Server 2008 RADIUS issue

  • Updated 4 years ago
I have got an Aerohive network which runs over an MPLS network. At a site, we have got 3 SSIDs published: staff, guest and corporate. The staff and guest use WPA, and the corp uses a Microsoft CA server and NPS server for the RADIUS. Users can connect OK to the staff and guest, get an IP address and do what they need. The issue I have is with the CORP: the end user gets a self-assigned IP, 169.254. From looking at the client monitor, and debugging on the Cisco switch, I can see the DORA process: the client sends out a discover message, the DHCP server sends an offer message, but the client never acknowledges it, and then it times out. The setup is working in HQ and the client I have been using works there, so I know the laptop is fine. I have also tried assigning a static address and this won't connect either, but the 2 SSIDs using WPA work fine, so there is something up with the RADIUS but I don't know what and was hoping someone on here might be able to help?
Dan Clarkson

Posted 4 years ago

Andrew MacTaggart, Champ
Use Client Monitor to troubleshoot where the breakdown is occurring.

Check out Gregor's quick troubleshooting video:

https://vimeo.com/88227044

I would check your authentication logs as well.

DHCP would occur after the 4-way handshake.

http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/its-not-a-wi-fi-problem-use-vlan-probe...

http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/troubleshooting-wi-fi-connectivity-wit...

As quoted from David's blog post:

"When the 4-Way Handshake completes, the encryption keys are installed and the Layer 2 connection is completed. The virtual controlled port on the authenticator (Aerohive AP) opens up for this Wi-Fi client, who can now proceed to higher layers and get an IP address. If the client does not get an IP address there is a networking issue and therefore the problem is not a Wi-Fi issue. Most likely there is an improperly configured VLAN."


A

Dan Clarkson
Hi, I used the client monitor. I can see the 4-way handshake happening for the RADIUS authentication, which completes fine, and I have also checked the logs on the NPS server and these say full access has been given. When it comes to the DHCP DORA process, using the client monitor, I can see the DISCOVER message, I can then see the server go back with an OFFER, but the client never comes back with the REQUEST. This is all working fine in the head office; it uses the same RADIUS server, but a different DHCP server. At the HQ it uses a Windows server, and at the remote site it uses a Cisco router. The other 2 SSIDs that are using WPA work fine; I can see them authenticate and see the DORA DHCP process complete. It is only the RADIUS one that I'm having the issue with. I have done some debugging on the Cisco and what is shown in client monitor is also shown in the Cisco logs. If I take Wi-Fi out of the equation, and use a wired connection connected to the same network, this works fine. So I believe the issue is something to do with the RADIUS but I don't know what. Thanks for your help.
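As an added example (not from the original post or from Aerohive), a small Python script that walks DHCP-server debug lines like the ones described above and lists clients that received an OFFER but never sent a REQUEST, i.e. exactly the stall seen on the corp SSID. The log format, MACs, VLAN names and addresses are constructed for the example, not any vendor's exact output.

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic DHCP-server debug style (not any
# vendor's exact format): client ...01 completes DORA; client ...02 is
# offered a lease twice but never sends a REQUEST (ends up on 169.254.x.x).
SAMPLE_LOG = """\
12:00:01 DHCPD: DHCPDISCOVER from aa:bb:cc:00:00:01 via Vlan10
12:00:01 DHCPD: DHCPOFFER 10.1.10.50 to aa:bb:cc:00:00:01 via Vlan10
12:00:02 DHCPD: DHCPREQUEST for 10.1.10.50 from aa:bb:cc:00:00:01 via Vlan10
12:00:02 DHCPD: DHCPACK 10.1.10.50 to aa:bb:cc:00:00:01 via Vlan10
12:00:05 DHCPD: DHCPDISCOVER from aa:bb:cc:00:00:02 via Vlan20
12:00:05 DHCPD: DHCPOFFER 10.1.20.77 to aa:bb:cc:00:00:02 via Vlan20
12:00:09 DHCPD: DHCPDISCOVER from aa:bb:cc:00:00:02 via Vlan20
12:00:09 DHCPD: DHCPOFFER 10.1.20.77 to aa:bb:cc:00:00:02 via Vlan20
"""

# Message type, client MAC and the interface/VLAN the server saw it on.
LINE_RE = re.compile(
    r"DHCP(?P<msg>DISCOVER|OFFER|REQUEST|ACK)\b.*?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}).*?via (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_dora(log):
    """Per client MAC: which DORA messages were seen, how many DISCOVERs
    were sent (repeats mean the client never accepted an OFFER), and the
    interfaces/VLANs the exchange was seen on."""
    clients = defaultdict(lambda: {"seen": set(), "discovers": 0, "ifaces": set()})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        c = clients[m["mac"].lower()]
        msg = m["msg"].upper()
        c["seen"].add(msg)
        c["ifaces"].add(m["iface"])
        if msg == "DISCOVER":
            c["discovers"] += 1
    return dict(clients)


def stalled_after_offer(clients):
    """MACs offered a lease that never sent a REQUEST. The server answered,
    so the OFFER is not reaching the client: check which VLAN the client
    actually landed in (RADIUS-assigned vs. configured) and the switch CAM table."""
    return sorted(mac for mac, c in clients.items()
                  if "OFFER" in c["seen"] and "REQUEST" not in c["seen"])
```

Running `stalled_after_offer(parse_dora(SAMPLE_LOG))` on the constructed log returns only the second client, with `discovers` showing how many times it retried.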
Dan Clarkson
I have set the VLAN tag and set this as the default VLAN in the user profile. It's strange: at our head office this works fine, it's just at the remote site. I have also tried assigning a static address, but this does not work. It shows connected on the laptop, but when you try to ping anything you can't.
Andrew MacTaggart, Champ
Is it working now?

You can always verify the switch CAM table for the client's MAC address to see if it is being assigned the correct VLAN.

A
Dan Clarkson
No, still not working. If I look at the switch's ARP table there's an entry in there, and the switch also shows as having given out an IP address, but when you look on the client it's got the IP address 169.254. Also, when you debug the DHCP packets on the switch you can see the DHCP discover coming in on the right interface.
Andrew MacTaggart, Champ
Have you tried a complete upload and reboot of the AP?

I have never worked with MS RADIUS, but you might want to try to simplify things for testing.
On C's ACS I can create separate service selections for the authenticators.

If possible, maybe you should create a separate service just for the branch, and not assign the VLAN. Then just assign the VLAN via the default VLAN in the user profile.

Also, you may want to clone your network profile, so you don't mess up the corp setup.

I assume that no firewall lists are assigned to the user profile.
Dan Clarkson
Hi, there is no firewall in place, and I have tried uploading the config and rebooting the AP, and no joy.