

Requested EAP methods not available

Posted on 2014-10-03
Medium Priority
Last Modified: 2014-10-07
I am having trouble getting a wireless Access point (Cisco AIR-AP1242AG-N-K9) to authenticate our users through Active Directory when they log in. This started happening about a month ago and I am unsure of why.

I have a Domain controller running Windows Server 2008 R2, NPS, Active Directory Certificate Services, DNS Server, AD Domain Services that the Access point is supposed to authenticate through.

The error I am receiving from Event Viewer is:
Negotiation failed. Requested EAP methods not available

The NPS Log shows:
<Event>
  <Timestamp data_type="4">10/03/2014 09:08:06.888</Timestamp>
  <Computer-Name data_type="1">AD2008</Computer-Name>
  <Event-Source data_type="1">IAS</Event-Source>
  <User-Name data_type="1">jdykstra</User-Name>
  <Framed-MTU data_type="0">1400</Framed-MTU>
  <Called-Station-Id data_type="1">003a.99c4.ae80</Called-Station-Id>
  <Calling-Station-Id data_type="1">5894.6b43.e9d0</Calling-Station-Id>
  <Service-Type data_type="0">1</Service-Type>
  <NAS-Port-Type data_type="0">19</NAS-Port-Type>
  <NAS-Port data_type="0">363</NAS-Port>
  <NAS-IP-Address data_type="3"></NAS-IP-Address>
  <NAS-Identifier data_type="1">annex-wifi</NAS-Identifier>
  <Client-IP-Address data_type="3"></Client-IP-Address>
  <Client-Vendor data_type="0">0</Client-Vendor>
  <Client-Friendly-Name data_type="1">WirelessAnnex</Client-Friendly-Name>
  <Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
  <Provider-Type data_type="0">1</Provider-Type>
  <SAM-Account-Name data_type="1">CO\jdykstra</SAM-Account-Name>
  <Class data_type="1">311 1 10/03/2014 14:00:45 35</Class>
  <Authentication-Type data_type="0">5</Authentication-Type>
  <NP-Policy-Name data_type="1">NetMotion</NP-Policy-Name>
  <Fully-Qualifed-User-Name data_type="1">co.walker.tx.us/Information Technology/Jason Dykstra</Fully-Qualifed-User-Name>
  <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
  <Packet-Type data_type="0">1</Packet-Type>
  <Reason-Code data_type="0">0</Reason-Code>
</Event>

I believe the AP is reaching the Radius server, but something is wrong with EAP or Certificates. I am not versed in Certificates enough to do anything but cause problems. This may be why we are having the issue. I tried to create a certificate for a Cisco Unity and Callmanager LDAP integration for SSL and was not able to get it to work. I am not sure this is what broke it, but I have spent 2 days searching for answers and would like some help if possible.

I did not set up the AP from the start; I am coming into this already set up. I have not had a chance to really get my head around the setup and how they all talk to each other. So please bear with me if I have questions on how to do something.
Question by:WalkerCountyTX
LVL 47

Expert Comment

by:Craig Beck
ID: 40360950
Can you post a screenshot of the different tabs in your network access policy?

Author Comment

ID: 40364529
By this, do you mean the tabs on my Wireless AP....or the NPS information?

I have attached a screen of the Network policies in my NPS if that is what you mean.
LVL 47

Expert Comment

by:Craig Beck
ID: 40364572
That's a start.

Can you open that policy and go to the Constraints tab, then screenshot the Authentication Methods?  Also, click 'Edit' on the method(s) you have there and screenshot those please.


Author Comment

ID: 40364621
As requested
The Picture that shows the method information has the domain edited to show Domain Server.Domain
LVL 47

Expert Comment

by:Craig Beck
ID: 40364733
In the first image - you don't want any boxes ticked.

Can you change that, then try to reconnect?

Can you go to the Custom logs on the NPS server and pull a record from there, instead of the standard NPS entries in the system or security logs please?  Just copy/paste without the XML stuff.

Author Comment

ID: 40364756
I unchecked the box as you requested and still could not connect. Here is the log for the failed attempt from the custom logs on the server (Minus the XML stuff :)  )

I notice that it gives me the Client Friendly Name:            WirelessAnnex
Then it shows the Network Policy Name:            NetMotion

The network policy should be Wireless Users I think.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/6/2014 4:00:14 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      AD2008.co.walker.tx.us
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

      Security ID:                  CO\jdykstra
      Account Name:                  jdykstra
      Account Domain:                  CO
      Fully Qualified Account Name:      co.walker.tx.us/Information Technology/Jason Dykstra

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            003a.99c4.ae80
      Calling Station Identifier:            5894.6b43.e9d0

      NAS IPv4 Address:  
      NAS IPv6 Address:            -
      NAS Identifier:                  annex-wifi
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  480

RADIUS Client:
      Client Friendly Name:            WirelessAnnex
      Client IP Address:        

Authentication Details:
      Connection Request Policy Name:      Use Windows authentication for all users
      Network Policy Name:            NetMotion
      Authentication Provider:            Windows
      Authentication Server:            AD2008.co.walker.tx.us
      Authentication Type:            EAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  22
      Reason:                        The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
LVL 47

Accepted Solution

Craig Beck earned 2000 total points
ID: 40364861
The authentication request is falling into the NetMotion policy.

Can you move the "Wireless Users" rule above the "NetMotion" rule and try again, but also test whatever uses the "NetMotion" authentication rule too?
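
Added example (not part of the original thread or any poster's code): a Python check over NPS XML log records shaped like the one in the question, flagging requests whose NAS-Port-Type landed in a network policy other than the expected one, which is the condition identified above. The expected-policy mapping, the helper names and the sample records are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Assumption: the network policy each NAS-Port-Type should match.
# 19 = Wireless - IEEE 802.11, the value in the question's log record.
EXPECTED_POLICY = {"19": "Wireless Users"}

def _rec(user, port_type, client, policy, packet_type, reason):
    """Build one constructed record using element names from the question's log."""
    fields = [("User-Name", "1", user), ("NAS-Port-Type", "0", port_type),
              ("NAS-IP-Address", "3", ""), ("Client-Friendly-Name", "1", client),
              ("NP-Policy-Name", "1", policy),
              ("Packet-Type", "0", packet_type), ("Reason-Code", "0", reason)]
    return "<Event>" + "".join(
        f'<{n} data_type="{t}">{v}</{n}>' for n, t, v in fields) + "</Event>"

# Constructed sample log: NPS writes one <Event> per line; users are placeholders.
# Packet-Type: 1 = Access-Request, 2 = Access-Accept, 3 = Access-Reject.
SAMPLE_LOG = "\n".join([
    _rec("user-a", "19", "WirelessAnnex", "NetMotion", "1", "0"),
    _rec("user-a", "19", "WirelessAnnex", "NetMotion", "3", "22"),  # wrong policy
    _rec("user-b", "19", "WirelessAnnex", "Wireless Users", "1", "0"),
    _rec("user-b", "19", "WirelessAnnex", "Wireless Users", "2", "0"),
    _rec("user-c", "5", "VpnGateway", "NetMotion", "2", "0"),  # no expectation set
])

def parse_event(line):
    """Map element name -> text for one <Event> record (empty elements become '')."""
    return {el.tag: (el.text or "") for el in ET.fromstring(line)}

def misrouted(log_text, expected=EXPECTED_POLICY):
    """Return final responses (accept or reject) that matched an unexpected policy."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("<Event>"):
            continue
        ev = parse_event(line)
        want = expected.get(ev.get("NAS-Port-Type"))
        got = ev.get("NP-Policy-Name")
        # Skip Access-Request rows so each authentication is reported once.
        if ev.get("Packet-Type") in ("2", "3") and want and got and got != want:
            findings.append({"user": ev.get("User-Name"),
                             "client": ev.get("Client-Friendly-Name"),
                             "matched": got, "expected": want,
                             "reason_code": ev.get("Reason-Code")})
    return findings

if __name__ == "__main__":
    for finding in misrouted(SAMPLE_LOG):
        print(finding)
```

An accept under the wrong policy is flagged as well as a reject, because the session was then granted under that policy's constraints and settings.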

Author Comment

ID: 40365859
Instead of moving Wireless Users policy above the NetMotion Policy I removed myself from the NetMotion Users group. I was then able to authenticate with the Wireless AP. I did it this way because the NetMotion Policy is important and I do not want to disrupt service. I will have to get with the office that uses it to schedule a time for testing.
LVL 47

Expert Comment

by:Craig Beck
ID: 40365913
Ok that's fair enough.  You may need to add extra conditions to more specifically match users to each policy.

Author Comment

ID: 40366884
My counterparts and I decided to go ahead and move the wireless above the NetMotion and we are testing; so far today we have not seen any issues. I want to thank you for helping me step through this issue :)

It has been a learning experience for us.
LVL 47

Expert Comment

by:Craig Beck
ID: 40367067
My pleasure 😊


Question has a verified solution.
