iDevices, AD authentication, and no connectivity

Kevin Parsons
Level 1

Hello all!

I recently deployed a 2504 WLC running 7.5.102 firmware, 20 x 2602I APs deployed. I have a staff SSID that authenticates from their AD infrastructure via NPS (Win2K8) and a guest SSID that authenticates with a pre-shared key from the WLC.

I ran into the issue where i-Devices (iPhones, iPads, etc.) couldn't connect to Gmail and download emails. After a quick minute of research I discovered that adjusting the MTU to 1300 fixes the problem. Applied the fix, rebooted, and yes, it worked, with one exception.

The guest SSID allows the i-Devices to connect to Gmail, but the staff (AD authenticated) SSID still does not.

Has anyone run into this before? I can't find any information regarding AD authentication (or NPS) being an issue with this type of connectivity. Or is it something else altogether?!?!?!?

Thanks in advance for any help.

Kevin

12 Replies

fb_webuser
Level 6

is Gmail the only website you couldn't connect to?

---

Posted by WebUser Erik Boss from Cisco Support Community App

It is the only site this particular customer has reported having issues with. Their mail "back end" is Google.

I use my iPad and iPhone to concurrently connect to Gmail, AIM, MSN and Yahoo, and while implementing another WLC for another customer, same code version, I ran into the same problem. As soon as I implemented the above-mentioned fix and rebooted the WLC, I could access all services.

It seems to be related to the fact that the staff SSID is authenticating to AD via Win2K8 NPS.  The guest SSID, authenticating via PSK off the WLC, works just fine.

I have not run into that at all... My home setup is a 2504 and 3600s, 2600s and an AP801, and I have Gmail, iCloud, Exchange and Yahoo on my MacBook Pro, iPads and iPhones and don't have issues getting mail from them. It's weird that you have issues. I have not heard of any of my clients experiencing this either, especially in schools where they use Gmail for email.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

I ran into an MTU issue on the controller one time in all the years doing Cisco wifi. It was a few years back. We found some devices could connect to specific sites while others couldn't. We found the devices that couldn't were sending larger frames. Setting the WLC to a smaller MTU, it would break up the client frames to allow them to pass. The issue for us was a firewall setting. It dropped the larger frame. As I recall ..

There is likely something on your network path not liking the larger frame .. My guess

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
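George's diagnosis (a hop on the path silently dropping frames above some size) is the classic path-MTU black hole, and the quickest way to confirm it is a Don't-Fragment probe walked down from 1500 until echoes start passing. The script below is an added example, not something posted in the thread: `find_path_mtu` binary-searches the largest IP packet that a probe function accepts, `linux_df_probe` is the real probe (it assumes iputils `ping` on Linux, where `-M do` sets DF and `-s` is the ICMP payload size), and `simulated_probe` is a constructed stand-in for a firewall that drops anything over a chosen size so the logic can be exercised offline.

```python
"""Locate a path-MTU black hole with Don't-Fragment probes.

Added example (not from the thread). Binary search over a DF probe; the live
probe assumes iputils ping on Linux, the simulated probe is a constructed
model of a hop that drops oversized DF packets.
"""
import subprocess
from typing import Callable

IP_HEADER = 20     # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo request header
OVERHEAD = IP_HEADER + ICMP_HEADER


def linux_df_probe(host: str, payload: int, timeout_s: int = 1) -> bool:
    """True if `payload` bytes of ICMP data reach `host` with DF set.

    Assumes iputils ping: `-M do` forbids fragmentation, `-s` is payload size.
    A non-zero exit (timeout or "message too long") means the size did not pass.
    """
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
         "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
    )
    return result.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 68, hi: int = 1500) -> int:
    """Largest IP packet size in [lo, hi] for which `probe` succeeds.

    `probe` receives an ICMP payload size (IP size minus headers) and reports
    whether the echo came back. Monotonic assumption: if size N passes, every
    smaller size passes too, which holds for a single dropping hop.
    """
    if not probe(lo - OVERHEAD):
        raise RuntimeError("even the minimum probe failed; host unreachable?")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid - OVERHEAD):
            lo = mid          # mid passes, answer is at least mid
        else:
            hi = mid - 1      # mid dropped, answer is below mid
    return lo


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed network model: a hop drops DF packets larger than path_mtu."""
    def probe(payload: int) -> bool:
        return payload + OVERHEAD <= path_mtu
    return probe


if __name__ == "__main__":
    # Offline demo: a simulated firewall that silently drops anything over 1300.
    print("simulated path MTU:", find_path_mtu(simulated_probe(1300)))
    # Live use on Linux (host name is an assumption, pick the mail server you test):
    # print(find_path_mtu(lambda n: linux_df_probe("imap.gmail.com", n)))
```

If the live search lands well below 1500 on the staff SSID but at 1500 on the guest SSID from the same AP, the difference is in the path those clients take (VLAN, ACL or firewall policy), not in the radio side of the WLC.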

I would agree George, but the SSIDs that are authenticating locally to the WLC via PSK are traversing the network just fine after globally setting the MTU for all APs to 1300. It worked on two WLCs for me in the last two days.

The remaining problem seems to be somehow connected to the fact that this particular SSID is authenticating via RADIUS to a Win2K8 NPS for AD authentication.

I think I see a TAC call in my near future.

Kevin

Kevin,

Strange .. Can you please keep this thread updated with what you find working with TAC? Thanks

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."


The authentication method should make no difference, as once the client is in a RUN state AD would be out of the picture.

But, are you returning any attributes from the NPS? There could be something in the AD profile that is setting an MTU that is conflicting with what you are setting on the WLC.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
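Steve's question is concrete enough to check on the wire: RFC 2865 defines Framed-MTU as RADIUS attribute type 12, a 4-byte integer, and NPS can return it in an Access-Accept. A capture of the RADIUS exchange between the WLC and the NPS server answers it directly. The decoder below is an added example, not code from the thread or from Cisco or Microsoft: it walks the attribute TLVs of a RADIUS packet, rejects inconsistent lengths (a client that trusts the length bytes blindly is the usual parser bug), and reports whether a Framed-MTU was sent. The two packets are constructed for the example with a zeroed authenticator; whether a given NAS actually applies a Framed-MTU it receives is vendor-specific and not something this script can tell you.

```python
"""Decode RADIUS attributes and report Framed-MTU (RFC 2865 type 12).

Added example, not from the thread. Sample packets are constructed here;
the 16-byte authenticator is left zeroed because only the attribute list
is of interest.
"""
import struct

ATTR_NAMES = {1: "User-Name", 6: "Service-Type", 7: "Framed-Protocol",
              12: "Framed-MTU", 26: "Vendor-Specific", 64: "Tunnel-Type",
              65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}
INTEGER_ATTRS = {6, 7, 12}   # encoded as 4-byte big-endian integers
FRAMED_MTU = 12
HEADER_LEN = 20              # code(1) id(1) length(2) authenticator(16)


def build_packet(code: int, identifier: int, attrs) -> bytes:
    """Assemble a RADIUS packet from (type, value) pairs; authenticator zeroed."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + bytes(16) + body


def parse_attributes(packet: bytes):
    """Return (code, [(type, raw_value), ...]); raise on inconsistent lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != {len(packet)} bytes on the wire")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("attribute header runs past packet end")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has invalid length {alen}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def framed_mtu(packet: bytes):
    """Framed-MTU value if the server sent one, else None."""
    _code, attrs = parse_attributes(packet)
    for atype, value in attrs:
        if atype == FRAMED_MTU:
            if len(value) != 4:
                raise ValueError("Framed-MTU must be a 4-byte integer")
            return struct.unpack("!I", value)[0]
    return None


def describe(packet: bytes):
    """Human-readable attribute list, e.g. ['User-Name=kparsons', 'Framed-MTU=1300']."""
    out = []
    for atype, value in parse_attributes(packet)[1]:
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        if atype in INTEGER_ATTRS and len(value) == 4:
            out.append(f"{name}={struct.unpack('!I', value)[0]}")
        elif atype == 1:
            out.append(f"{name}={value.decode('utf-8', 'replace')}")
        else:
            out.append(f"{name}={value.hex()}")
    return out


# Constructed sample: Access-Accept (code 2) carrying Service-Type=Framed-User
# and Framed-MTU=1300 (0x0514).
SAMPLE_WITH_MTU = build_packet(2, 7, [(1, b"kparsons"),
                                      (6, b"\x00\x00\x00\x02"),
                                      (12, b"\x00\x00\x05\x14")])
# Constructed sample: the same accept with no MTU attribute at all.
SAMPLE_WITHOUT_MTU = build_packet(2, 8, [(1, b"kparsons"),
                                         (6, b"\x00\x00\x00\x02")])

if __name__ == "__main__":
    for pkt in (SAMPLE_WITH_MTU, SAMPLE_WITHOUT_MTU):
        print(describe(pkt), "->", framed_mtu(pkt))
```

To apply it to a real capture, export the Access-Accept bytes from the RADIUS exchange (UDP 1812 between the WLC's management address and the NPS server) and pass them to `describe`; an EAP accept will also carry Vendor-Specific (26) attributes, which this decoder prints as hex without interpreting.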

Stephen,

Interesting.

As far as I know NPS is not returning any attributes. I am not an NPS guru; can you elaborate on which attributes I need to look into to confirm? Or is there anything else about the NPS that would impact this that I can check for?

http://technet.microsoft.com/en-us/library/cc771164%28v=ws.10%29.aspx

This would be a good place to start.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

George,

Definitely will!

Kevin Parsons
Level 1

OK, I guess it helps to know when another of your engineers is messing with the ACLs and firewall rules.

Apparently the customer had outbound rules on their firewall that were blocking this from happening. At least my faith in the configuration of the WLC has been restored...

Haha

Sent from Cisco Technical Support iPhone App
