Solved

Requested EAP methods not available

Posted on 2014-10-03
Last Modified: 2014-10-07
I am having trouble getting a wireless Access point (Cisco AIR-AP1242AG-N-K9) to authenticate our users through Active Directory when they log in. This started happening about a month ago and I am unsure of why.

I have a Domain controller running Windows Server 2008 R2, NPS, Active Directory Certificate Services, DNS Server, AD Domain Services that the Access point is supposed to authenticate through.

The error I am receiving from Event Viewer is:
Negotiation failed. Requested EAP methods not available


The NPS Log shows:
<Event><Timestamp data_type="4">10/03/2014 09:08:06.888</Timestamp><Computer-Name data_type="1">AD2008</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">jdykstra</User-Name><Framed-MTU data_type="0">1400</Framed-MTU><Called-Station-Id data_type="1">003a.99c4.ae80</Called-Station-Id><Calling-Station-Id data_type="1">5894.6b43.e9d0</Calling-Station-Id><Service-Type data_type="0">1</Service-Type><NAS-Port-Type data_type="0">19</NAS-Port-Type><NAS-Port data_type="0">363</NAS-Port><NAS-IP-Address data_type="3">192.168.9.75</NAS-IP-Address><NAS-Identifier data_type="1">annex-wifi</NAS-Identifier><Client-IP-Address data_type="3">192.168.9.75</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WirelessAnnex</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CO\jdykstra</SAM-Account-Name><Class data_type="1">311 1 192.168.9.31 10/03/2014 14:00:45 35</Class><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">NetMotion</NP-Policy-Name><Fully-Qualifed-User-Name data_type="1">co.walker.tx.us/Information Technology/Jason Dykstra</Fully-Qualifed-User-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

I believe the AP is reaching the RADIUS server, but something is wrong with EAP or Certificates. I am not versed in Certificates enough to do anything but cause problems. This may be why we are having the issue. I tried to create a certificate for a Cisco Unity and Callmanager LDAP integration for SSL and was not able to get it to work. I am not sure this is what broke it, but I have spent 2 days searching for answers and would like some help if possible.

I did not set up the AP from the start; I am coming into this already set up. I have not had a chance to really get my head around the setup and how they all talk to each other. So please bear with me if I have questions on how to do something.
0
Question by:WalkerCountyTX
11 Comments
 
LVL 46

Expert Comment

by:Craig Beck
ID: 40360950
Can you post a screenshot of the different tabs in your network access policy?
0
 

Author Comment

by:WalkerCountyTX
ID: 40364529
By this, do you mean the tabs on my Wireless AP....or the NPS information?

I have attached a screen of the Network policies in my NPS if that is what you mean.
NPS.jpg
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 40364572
That's a start.

Can you open that policy and go to the Constraints tab, then screenshot the Authentication Methods?  Also, click 'Edit' on the method(s) you have there and screenshot those please.
0
 

Author Comment

by:WalkerCountyTX
ID: 40364621
As requested
The Picture that shows the method information has the domain edited to show Domain Server.Domain
NPSWirelessConstraints.jpg
NPSWirelessConstraintsEdit.jpg
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 40364733
In the first image - you don't want any boxes ticked.

Can you change that, then try to reconnect?

Can you go to the Custom logs on the NPS server and pull a record from there, instead of the standard NPS entries in the system or security logs please?  Just copy/paste without the XML stuff.
0
 

Author Comment

by:WalkerCountyTX
ID: 40364756
I unchecked the box as you requested and still could not connect. Here is the log for the failed attempt from the custom logs on the server (Minus the XML stuff :)  )

I notice that it gives me the Client Friendly Name:            WirelessAnnex
Then it shows the Network Policy Name:            NetMotion

The network policy should be Wireless Users I think.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/6/2014 4:00:14 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      AD2008.co.walker.tx.us
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  CO\jdykstra
      Account Name:                  jdykstra
      Account Domain:                  CO
      Fully Qualified Account Name:      co.walker.tx.us/Information Technology/Jason Dykstra

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            003a.99c4.ae80
      Calling Station Identifier:            5894.6b43.e9d0

NAS:
      NAS IPv4 Address:            192.168.9.75
      NAS IPv6 Address:            -
      NAS Identifier:                  annex-wifi
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  480

RADIUS Client:
      Client Friendly Name:            WirelessAnnex
      Client IP Address:                  192.168.9.75

Authentication Details:
      Connection Request Policy Name:      Use Windows authentication for all users
      Network Policy Name:            NetMotion
      Authentication Provider:            Windows
      Authentication Server:            AD2008.co.walker.tx.us
      Authentication Type:            EAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  22
      Reason:                        The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
0
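Added example, not part of the original thread: a small Python triage of an Event ID 6273 description that extracts the RADIUS client, the network policy that actually matched, and the reason code, then flags a request that landed in the wrong policy. The sample text is constructed from the fields in the log above; the client-to-policy mapping in EXPECTED_POLICY is an assumption based on the poster's remark that the policy should be Wireless Users.

```python
import re

# Constructed sample: the relevant fields of the Event ID 6273 text quoted above.
SAMPLE_6273 = """\
NAS:
      NAS Port-Type:                  Wireless - IEEE 802.11
RADIUS Client:
      Client Friendly Name:            WirelessAnnex
      Client IP Address:                  192.168.9.75
Authentication Details:
      Connection Request Policy Name:      Use Windows authentication for all users
      Network Policy Name:            NetMotion
      Authentication Type:            EAP
      EAP Type:                  -
      Reason Code:                  22
"""

# Assumption: the network policy each RADIUS client is meant to match.
EXPECTED_POLICY = {"WirelessAnnex": "Wireless Users"}

# "Field Name:   value" on one line; section headers ("NAS:") have no value
# after the colon and are skipped.
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z0-9 -]*?):[ \t]+(\S.*?)[ \t]*$", re.M)

def parse_event(text):
    """Return {field name: value}; a repeated field name keeps its last value."""
    return {key.strip(): value for key, value in FIELD.findall(text)}

def triage(text, expected=EXPECTED_POLICY):
    """Return a list of findings for one denied-access event."""
    ev = parse_event(text)
    findings = []
    client = ev.get("Client Friendly Name")
    matched = ev.get("Network Policy Name")
    want = expected.get(client)
    if want and matched != want:
        findings.append(f"{client}: matched policy '{matched}', expected '{want}'")
    if ev.get("Reason Code") == "22":
        findings.append("Reason Code 22: EAP type cannot be processed; "
                        "check the EAP methods of the matched policy")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_6273):
        print(finding)
```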
 
LVL 46

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 40364861
The authentication request is falling into the NetMotion policy.

Can you move the "Wireless Users" rule above the "NetMotion" rule and try again, but also test whatever uses the "NetMotion" authentication rule too?
0
 

Author Comment

by:WalkerCountyTX
ID: 40365859
Instead of moving Wireless Users policy above the NetMotion Policy I removed myself from the NetMotion Users group. I was then able to authenticate with the Wireless AP. I did it this way because the NetMotion Policy is important and I do not want to disrupt service. I will have to get with the office that uses it to schedule a time for testing.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 40365913
Ok that's fair enough.  You may need to add extra conditions to more specifically match users to each policy.
0
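Added example, not part of the original thread: a simplified Python model of the ordered, first-match policy processing behind the accepted solution and the "extra conditions" suggestion above. The Policy class, the group name "Domain Users", the EAP type names and the VPN port type are hypothetical stand-ins; the real conditions were only visible in the poster's screenshots.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    groups: set          # condition: user is in at least one of these groups
    eap_methods: set     # constraint: EAP types this policy will negotiate
    nas_port_types: set = field(default_factory=set)  # condition; empty = any

def evaluate(policies, user_groups, nas_port_type, eap_type):
    """The first policy whose conditions match decides; there is no fall-through."""
    for p in policies:
        if not (p.groups & user_groups):
            continue
        if p.nas_port_types and nas_port_type not in p.nas_port_types:
            continue
        if eap_type in p.eap_methods:
            return p.name, "accept"
        return p.name, "reject, reason code 22"
    return None, "reject, no matching policy"

# Assumed values: every group except "NetMotion Users", the EAP types, the VPN port type.
WIFI, VPN = "Wireless - IEEE 802.11", "Virtual (VPN)"
netmotion = Policy("NetMotion", {"NetMotion Users"}, {"EAP-TLS"})
wireless = Policy("Wireless Users", {"Domain Users"}, {"PEAP"})
wireless_scoped = Policy("Wireless Users", {"Domain Users"}, {"PEAP"}, {WIFI})
both = {"NetMotion Users", "Domain Users"}

def scenarios():
    """Each entry is (matched policy, decision) for one ordering and request."""
    return {
        "as posted": evaluate([netmotion, wireless], both, WIFI, "PEAP"),
        "left the group": evaluate([netmotion, wireless], {"Domain Users"}, WIFI, "PEAP"),
        "reordered, wifi": evaluate([wireless, netmotion], both, WIFI, "PEAP"),
        "reordered, vpn": evaluate([wireless, netmotion], both, VPN, "EAP-TLS"),
        "scoped, vpn": evaluate([wireless_scoped, netmotion], both, VPN, "EAP-TLS"),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:16} -> {result}")
```

Under these assumptions, "reordered, vpn" shows why the NetMotion side has to be retested after the move, and "scoped, vpn" shows a NAS port type condition keeping each request in its own policy.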
 

Author Comment

by:WalkerCountyTX
ID: 40366884
My counterparts and I decided to go ahead and move the wireless above the NetMotion and we are testing; so far today we have not seen any issues. I want to thank you for helping me step through this issue  :)

It has been a learning experience for us.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 40367067
My pleasure 😊
0
