A PC that is a member of another domain can't log in with username and password on our MS RADIUS server

  • Question
  • Updated 3 years ago

Computers that are members of our domain Gymund.dk (see picture below) have no problem. Our student computers, which are not members of any domain, log in fine with their AD username and password.

But if we have a student with a computer that is a member of another domain, they can't log in with their AD account.

It is possible to get this computer on our Wireless Network, but it is not easy.

We are using MS RADIUS server. We think it has something to do with the configuration below.


Jan Boje

Posted 3 years ago

Dawn Douglass

Is the student computer a member of a domain that is in the same forest as Gymund.dk?

Jan Boje

Students' computers are not members of any domain; they use Windows Home.

If we get a teacher coming in from another school and his computer is a member of the domain Roskilde.dk, they can't log in.

We have been told that this is a limitation in Windows RADIUS server on Windows 2008.

At the moment we have a guest SSID that we use for those users.

Nick Lowe, Official Rep

My first question is: Why are you using HiveOS as a RADIUS proxy?
You would be better off sending everything on to NPS directly, for many reasons.

If you have a RADIUS client limit in the edition of Windows Server that you are using, you should consider upgrading to an edition that does not have this.

(Server 2012 Standard edition and later does not have a limit...)

My second question is: Have you verified that the Access-Request packets are getting through to the expected EAP-terminating RADIUS server? If those Access-Request packets are getting through as expected, this cannot have anything to do with HiveOS.

At that point, the concern can only be with the place of EAP termination. Whatever is carrying out that function has to handle talking to other domains to authenticate as necessary.

All the RADIUS proxy configuration is doing is routing things, optionally stripping the realm if desired.
(Edited)

Alan Gordon

Could it be that the students' machines do not have your RADIUS server certificate trust chain installed?!
It would seem likely, as their machines are not joined to the domain.
(Edited)

Jan Boje

Students are not members of any domain - no problem, they log in fine.
The problem is only with computers that are members of another domain. On the RADIUS server we can see that those computers are rejected. Our RADIUS server will not allow a computer that is a member of another domain. This is a known problem with Windows 2008 Server. We will try with Server 2012 and RADIUS to see if this works. But we are busy at the moment (1500 new students).

Bill W.

As Dawn asked, are both domains in the same forest?  If not, have you established a trust relationship between the forests?  If so, is it a one-way or two-way trust?  If it is a one-way trust, which direction is the trust?  I'm thinking along the same lines as Alan that it could be a certificate issue.

Have you tried using the RADIUS Test and Client Monitor to troubleshoot?  They are very helpful in troubleshooting.

Nick Lowe, Official Rep

RADIUS test is of limited use actually as it does not use a TLS-based EAP type as a client would.
It tests if a RADIUS server is responding and little more.
(Edited)

Bill W.

I know it is limited, but it also depends upon how you have NPS configured. We use a tag to tell the APs which NPS server to use.  So the RADIUS Test can tell us if someone mis-configured an AP by not entering a tag or not entering the correct tag. It can also let us know if the NPS server is returning the correct Tunnel-Pvt-Group-ID in case a particular user is being placed on the incorrect VLAN.

So even though it is very limited in the information that is provided, it can be very useful information depending upon the setup of your environment.

Jan Boje

The domain is not in our forest, and they will never be part of our forest/domain.
We know from log files on the RADIUS server that a computer coming from another domain is rejected because of the rule "if you are a member of Gymund.dk then you are ok".
But we will live with that for the moment.

Nick Lowe, Official Rep

If there's no trust relationship between the two domains, authentication won't work.

Without a trust relationship, you'll need to RADIUS proxy over to another RADIUS server that is in that other domain. I'd suggest proxying from the NPS instance that's in the primary domain. You shouldn't be proxying via the APs if you can avoid it.
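Nick's two points in this thread, that a RADIUS proxy only routes Access-Requests (optionally stripping the realm) and that requests for the untrusted domain should be proxied from the primary NPS to that domain's own RADIUS server, come down to one decision per request: which upstream server owns the realm in User-Name, and what User-Name to forward. The Python below is an added example written for this thread; it is not HiveOS or NPS code. The routing table, the placeholder hostnames (`nps.gymund.example`, `radius.roskilde.example`), the NetBIOS alias map and the handling of `host/` machine identities are all assumptions made for the illustration.

```python
"""Realm-based routing as a RADIUS proxy would do it (constructed illustration).

Models the decision a proxy in front of NPS makes for each Access-Request:
look at User-Name, pick the upstream RADIUS server responsible for that
realm, optionally strip the realm, or refuse to forward at all when no
server owns the realm. Routing table and hostnames are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Route:
    server: str        # upstream RADIUS server, placeholder hostname
    strip_realm: bool  # forward "user" instead of "user@realm"


@dataclass(frozen=True)
class Decision:
    server: Optional[str]  # None: no route, the proxy rejects locally
    user_name: str         # User-Name as it would be forwarded
    realm: str


# Constructed routing table; the hostnames are placeholders, not real servers.
ROUTES: Dict[str, Route] = {
    "gymund.dk": Route("nps.gymund.example", strip_realm=False),
    "roskilde.dk": Route("radius.roskilde.example", strip_realm=True),
}
# Assumed NetBIOS-to-DNS mapping so "ROSKILDE\\user" lands in the same realm.
REALM_ALIASES = {"gymund": "gymund.dk", "roskilde": "roskilde.dk"}
DEFAULT_REALM = "gymund.dk"  # a bare user name is treated as local


def normalize_realm(realm: str) -> str:
    """Lower-case the realm and expand a NetBIOS short name to its DNS name."""
    realm = realm.lower()
    return REALM_ALIASES.get(realm, realm)


def parse_identity(user_name: str) -> Tuple[str, Optional[str]]:
    """Split a RADIUS User-Name into (user, realm).

    Covers the shapes a Windows supplicant sends: "user@realm" (UPN),
    "REALM\\user" (domain prefix) and "host/fqdn" for computer
    authentication from a domain-joined PC. Returns realm None when the
    name carries no realm information at all.
    """
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        _host, sep, domain = fqdn.partition(".")
        # Machine identity is kept whole; only the DNS suffix selects the realm.
        return user_name, (normalize_realm(domain) if sep else None)
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return user, normalize_realm(realm)
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return user, normalize_realm(realm)
    return user_name, None


def route_request(user_name: str,
                  routes: Dict[str, Route] = ROUTES,
                  default_realm: str = DEFAULT_REALM) -> Decision:
    """Decide where an Access-Request goes based on its User-Name."""
    user, realm = parse_identity(user_name)
    realm = realm or default_realm
    route = routes.get(realm)
    if route is None:
        # No server owns this realm: do not guess, do not forward.
        return Decision(None, user_name, realm)
    # A host/ identity is never rewritten; stripping only applies to users.
    if route.strip_realm and not user_name.startswith("host/"):
        return Decision(route.server, user, realm)
    return Decision(route.server, user_name, realm)


if __name__ == "__main__":
    # Constructed sample identities: a local student, a local user with a UPN,
    # a visiting teacher's domain-joined laptop (machine + user auth) and an
    # identity from a realm nobody owns.
    for name in ("student", "jan@gymund.dk", "host/laptop01.roskilde.dk",
                 "ROSKILDE\\teacher", "teacher@roskilde.dk", "x@unknown.example"):
        d = route_request(name)
        action = f"forward to {d.server} as {d.user_name!r}" if d.server else "reject"
        print(f"{name:30} realm={d.realm:16} -> {action}")
```

Two details matter for the situation described in the thread. A domain-joined laptop from Roskilde.dk authenticates first as `host/laptop01.roskilde.dk`, and that identity is routed on its DNS suffix and forwarded unchanged, because the remote server needs the full machine name. An identity whose realm is in nobody's routing table is rejected at the proxy rather than forwarded to the local NPS, which is where the "member of Gymund.dk" policy would otherwise reject it anyway while filling the event log with noise.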