  • Status: Solved

Requested EAP methods not available

I am having trouble getting a wireless Access point (Cisco AIR-AP1242AG-N-K9) to authenticate our users through Active Directory when they log in. This started happening about a month ago and I am unsure of why.

I have a Domain controller running Windows Server 2008 R2, NPS, Active Directory Certificate Services, DNS Server, AD Domain Services that the Access point is supposed to authenticate through.

The error I am receiving from Event Viewer is:
Negotiation failed. Requested EAP methods not available


The NPS Log shows:
<Event><Timestamp data_type="4">10/03/2014 09:08:06.888</Timestamp><Computer-Name data_type="1">AD2008</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">jdykstra</User-Name><Framed-MTU data_type="0">1400</Framed-MTU><Called-Station-Id data_type="1">003a.99c4.ae80</Called-Station-Id><Calling-Station-Id data_type="1">5894.6b43.e9d0</Calling-Station-Id><Service-Type data_type="0">1</Service-Type><NAS-Port-Type data_type="0">19</NAS-Port-Type><NAS-Port data_type="0">363</NAS-Port><NAS-IP-Address data_type="3">192.168.9.75</NAS-IP-Address><NAS-Identifier data_type="1">annex-wifi</NAS-Identifier><Client-IP-Address data_type="3">192.168.9.75</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WirelessAnnex</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CO\jdykstra</SAM-Account-Name><Class data_type="1">311 1 192.168.9.31 10/03/2014 14:00:45 35</Class><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">NetMotion</NP-Policy-Name><Fully-Qualifed-User-Name data_type="1">co.walker.tx.us/Information Technology/Jason Dykstra</Fully-Qualifed-User-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

I believe the AP is reaching the RADIUS server, but something is wrong with EAP or Certificates. I am not versed in Certificates enough to do anything but cause problems. This may be why we are having the issue. I tried to create a certificate for a Cisco Unity and CallManager LDAP integration for SSL and was not able to get it to work. I am not sure this is what broke it, but I have spent 2 days searching for answers and would like some help if possible.

I did not set up the AP from the start, I am coming into this already set up. I have not had a chance to really get my head around the setup and how they all talk to each other. So please bear with me if I have questions on how to do something.
0
WalkerCountyTX
Asked:
1 Solution
 
Craig BeckCommented:
Can you post a screenshot of the different tabs in your network access policy?
0
 
WalkerCountyTXAuthor Commented:
By this, do you mean the tabs on my Wireless AP....or the NPS information?

I have attached a screen of the Network policies in my NPS if that is what you mean.
NPS.jpg
0
 
Craig BeckCommented:
That's a start.

Can you open that policy and go to the Constraints tab, then screenshot the Authentication Methods?  Also, click 'Edit' on the method(s) you have there and screenshot those please.
0
 
WalkerCountyTXAuthor Commented:
As requested
The Picture that shows the method information has the domain edited to show Domain Server.Domain
NPSWirelessConstraints.jpg
NPSWirelessConstraintsEdit.jpg
0
 
Craig BeckCommented:
In the first image - you don't want any boxes ticked.

Can you change that, then try to reconnect?

Can you go to the Custom logs on the NPS server and pull a record from there, instead of the standard NPS entries in the system or security logs please?  Just copy/paste without the XML stuff.
0
 
WalkerCountyTXAuthor Commented:
I unchecked the box as you requested and still could not connect. Here is the log for the failed attempt from the custom logs on the server (Minus the XML stuff :)  )

I notice that it gives me the Client Friendly Name:            WirelessAnnex
Then it shows the Network Policy Name:            NetMotion

The network policy should be Wireless Users I think.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/6/2014 4:00:14 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      AD2008.co.walker.tx.us
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  CO\jdykstra
      Account Name:                  jdykstra
      Account Domain:                  CO
      Fully Qualified Account Name:      co.walker.tx.us/Information Technology/Jason Dykstra

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            003a.99c4.ae80
      Calling Station Identifier:            5894.6b43.e9d0

NAS:
      NAS IPv4 Address:            192.168.9.75
      NAS IPv6 Address:            -
      NAS Identifier:                  annex-wifi
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  480

RADIUS Client:
      Client Friendly Name:            WirelessAnnex
      Client IP Address:                  192.168.9.75

Authentication Details:
      Connection Request Policy Name:      Use Windows authentication for all users
      Network Policy Name:            NetMotion
      Authentication Provider:            Windows
      Authentication Server:            AD2008.co.walker.tx.us
      Authentication Type:            EAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  22
      Reason:                        The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
0
 
Craig BeckCommented:
The authentication request is falling into the NetMotion policy.

Can you move the "Wireless Users" rule above the "NetMotion" rule and try again, but also test whatever uses the "NetMotion" authentication rule too?
0
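An added example, not part of the original thread or written by its participants: a Python check over NPS XML log records that lists wireless requests (NAS-Port-Type 19) matched by a network policy other than the intended one, which is the condition diagnosed above. The function names, the sample records and the `VpnGateway` client are constructed for illustration; the field names follow the log record posted in the question, and "Wireless Users" is taken from the thread as the intended policy.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

WIRELESS_80211 = "19"  # NAS-Port-Type value for Wireless - IEEE 802.11

# Constructed sample records (not from the thread); the last one is truncated on purpose.
SAMPLE_LOG = """\
<Event><User-Name data_type="1">user1</User-Name><NAS-Port-Type data_type="0">19</NAS-Port-Type><Client-Friendly-Name data_type="1">WirelessAnnex</Client-Friendly-Name><NP-Policy-Name data_type="1">NetMotion</NP-Policy-Name></Event>
<Event><User-Name data_type="1">user2</User-Name><NAS-Port-Type data_type="0">19</NAS-Port-Type><Client-Friendly-Name data_type="1">WirelessAnnex</Client-Friendly-Name><NP-Policy-Name data_type="1">Wireless Users</NP-Policy-Name></Event>
<Event><User-Name data_type="1">user3</User-Name><NAS-Port-Type data_type="0">5</NAS-Port-Type><Client-Friendly-Name data_type="1">VpnGateway</Client-Friendly-Name><NP-Policy-Name data_type="1">NetMotion</NP-Policy-Name></Event>
<Event><User-Name data_type="1">user1</User-Name><NAS-Port-Type data_type="0">19</NAS-Port-Type><Client-Friendly-Name data_type="1">WirelessAnnex</Client-Friendly-Name><NP-Policy-Name data_type="1">NetMotion</NP-Policy-Name></Event>
<Event><User-Name data_type="1">user4</User-Name><NAS-Port-Type data_type="0">19</NAS-Port-Type><Client-Friendly-Name data_type="1">WirelessAnnex</Client-Friendly-Name><NP-Policy-Name data_type="1">NetMotion</NP-Policy-Name></Event>
<Event><User-Name data_type="1">user5</User-Name><NAS-Port-Ty
"""


def parse_records(text):
    """Yield one {field: value} dict per <Event> line; skip blank or damaged lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = ET.fromstring(line)
        except ET.ParseError:
            continue  # partially written or truncated record
        yield {child.tag: (child.text or "") for child in event}


def misrouted_wireless(text, expected_policy="Wireless Users"):
    """Map (RADIUS client, matched policy) -> sorted users for wireless requests
    that were matched by a network policy other than expected_policy."""
    hits = defaultdict(set)
    for rec in parse_records(text):
        if rec.get("NAS-Port-Type") != WIRELESS_80211:
            continue  # not an 802.11 request (e.g. 5 = Virtual)
        policy = rec.get("NP-Policy-Name")
        if policy is None or policy == expected_policy:
            continue
        key = (rec.get("Client-Friendly-Name", "?"), policy)
        hits[key].add(rec.get("User-Name", "?"))
    return {key: sorted(users) for key, users in hits.items()}


if __name__ == "__main__":
    for (client, policy), users in misrouted_wireless(SAMPLE_LOG).items():
        print(f"{client}: wireless requests matched '{policy}' for {', '.join(users)}")
```

A non-empty result points at policy ordering or overlapping policy conditions rather than at the EAP or certificate configuration of the intended policy.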
 
WalkerCountyTXAuthor Commented:
Instead of moving Wireless Users policy above the NetMotion Policy I removed myself from the NetMotion Users group. I was then able to authenticate with the Wireless AP. I did it this way because the NetMotion Policy is important and I do not want to disrupt service. I will have to get with the office that uses it to schedule a time for testing.
0
 
Craig BeckCommented:
Ok that's fair enough.  You may need to add extra conditions to more specifically match users to each policy.
0
 
WalkerCountyTXAuthor Commented:
My counterparts and myself decided to go ahead and move the wireless above the NetMotion and we are testing, so far today we have not seen any issues. I want to thank you for helping me step through this issue  :)

It has been a learning experience for us.
0
 
Craig BeckCommented:
My pleasure 😊
0
