Solved

Requested EAP methods not available

Posted on 2014-10-03
11
1,369 Views
Last Modified: 2014-10-07
I am having trouble getting a wireless Access point (Cisco AIR-AP1242AG-N-K9) to authenticate our users through Active Directory when they log in. This started happening about a month ago and I am unsure of why.

I have a Domain controller running Windows Server 2008 R2, NPS, Active Directory Certificate Services, DNS Server, AD Domain Services that the Access point is supposed to authenticate through.

The error I am receiving from Event Viewer is:
Negotiation failed. Requested EAP methods not available


The NPS Log shows:
<Event><Timestamp data_type="4">10/03/2014 09:08:06.888</Timestamp><Computer-Name data_type="1">AD2008</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">jdykstra</User-Name><Framed-MTU data_type="0">1400</Framed-MTU><Called-Station-Id data_type="1">003a.99c4.ae80</Called-Station-Id><Calling-Station-Id data_type="1">5894.6b43.e9d0</Calling-Station-Id><Service-Type data_type="0">1</Service-Type><NAS-Port-Type data_type="0">19</NAS-Port-Type><NAS-Port data_type="0">363</NAS-Port><NAS-IP-Address data_type="3">192.168.9.75</NAS-IP-Address><NAS-Identifier data_type="1">annex-wifi</NAS-Identifier><Client-IP-Address data_type="3">192.168.9.75</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WirelessAnnex</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CO\jdykstra</SAM-Account-Name><Class data_type="1">311 1 192.168.9.31 10/03/2014 14:00:45 35</Class><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">NetMotion</NP-Policy-Name><Fully-Qualifed-User-Name data_type="1">co.walker.tx.us/Information Technology/Jason Dykstra</Fully-Qualifed-User-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

I believe the AP is reaching the Radius server, but something is wrong with EAP or Certificates. I am not versed in Certificates enough to do anything but cause problems. This may be why we are having the issue. I tried to create a certificate for a Cisco Unity and Callmanager LDAP integration for SSL and was not able to get it to work. I am not sure this is what broke it, but I have spent 2 days searching for answers and would like some help if possible.

I did not setup the AP from the start, I am coming into this already setup. I have not had a chance to really get my head around the setup and how they all talk to each other. So please bear with me if I have questions on how to do something.
0
Comment
Question by:WalkerCountyTX
  • 6
  • 5
11 Comments
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40360950
Can you post a screenshot of the different tabs in your network access policy?
0
 

Author Comment

by:WalkerCountyTX
ID: 40364529
By this, do you mean the tabs on my Wireless AP....or the NPS information?

I have attached a screen of the Network policies in my NPS if that is what you mean.
NPS.jpg
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40364572
That's a start.

Can you open that policy and go to the Constraints tab, then screenshot the Authentication Methods?  Also, click 'Edit' on the method(s) you have there and screenshot those please.
0
 

Author Comment

by:WalkerCountyTX
ID: 40364621
As requested
The Picture that shows the method information has the domain edited to show Domain Server.Domain
NPSWirelessConstraints.jpg
NPSWirelessConstraintsEdit.jpg
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40364733
In the first image - you don't want any boxes ticked.

Can you change that, then try to reconnect?

Can you go to the Custom logs on the NPS server and pull a record from there, instead of the standard NPS entries in the system or security logs please?  Just copy/paste without the XML stuff.
0
Free camera licenses with purchase of My Cloud NAS

Milestone Arcus software is compatible with thousands of industry-leading cameras for added flexibility. Upon installation on your My Cloud NAS, you will receive two (2) camera licenses already enabled in the software. And for a limited time, get additional camera licenses FREE.

 

Author Comment

by:WalkerCountyTX
ID: 40364756
I unchecked the box as you requested and still could not connect. Here is the log for the failed attempt from the custom logs on the server (Minus the XML stuff :)  )

I notice that it gives me the Client Friendly Name:            WirelessAnnex
Then it shows the Network Policy Name:            NetMotion

The network policy should be Wireless Users I think.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/6/2014 4:00:14 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      AD2008.co.walker.tx.us
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  CO\jdykstra
      Account Name:                  jdykstra
      Account Domain:                  CO
      Fully Qualified Account Name:      co.walker.tx.us/Information Technology/Jason Dykstra

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            003a.99c4.ae80
      Calling Station Identifier:            5894.6b43.e9d0

NAS:
      NAS IPv4 Address:            192.168.9.75
      NAS IPv6 Address:            -
      NAS Identifier:                  annex-wifi
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  480

RADIUS Client:
      Client Friendly Name:            WirelessAnnex
      Client IP Address:                  192.168.9.75

Authentication Details:
      Connection Request Policy Name:      Use Windows authentication for all users
      Network Policy Name:            NetMotion
      Authentication Provider:            Windows
      Authentication Server:            AD2008.co.walker.tx.us
      Authentication Type:            EAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  22
      Reason:                        The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 40364861
The authentication request is falling into the NetMotion policy.

Can you move the "Wireless Users" rule above the "NetMotion" rule and try again, but also test whatever uses the "NetMotion" authentication rule too?
0
 

Author Comment

by:WalkerCountyTX
ID: 40365859
Instead of moving Wireless Users policy above the NetMotion Policy I removed myself from the NetMotion Users group. I was then able to authenticate with the Wireless AP. I did it this was because the NetMotion Policy is important and I do nto want to disrupt service. I will have to get with the office that uses it to schedule a time for testing.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40365913
Ok that's fair enough.  You may need to add extra conditions to more specifically match users to each policy.
0
 

Author Comment

by:WalkerCountyTX
ID: 40366884
My counterparts and myself decided to go ahead and move the wireless above the NetMotion and we are testing, so far today we have not seen any issues. I want to thank you for helping me step through this issue  :)

It has been a learning experience for us.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40367067
My pleasure 😊
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now