802.1X authentication woes with NPS & EAP

Had a frustrating issue with some UniFi APs where clients were not able to authenticate to the Pro models, but OK to the standard UniFis.

Running a packet capture on the NPS server, I could see many Access-Requests arriving at the server with an Access-Challenge immediately being sent back, but the AP would just keep sending the same request and the server was neither rejecting nor allowing the connection.

If you’re having similar sounding issues, try adding a ‘Framed-MTU’ attribute to the Network Policy settings.

The MS article recommends using a Framed-MTU of 1344, but we ended up settling on 1400. We did have jumbo frames enabled on the server running the NPS role, which I think may have been contributing to the problem. Hope this can help someone out!

Framed-MTU Setting
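The symptom described above can be checked mechanically in a capture. This added example (not from the original post) parses RADIUS payloads and flags Access-Requests that are resent unchanged after an Access-Challenge, reporting whether that challenge would have needed IP fragmentation; the addresses, the 1500-byte link MTU and the sample packets are constructed assumptions.

```python
import struct

IP_UDP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte UDP header
LINK_MTU = 1500       # assumption: standard Ethernet MTU on the NPS-to-AP path

def parse_radius(payload):
    """Parse one RADIUS packet (RFC 2865): code, id, authenticator, attributes."""
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(payload[pos + 2:pos + alen])
        pos += alen
    return code, ident, payload[4:20], attrs

def find_stalls(packets):
    """Flag requests resent unchanged after a challenge; packets are (src, dst, udp_payload)."""
    requests, challenges, stalls = {}, {}, {}
    for src, dst, payload in packets:
        code, ident, auth, _attrs = parse_radius(payload)
        if code == 11:    # Access-Challenge, server -> AP
            challenges[(dst, ident)] = len(payload) + IP_UDP_OVERHEAD
        elif code == 1:   # Access-Request, AP -> server
            key = (src, ident, auth)
            requests[key] = requests.get(key, 0) + 1
            # Same identifier and authenticator again means a retransmission:
            # the AP never acted on the challenge the server already sent.
            if requests[key] > 1 and (src, ident) in challenges:
                stalls[(src, ident)] = {
                    "retransmits": requests[key] - 1,
                    "challenge_ip_bytes": challenges[(src, ident)],
                    "exceeds_link_mtu": challenges[(src, ident)] > LINK_MTU,
                }
    return stalls

def build(code, ident, auth, attrs):
    """Build a constructed RADIUS packet for the sample capture below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

# Constructed sample: the AP resends request id 7 after each oversized challenge.
AP, NPS, AUTH = "10.0.0.20", "10.0.0.5", bytes(16)
REQ = build(1, 7, AUTH, [(79, b"\x02" * 40)])        # 79 = EAP-Message
BIG = build(11, 7, AUTH, [(79, b"\x01" * 250)] * 6)  # 1532-byte RADIUS packet
SAMPLE = [(AP, NPS, REQ), (NPS, AP, BIG), (AP, NPS, REQ), (NPS, AP, BIG), (AP, NPS, REQ)]
print(find_stalls(SAMPLE))
```

A stall reported with `exceeds_link_mtu` set points at challenges that had to be fragmented at the IP layer, which is the case lowering the EAP payload size via Framed-MTU addresses.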

 

 


2 Comments

  1. Deniel
    Posted December 23, 2016 at 1:41 am | Permalink

    Hi, I’m having the same problem as you on the UNIFI AC Pro models. I’d like to know the configuration that was applied to the network policies to see if I’m on the right track; my standard UNIFIs authenticate normally.

    • James
      Posted January 5, 2017 at 7:06 am | Permalink

      Hi Deniel – did you get the issue sorted? I think you may have been posting on a UBNT forum I saw
