RADIUS Authentication Not Working

REF: http://www.experts-exchange.com/Networking/Wireless/Q_28153280.html

Ok - I have both a Server 2008 R1 and a Server 2012 setup with NPS. Neither is working. They both appear to give the same error message. Dlink is still saying that it is supported but is not much help. This is the error from the log file on the NPS. Can anybody decipher this?

"NPS","IAS",10/10/2013,16:01:01,3,,"DOMAINSHORTNAME\USER",,,,,,,,0,"192.168.0.145","Dlink Closet AP",,,,,,,5,"Secure Wireless Connections 2",22,"311 1 192.168.0.17 10/10/2013 19:58:53 5",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections 2",1,,,,

I have tried authenticating using all possible forms of domain formats (full domain name, short domain name, etc.). I have manually configured the wireless as mentioned in the previous post listed at the top of the question.

Looking for any more pearls of wisdom,

Thanks.
Ryan Rood asked:

Jakob Digranes (Senior Consultant) commented:
Hi

You're looking at the wrong logs. Try to get the logs from either Customized View and server roles, or from Event Viewer - Security - look for Network Policy Server logs.

But to get this working, here are a few things to consider:
1. Make sure the AP is in the RADIUS Client list (yours appears to be okay, but still, check).
2. Make sure the Preshared Key is correct.
3. What Network Policy have you configured? If you're not using client-side certificates, I'd recommend using PEAP as the EAP type and MS-CHAPv2 as the inner authentication method.
4. If you're using PEAP or EAP-TLS (mutual certificates) as the EAP type, make sure NPS has a valid certificate that clients trust.
5. Make sure the clients' wireless settings match the ones on the server, i.e. if the server is set to PEAP + MS-CHAPv2 then the client must be set to PEAP + MS-CHAPv2 as well. If the server is granting access to User only, and to members of the group 'wireless_users', make sure the client settings are set to User Authentication and the user is a member of the correct group.
6. Remember to always, always, always, always deselect 'Less Secure Authentication Methods' in the Network Policy.

:-)

If you find the logs, and they tell you nothing; post the logs here
You can also post a summary of Network Policy so we can take a look.

802.1X with NPS is in fact rather easy, so post the policy - and I'll give you a walkthrough
Craig Beck commented:
Jakob is correct - use the custom logs, not the text logs or the Windows System logs.

Also, can you confirm you're using a Network Access Policy and not a Connection Request Policy to authenticate users? You should be using a Network Access Policy for user authentication, not a Connection Request Policy.

The Connection Request Policy is used to tell the RADIUS server what types of authentications to process (not whether to allow or reject authentication). The Network Access Policy is the policy which is used to determine whether user access is granted.
Ryan Rood (Author) commented:
In the Windows Application Logs:

"Negotiation failed. No available EAP methods"

I did have both the Connection Request and Network Policies. I have disabled the Connection Request Policy.

So I retried to connect again ... and now I am not seeing anything in the Windows Logs. I can see it hitting it still because it is trying to authenticate.

"NPS","IAS",10/11/2013,08:04:32,1,"USER",,"C8-D3-A3-0F-B4-81:"Wireless RADIUS","C4-85-08-C9-FD-10",,,,"192.168.0.145",0,0,"192.168.0.145","Dlink Closet AP",,,19,"CONNECT 0Mbps 802.11a",,,,,0,"311 1 192.168.0.17 10/10/2013 19:58:53 6",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"NPS","IAS",10/11/2013,08:04:32,3,,,,,,,,,,0,"192.168.0.145","Dlink Closet AP",,,,,,,,,49,"311 1 192.168.0.17 10/10/2013 19:58:53 6",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"NPS","IAS",10/11/2013,08:05:41,1,"DOMAIN\USER",,"C8-D3-A3-0F-B4-81:"Wireless RADIUS","C4-85-08-C9-FD-10",,,,"192.168.0.145",0,0,"192.168.0.145","Dlink Closet AP",,,19,"CONNECT 0Mbps 802.11a",,,,,0,"311 1 192.168.0.17 10/10/2013 19:58:53 7",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"NPS","IAS",10/11/2013,08:05:41,3,,,,,,,,,,0,"192.168.0.145","Dlink Closet AP",,,,,,,,,49,"311 1 192.168.0.17 10/10/2013 19:58:53 7",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,



I have attached a picture of the NPS server policies.
Untitled.png
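The text log quoted above is in the NPS "IAS format", where the packet type is column 5 and the reason code column 26, so it does carry the rejection reason even though the Event Viewer entries are easier to read. As an added example (not part of the original thread and not Microsoft's code), the Python script below parses such lines and translates the packet type and reason code. It assumes the column positions of Microsoft's documented IAS layout, and its reason-code table is a partial, hand-written subset of Microsoft's NPS reason-code list. The sample input consists of the two Access-Reject lines quoted in the question (reason 22, "EAP type cannot be processed by the server", and reason 49, "no connection request policy matched") plus one constructed Access-Request line modelled on the question's, with the stray quotation mark removed.

```python
"""Triage helper for NPS text logs in IAS format (added example, not from the thread)."""
import csv
from dataclasses import dataclass
from typing import List, Optional

# 1-based column positions in the NPS "IAS format" log for the fields used here
# (assumed from Microsoft's documented layout; the other columns are ignored).
COL = {
    "date": 3, "time": 4, "packet_type": 5, "user_name": 6, "fq_user_name": 7,
    "called_station": 8, "calling_station": 9, "nas_ip": 13,
    "client_ip": 16, "client_friendly_name": 17, "nas_port_type": 20,
    "auth_type": 24, "policy_name": 25, "reason_code": 26,
}

# RADIUS packet types as NPS writes them in column 5.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}

# Partial list of NPS reason codes (column 26); the full table is in Microsoft's docs.
REASON_CODES = {
    0: "success",
    1: "internal error",
    2: "access denied",
    3: "malformed request",
    8: "no such user",
    16: "authentication failure (bad credentials)",
    22: "EAP type cannot be processed by the server (check NPS certificate / EAP settings)",
    34: "account disabled",
    36: "account locked out",
    48: "connection attempt did not match any network policy",
    49: "connection attempt did not match any connection request policy",
    65: "network access permission denied for the user account",
    66: "authentication method not enabled on the matching network policy",
}

# Sample input: the two reject lines quoted in the question plus one constructed
# Access-Request line (raw string, because the user name contains a backslash).
SAMPLE_LOG = r'''
"NPS","IAS",10/10/2013,16:01:01,3,,"DOMAINSHORTNAME\USER",,,,,,,,0,"192.168.0.145","Dlink Closet AP",,,,,,,5,"Secure Wireless Connections 2",22,"311 1 192.168.0.17 10/10/2013 19:58:53 5",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections 2",1,,,,
"NPS","IAS",10/11/2013,08:04:32,1,"USER",,"C8-D3-A3-0F-B4-81:Wireless RADIUS","C4-85-08-C9-FD-10",,,,"192.168.0.145",0,0,"192.168.0.145","Dlink Closet AP",,,19,"CONNECT 0Mbps 802.11a",,,,,0,"311 1 192.168.0.17 10/10/2013 19:58:53 6"
"NPS","IAS",10/11/2013,08:04:32,3,,,,,,,,,,0,"192.168.0.145","Dlink Closet AP",,,,,,,,,49,"311 1 192.168.0.17 10/10/2013 19:58:53 6",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
'''


@dataclass
class NpsRecord:
    date: str
    time: str
    packet_type: int
    user: str                  # User-Name if present, otherwise Fully-Qualified-User-Name
    calling_station: str       # the wireless client's MAC address
    client_ip: str             # the RADIUS client (access point) address
    client_friendly_name: str  # the name given to the RADIUS client in NPS
    policy_name: str           # network policy that matched, if any
    reason_code: int

    @property
    def packet_type_name(self) -> str:
        return PACKET_TYPES.get(self.packet_type, f"unknown({self.packet_type})")

    @property
    def reason_text(self) -> str:
        return REASON_CODES.get(self.reason_code, f"unknown reason {self.reason_code}")


def _col(fields: List[str], n: int) -> str:
    """Return 1-based column n, or '' when the line has fewer columns."""
    return fields[n - 1] if len(fields) >= n else ""


def _int(value: str, default: int = 0) -> int:
    """Parse a numeric column, tolerating empty fields."""
    return int(value) if value.strip().lstrip("-").isdigit() else default


def parse_ias_line(line: str) -> Optional[NpsRecord]:
    """Parse one IAS-format line; returns None for blank or non-NPS lines."""
    line = line.strip()
    if not line:
        return None
    fields = next(csv.reader([line], quotechar='"'))
    if _col(fields, 2) != "IAS":
        return None
    return NpsRecord(
        date=_col(fields, COL["date"]),
        time=_col(fields, COL["time"]),
        packet_type=_int(_col(fields, COL["packet_type"])),
        user=_col(fields, COL["user_name"]) or _col(fields, COL["fq_user_name"]),
        calling_station=_col(fields, COL["calling_station"]),
        client_ip=_col(fields, COL["client_ip"]),
        client_friendly_name=_col(fields, COL["client_friendly_name"]),
        policy_name=_col(fields, COL["policy_name"]),
        reason_code=_int(_col(fields, COL["reason_code"])),
    )


def rejections(text: str) -> List[NpsRecord]:
    """Return only the Access-Reject records from a block of log text."""
    records = (parse_ias_line(l) for l in text.splitlines())
    return [r for r in records if r is not None and r.packet_type == 3]


if __name__ == "__main__":
    for rec in rejections(SAMPLE_LOG):
        print(f"{rec.date} {rec.time} {rec.packet_type_name} user={rec.user!r} "
              f"client={rec.client_friendly_name} ({rec.client_ip}) "
              f"policy={rec.policy_name!r} reason={rec.reason_code}: {rec.reason_text}")
```

Run against a real log directory, the same `rejections()` filter groups rejects by reason code, which separates "policy never matched" (48/49) from "policy matched but EAP could not run" (22) and from plain bad-credential failures (16), each of which points at a different part of the NPS configuration.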

Ryan Rood (Author) commented:
Ok - so I added an extremely basic Connection Request Policy that says if you are wireless or 802.11 it is ok. It is now logged in Event Viewer. It allows this to pass. It seems to be getting stuck on the Network Policy.

See screen shot above for configuration settings. This should not be this difficult. I don't understand why this is not working or logging any sort of error information.

I am also seeing the following event(s) (many) under Applications and Services Logs Microsoft - Windows - EapHost:

Skipping: Unable to add EAP method. Friendly name not present. TypeId(21), AuthorId(311), VendorId(0), VendorType(0)



This is repeated many times ... could just be random but the EAP method mention is making me suspicious.
Craig Beck commented:
Have you issued a certificate to the server running NPS? It won't be able to process EAP-type authentication requests without a certificate.

If you don't have certificate services on your network you can install a self-signed certificate or purchase a 3rd-party certificate.

This might help...

http://technet.microsoft.com/en-us/library/cc754367.aspx
Ryan Rood (Author) commented:
Well - I was unaware a certificate was required for this ... so that makes more sense. I attempted to get a certificate issued and received the following error message:

Certificate enrollment for Local system failed to enroll for a RASandIASServer(2008) certificate with request ID 40 from dc4.REMOVED.ca\REMOVED-DC4-CA (The requested certificate template is not supported by this CA. 0x80094800 (-2146875392)).

Investigating possible reasons ... but suggestions are welcomed.
Craig Beck commented:
It's easier to create a GPO for the NPS server to automatically enrol the server. This is very easy...

http://technet.microsoft.com/en-us/library/cc731522.aspx
Ryan Rood (Author) commented:
I have done this and refreshed the policy ... where exactly would the certificate be located if it was installed?

I am looking currently in Certificate (Local Computer) - Personal - Certificates.
Ryan Rood (Author) commented:
Looking at the Enterprise CA - I can see a bunch of failed requests whenever I try to gpupdate ... it is attempting to load the certificate but not letting it go through. Similar error message as above.

The requested certificate template is not supported by this CA. 0x80094800 (-2146875392)



Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: 1.3.6.1.4.1.311.21.8.5086503.11190894.13650359.13201117.1698713.255.1.31(RAS and IAS Server).

Craig Beck commented:
"I am looking currently in Certificate (Local Computer) - Personal - Certificates."
That's correct.

This article will help with that...

http://social.technet.microsoft.com/Forums/windowsserver/en-US/cd46115a-a247-428f-ab9a-de05d1d5d9fe/2008-r2-servers-wont-autoenroll-certificates?forum=winserverDS
Ryan Rood (Author) commented:
The exact same thing is happening on both the Server 2008 R1 and Server 2012. So that would tell me that the CA Enterprise is the issue? Which would also mean that this article is not valid for the issue?
Craig Beck commented:
Well the article is still valid as it highlights some important things to look at.

The fact that this is happening on two separate servers with different OSes could mean a number of things, not just that it's more likely to be the CA.

I would check that no other similar certificates are installed on the two servers, and that the permissions are configured correctly for the certificate template.

When you applied for a certificate, which type of certificate did you request?
Ryan Rood (Author) commented:
I applied for the "Computer" which accepted and the RAS and IAS Server which declined.

I will go back and review the link in more detail. On first glance I didn't see much, and the OSes being referenced did not seem to jibe with what I had stated.

I did double check the permissions ... I have authenticated users and the actual NPS computers all with read, enroll and auto enroll.
ras-error.png
Craig Beck commented:
A RAS and IAS server cert isn't a Computer cert. Also that looks like manual enrolment, not auto enrolment via GPO.
Ryan Rood (Author) commented:
Ok I am slightly confused then ... which cert am I installing to get NPS to work using RADIUS auth?
Craig Beck commented:
Just a Computer certificate.
Ryan Rood (Author) commented:
Ok - this one has a computer certificate issued. It is in the place mentioned prior. NPS connections are not showing the EAP errors that were present earlier. That being said it still errors out ... and I don't see any actual errors in the NPS section or event viewer. RADIUS still shows the connection attempts. I can see the connection for the first policy granting access with no user checking. Where should I be looking to troubleshoot this?
Craig Beck commented:
You should see success events in the Custom NPS logs. They will tell you which policy provided authentication and the detail.

In the Network Access Policy you should select the Computer certificate when you configure the EAP Authentication. If you don't do this you won't process any EAP-type logons.
Ryan Rood (Author) commented:
The certificate says it is installed and valid.

Connection Request Policy is granting and logging that it is granting access (logged under Network Policy and Access Services).

Still getting the following error under Applications and Services Logs - Microsoft - Windows - EAPHost:

Skipping: Unable to add EAP method. Friendly name not present. TypeId(21), AuthorId(311), VendorId(0), VendorType(0)

It would now appear that this is not an AP issue ... but an NPS issue. The firewall is disabled and there is no AV on this machine yet. No firewalls or anything in between currently.
Craig Beck commented:
Do you have a Network Access Policy as well as a Connection Request Policy, or do you just have a Connection Request Policy?
Ryan Rood (Author) commented:
Both - the first one just says allow all. I have disabled it, but it makes no difference either way.
Craig Beck commented:
The connection request policy must be configured to process all EAP logins locally on this server.

The network access policy must be configured with authentication conditions matching EAP (smart-card or certificate) or PEAP.
Ryan Rood (Author) commented:
craigbeck: Thank you very much for your assistance and sticking with me. Your instructions led me down the path to get additional error information, and there were other configuration issues. Everything is now working thanks to your guidance. :)
Craig Beck commented:
No probs... glad to help :-)