NPS set up correctly, HMOL set up correctly, users can't authenticate.

  • Question
  • Updated 2 years ago
Our users cannot authenticate to our RADIUS (NPS) server. The configuration on HiveManager appears to be working correctly according to support. We also tested an AP being able to connect to the NPS server in the tools section of HiveManager (RADIUS test).

On the NPS server, everything appears to be working correctly. The only change made to our environment was that some users who were domain admins were lowered to standard users. I don't think this should have anything to do with the issue, but it was the only change.


If you can point us in the right direction since we do not have much (if any) knowledge on NPS, we would appreciate it greatly.


We are on 6.6 r1 with a Windows 2008 R2 server. 

Checked all the logs that we know about on NPS and can't seem to find any issues.
Eddie Clark

Posted 2 years ago

Dianne Dunlap

You can run Aerohive client debugs to see if you are getting any access accept or access reject from the NPS server (I'm assuming 802.1X). You can interpret NPS logs at iso.csusb.edu/tools/nps-log-interpreter.
If you see neither accept nor reject, the issue is probably in the client, where you need to uncheck 'validate server cert' (for testing), or NPS (where you should be doing PEAP, not Smartcard, at least to begin with).
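
The accept/reject check described in the reply above can also be run against the NPS log file itself. This is an added example, not part of the original thread or of any Aerohive or Microsoft tooling; it assumes NPS is logging in DTS-compliant XML with one `<Event>` per line, and the sample records and user names are constructed.

```python
import xml.etree.ElementTree as ET

REQUEST, ACCEPT, REJECT = 1, 2, 3          # RADIUS codes in Packet-Type
PENDING = "no accept or reject logged"
# Subset of NPS reason codes that matter for the causes raised in this thread.
REASONS = {
    16: "credentials mismatch",
    22: "EAP type cannot be processed by the server",
    23: "error during NPS use of EAP",
    48: "no network policy matched the request",
}

def _event(user, ptype, reason=0):
    """Build one constructed log record, trimmed to the fields used here."""
    return (f'<Event><User-Name data_type="1">{user}</User-Name>'
            f'<Packet-Type data_type="0">{ptype}</Packet-Type>'
            f'<Reason-Code data_type="0">{reason}</Reason-Code></Event>')

# Constructed sample, not real log data. 11 is Access-Challenge.
SAMPLE_LOG = "\n".join([
    _event("alice@corp.example", 1), _event("alice@corp.example", 11),
    _event("alice@corp.example", 2),
    _event("bob@corp.example", 1), _event("bob@corp.example", 3, 48),
    _event("carol@corp.example", 1), _event("carol@corp.example", 11),
    '<Event><User-Name data_type="1">dave@corp.example',   # truncated record
])

def parse_events(text):
    """Yield (user, packet_type, reason_code), skipping malformed records."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("<Event>"):
            continue
        try:
            ev = ET.fromstring(line)
            user = ev.findtext("User-Name")
            ptype = int(ev.findtext("Packet-Type"))
            reason = int(ev.findtext("Reason-Code") or 0)
        except (ET.ParseError, TypeError, ValueError):
            continue                        # e.g. record still being written
        if user:
            yield user.lower(), ptype, reason

def triage(text):
    """Return {user: outcome of the most recent attempt}."""
    outcome = {}
    for user, ptype, reason in parse_events(text):
        if ptype == REQUEST:
            outcome[user] = PENDING         # new attempt, no verdict yet
        elif ptype == ACCEPT:
            outcome[user] = "accept"
        elif ptype == REJECT:
            outcome[user] = "reject: " + REASONS.get(reason, f"reason code {reason}")
    return outcome
```

A user left in the pending state matches the "neither accept nor reject" case, while a reject with reason 48 points at the network policy conditions such as group membership.
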
Jonathan Hurtt

The key will be within your NPS Policy definition. It sounds like moving some users from Domain Users to "Standard Users" might have moved them to another user group. I would check the Policy within your NPS settings to see if this is it.



If you have a user that doesn't work, you can confirm what Groups they are part of by finding the User Account within Active Directory Users and Computers (ADUC) to verify. (Note in this case, this user is not part of the group that is allowed through the NPS policy, thus this user would not be able to authenticate.)



Hope this helps.

Eddie Clark

Update:

After looking through some logs, it turns out that there was an SSL cert error. Not sure exactly what has happened yet (not a priority, yet) but we have been working to try and resolve the issue. One thing that was done was to try to revoke all the certs; we also looked at a restoral, but the sysadmin has been wanting to create another DC (NPS as main function but backup DC) in Hyper-V (the others are VMware). So, he is doing that as we speak. Looking at the configuration guide, it doesn't appear that anything will change in HMOL other than changing the IP address. Is that a correct statement?