAP is accepted, but going through the HP Switch I get rejected.
The switch settings are:
radius-server host 192.168.1.10 key "shared key"
radius-server host 192.168.1.10 dyn-authorization
aaa authentication port-access chap-radius
aaa port-access gvrp-vlans
aaa port-access authenticator 48
aaa port-access authenticator 48 unauth-vid 5
aaa port-access authenticator 48 client-limit 1
aaa port-access authenticator active
I've tried changing the GPO for the Wired 802.1X settings to all the different options and I still cannot get authenticated.
Anyone able to help out?
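As an added example (not code from the original post), a small Python parser for the IAS-format XML log shown above: it decodes the numeric Packet-Type, Authentication-Type and Reason-Code fields using the values from Microsoft's NPS log format, and pulls out the Access-Reject events so the reason for a supplicant landing in the unauthenticated VLAN can be read directly. The embedded sample log is constructed from the events quoted in the question.

```python
import xml.etree.ElementTree as ET

# Code tables from the NPS/IAS XML log format (only the values needed here).
PACKET_TYPE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
AUTH_TYPE = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP", 7: "None", 11: "PEAP"}
REASON = {0: "IAS_SUCCESS", 16: "IAS_AUTH_FAILURE (user credentials mismatch)"}

# Constructed sample modelled on the post: the NTRadPing CHAP request that was
# accepted, then the 802.1X attempt via the switch that was rejected with code 16.
SAMPLE_LOG = r"""
<Event><Timestamp data_type="4">02/10/2016 15:05:41.738</Timestamp>
<Client-Friendly-Name data_type="1">Conf-Laptop</Client-Friendly-Name>
<User-Name data_type="1">npsuser</User-Name>
<Authentication-Type data_type="0">2</Authentication-Type>
<Packet-Type data_type="0">2</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">02/10/2016 15:15:23.849</Timestamp>
<NAS-Port-Type data_type="0">15</NAS-Port-Type>
<Client-Friendly-Name data_type="1">HP Switch</Client-Friendly-Name>
<SAM-Account-Name data_type="1">PLANFIRST\npsuser</SAM-Account-Name>
<Authentication-Type data_type="0">2</Authentication-Type>
<Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">16</Reason-Code></Event>
"""

def parse_events(log_text):
    """IAS logs are a bare sequence of <Event> elements with no root, so wrap them first."""
    root = ET.fromstring("<Log>" + log_text + "</Log>")
    return [{c.tag: (c.text or "") for c in ev} for ev in root.findall("Event")]

def decode(ev):
    """Translate the numeric fields an operator needs into their names."""
    def name(tag, table):
        v = ev.get(tag)
        return table.get(int(v), "unknown(%s)" % v) if v is not None else "n/a"
    return {"time": ev.get("Timestamp"),
            "client": ev.get("Client-Friendly-Name"),
            "user": ev.get("User-Name") or ev.get("SAM-Account-Name"),
            "packet": name("Packet-Type", PACKET_TYPE),
            "auth": name("Authentication-Type", AUTH_TYPE),
            "reason": name("Reason-Code", REASON)}

def find_rejects(log_text):
    """Decoded Access-Reject events: the Reason-Code there says why NPS refused."""
    return [decode(ev) for ev in parse_events(log_text) if ev.get("Packet-Type") == "3"]

if __name__ == "__main__":
    for r in find_rejects(SAMPLE_LOG):
        print(r)
```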