Controllerless Networks

last person joined: 2 days ago 

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget
Back to discussions
Expand all | Collapse all

NPS Profile For Office With PEAP/CV2 (OK) + NPS Ext CP For Guest Network (NOT OK)

This thread has been viewed 0 times

  • 1.  NPS Profile For Office With PEAP/CV2 (OK) + NPS Ext CP For Guest Network (NOT OK)

    Posted Dec 09, 2014 08:15 PM

    Hi All,

     

    I am having some problems with my IAP setup that I am hoping I can get some advice about.

     

    I didn't have any problems creating an office network using PEAP/MSChapv2 802.1x authenticating against a 2012 r2 NPS server.

     

    I also didn't have any problems creating a guest network that authenticates against the internal captive portal.

     

    I was also able to add a NAS ID so that when the office network authenticates against NPS that it chooses the rule that applies and then authenticates with the office AD group.

     

    Where I am having problems though, is having the guest network captive portal (redirects fine to the captive portal site) authenticate against the same NPS server.

     

    I have two distinct NAS ID's (with different names in the IAP) pointing to the same NPS server, and as I said this all works fine with the office network.  The captive portal posts fine to the secure site, but then after a bit, comes back with just a number that increments in the top left, with the site url now saying incorrect login.  The NPS logs show no attempt to authenticate, and the IAP alerts tell me it was unable to communicate with the NPS but the setup for both authentication servers is IDENTICAL, other than the NAS ID so I am a little stumped.  It's like the IAP isn't even trying to communicate with NPS and the firewall logs show no traffic.  I have quadruple checked, and the only difference with the auth server on the IAP side is the NAS ID.

     

    Hoping someone can point me in the right direction, thanks in advance.

     

     



  • 2.  RE: NPS Profile For Office With PEAP/CV2 (OK) + NPS Ext CP For Guest Network (NOT OK)
    Best Answer

    Posted Dec 22, 2014 01:28 PM

    you have to allow different methods for the guest network access, probably PAP even, not the MSCHAP(v2) ones.

     

    NPS is nice when it works, but when you need to troubleshoot it is annoying.



  • 3.  RE: NPS Profile For Office With PEAP/CV2 (OK) + NPS Ext CP For Guest Network (NOT OK)

    Posted Dec 22, 2014 03:06 PM

    Thanks boneyard for replying.

     

    I had figured that out in the meantime.  The whole external captive portal setup is kinda like fumbling around in the dark without a flashlight, documentation is lacking.  

     

    That was a minor problem compared to figuring out that:

     

    a) you have to pass back the url of the original requested site once authentication is successful (after reformatting it since the format they send in the request url isn't the format they want back!!!) 

     

    and

     

    b) setting up a listener using jscript to parse the incoming url and appending it to the form submit so successful authentication takes them to their requested page.

     

    In the end though I was able to setup a nice html5 page (local/session storage) ecp that remembers their password (if they use their browser 'remember password') to the public network and stores their acceptance of terms of use, just nags them every 10 times and autosubmits it so they get nagged to death every time they connect.  It's just a public network anyways and password isn't a secret.