Monday, June 24, 2019

802.1x Authentication with Cisco Catalyst 3850 WLC + NPS as RADIUS Server + Cisco Aironet 1600 series AP

Hello guys,

I have set up a test lab that I hope to eventually roll out to our production environment to lock down wireless access to our corporate network. The goal is to set up an SSID that uses 802.1x authentication, which will then use our RADIUS server to authenticate a user to the wireless network. I will try to include as many details as I can in this post, so please forgive me if it seems a bit long-winded. If I'm posting this in the wrong subreddit, please guide me in the right direction. Also, if there is any information that I am missing that would help, feel free to let me know and I will update this post.

Test LAB Gear

  • Cisco Catalyst 3850 Switch configured as a wireless mobility controller.
  • Windows Server 2012 Standard Server with NPS installed.
  • Cisco Aironet 1600 Series wireless AP.
  • Windows 10 Professional Laptop (client)

Articles Followed

To start, I've configured my NPS to use LOCAL authentication (not Active Directory) to authenticate users to the test wireless network.

Cisco Switch Configuration

aaa new-model
!
! The shared secret is not shown in the post; it must match the RADIUS
! client entry for this switch on the NPS. Placeholder shown here.
radius server NPS
 address ipv4 192.168.100.2 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius TEST_RADIUS
 server name NPS
!
! "security dot1x authentication-list TEST_RADIUS" on the WLAN names an
! AAA method list, not the server group, so a list with that name must
! exist; the default list alone does not satisfy the reference.
aaa authentication dot1x default group TEST_RADIUS
aaa authentication dot1x TEST_RADIUS group TEST_RADIUS
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description RADIUS server port; SVI is 192.168.100.1
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description Cisco Aironet 1600 series AP
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface Vlan10
 description Wireless AP Management LAN
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 description Wireless Client LAN
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
!
wireless mobility controller
wireless management interface Vlan10
!
wlan dot1xtest 1 DOT1XTEST
 client association limit 200
 client vlan 20
 ! As posted, the WLAN first disabled WPA ("no security wpa", "no security
 ! wpa wpa2", ...) and then enabled "security dot1x", which on this platform
 ! is legacy 802.1X with dynamic WEP keys, not WPA2-Enterprise. WPA2/AES with
 ! the 802.1X AKM is the form an 802.1X WLAN normally uses:
 security wpa wpa2 ciphers aes
 security wpa akm dot1x
 security dot1x authentication-list TEST_RADIUS
 no shutdown

Windows Server 2012 Standard + NPS

  • NAS-Port-Type: Wireless - IEEE 802.11
  • Authentication Type EAP (Microsoft Protected EAP or PEAP)
  • User Groups: RADIUSTEST\dot1x
    • I created a local user group called "dot1x" on the Windows Server 2012 server to test authentication with. I created a few local user accounts and added them to this dot1x group.
  • I did NOT install a server certificate for this configuration.

I can see my SSID "DOT1XTEST" appear when I try to connect to it from my client laptop. However, when I enter the username and password for one of the local users I configured on the Windows Server, it doesn't authenticate. Eventually, Windows 10 will tell me "Can't connect to this network". I've tried connecting using the [Name_of_Server]\[Username], but still no luck.

Any advice is much appreciated. Again, sorry for this long-winded post.
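As an added check that is not part of the original post: the script below sends a single RADIUS Access-Request (PAP) straight to the NPS and verifies the Response Authenticator with the shared secret, which separates "server unreachable / not a configured RADIUS client / wrong shared secret" from anything on the 802.1X or wireless side. The server address 192.168.100.2 and the switch SVI 192.168.100.1 are taken from the post; the shared secret, user name and password are placeholders supplied on the command line, and the sample reply used offline is constructed by the script itself for illustration.

```python
"""RADIUS (RFC 2865) Access-Request probe for an NPS server.
Added example for this post, not the author's code. Addresses are from the
post; the shared secret and account are placeholders you supply."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19  # the "Wireless - IEEE 802.11" NPS condition


def encode_user_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block); block 1 uses the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def decode_user_password(secret: bytes, request_auth: bytes, encrypted: bytes) -> bytes:
    """Inverse of encode_user_password (the server's side); NUL padding stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, username, password, nas_ip, identifier, request_auth=None):
    """Returns (packet, request_authenticator); the authenticator is random unless
    one is supplied for a reproducible offline check."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encode_user_password(secret, request_auth, password.encode()))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(secret, request_auth, code, identifier, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(secret, request_auth, code, identifier, attrs=b""):
    """What the server computes; used here only to construct a sample reply offline."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(secret, request_auth, code, identifier, attrs) + attrs


def parse_response(secret, request_auth, identifier, packet):
    """Returns (code, attrs); raises ValueError when the reply does not verify,
    which is exactly how a shared-secret mismatch shows up on the client side."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != identifier or length < 20 or length > len(packet):
        raise ValueError("identifier or length mismatch")
    attrs = packet[20:length]  # octets beyond Length are padding per the RFC
    expected = response_authenticator(secret, request_auth, code, ident, attrs)
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Response Authenticator: shared secret mismatch or forged reply")
    return code, attrs


def check_radius(server, secret, username, password, nas_ip, timeout=3.0):
    """Send one PAP Access-Request to UDP/1812 and describe the outcome."""
    identifier = os.urandom(1)[0]
    request, request_auth = build_access_request(secret, username, password, nas_ip, identifier)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 1812))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: server unreachable, UDP/1812 filtered, or this source IP is not a RADIUS client on the NPS"
    code, _ = parse_response(secret, request_auth, identifier, data)
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, f"code {code}")


if __name__ == "__main__":
    import sys
    # usage: radius_probe.py 192.168.100.2 <shared-secret> <user> <password> [nas-ip]
    server, secret, user, pw = sys.argv[1:5]
    nas = sys.argv[5] if len(sys.argv) > 5 else "192.168.100.1"  # switch SVI from the post
    print(check_radius(server, secret.encode(), user, pw, nas))
```

Run it from a host whose IP is defined as a RADIUS client on the NPS (NPS silently discards requests from unknown sources, hence the timeout message). An Access-Accept needs PAP enabled in the matching network policy; with PEAP-only policies you will get an Access-Reject, but a Reject whose Response Authenticator verifies still proves the secret and the path are right, and a ValueError on verification means the secret does not match.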


