12-09-2014 05:15 PM
I am having some problems with my IAP setup that I am hoping I can get some advice about.
I didn't have any problems creating an office network using PEAP/MSCHAPv2 802.1X authenticating against a 2012 R2 NPS server.
I also didn't have any problems creating a guest network that authenticates against the internal captive portal.
I was also able to add a NAS ID so that when the office network authenticates against NPS that it chooses the rule that applies and then authenticates with the office AD group.
Where I am having problems though, is having the guest network captive portal (redirects fine to the captive portal site) authenticate against the same NPS server.
I have two distinct NAS IDs (with different names in the IAP) pointing to the same NPS server, and as I said this all works fine with the office network. The captive portal posts fine to the secure site, but then after a bit, comes back with just a number that increments in the top left, with the site URL now saying incorrect login. The NPS logs show no attempt to authenticate, and the IAP alerts tell me it was unable to communicate with the NPS, but the setup for both authentication servers is IDENTICAL, other than the NAS ID, so I am a little stumped. It's like the IAP isn't even trying to communicate with NPS, and the firewall logs show no traffic. I have quadruple checked, and the only difference with the auth server on the IAP side is the NAS ID.
Hoping someone can point me in the right direction, thanks in advance.
12-22-2014 10:28 AM
You have to allow different methods for the guest network access, probably PAP even, not the MSCHAP(v2) ones.
NPS is nice when it works, but when you need to troubleshoot it is annoying.
12-22-2014 12:06 PM
Thanks boneyard for replying.
I had figured that out in the meantime. The whole external captive portal setup is kinda like fumbling around in the dark without a flashlight, documentation is lacking.
That was a minor problem compared to figuring out that:
a) you have to pass back the URL of the original requested site once authentication is successful (after reformatting it, since the format they send in the request URL isn't the format they want back!!!)
b) setting up a listener using jscript to parse the incoming URL and appending it to the form submit so successful authentication takes them to their requested page.
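
A sketch of the listener described in points a) and b) above, added here as an example and not the poster's code. The `url` query parameter, the `redirect_url` hidden field name and the fallback address are assumptions; the target is validated before it is posted back so the portal cannot be used to bounce clients to arbitrary schemes.

```javascript
// Added example. Assumed names (not from the thread or vendor docs):
// query parameter "url", hidden field "redirect_url", the fallback URL.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Pull the originally requested URL out of the portal's query string and
// return a normalized absolute URL, or `fallback` if it is missing or unsafe.
function extractReturnUrl(search, fallback) {
  const params = new URLSearchParams(search); // percent-decodes once
  let raw = params.get("url");
  if (!raw) return fallback;
  raw = raw.trim();
  // Assumption: a target sent without "scheme://" is treated as plain http.
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(raw)) raw = "http://" + raw;
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (e) {
    return fallback; // not parseable as an absolute URL
  }
  // Reject javascript:, data:, file: and similar targets.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return fallback;
  // Reject embedded credentials, which can disguise the real host.
  if (parsed.username || parsed.password) return fallback;
  return parsed.href;
}

// Append the validated target to the login form as a hidden field.
function attachReturnUrl(form, search, fallback) {
  const field = form.ownerDocument.createElement("input");
  field.type = "hidden";
  field.name = "redirect_url";
  field.value = extractReturnUrl(search, fallback);
  form.appendChild(field);
  return field.value;
}

// Browser-only wiring; skipped when the file is loaded outside a page.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    const form = document.querySelector("form");
    if (form) attachReturnUrl(form, window.location.search, "http://example.com/");
  });
}
```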