Wireless Authentication with RADIUS

Nathan Lindley
Hi Experts,

I am looking for some assistance with configuring a Windows Server 2012 RADIUS server. We want it to make users authenticate to get on our wireless networks, and if we are successful with this, we may also configure it for our HP ProCurve Aruba 2920 switches.

But first, I would like to get this working with our Ubiquiti wireless network system.

Steps that I have completed so far:

Set up a brand new (virtual) WinSVR 2012 R2 Std box
Configured the Active Directory Certificate Services role
Installed a certificate authority
Configured the Network Access Protection role
Registered the server in Active Directory by right-clicking NPS (Local) and selecting the register option
Set up the RADIUS clients (our access point management server)
Changed the standard configuration to "RADIUS server for 802.1X Wireless or Wired Connections" and set the EAP type to Microsoft: Secured password (EAP-MSCHAP v2)
Linked a security group configured in AD for authentication
Specified the RADIUS server details in our AP interface for a wireless network

When a computer attempts to connect to the wireless network, I do get the login box. I then log in with a user that is included in the configured security group, but this just fails to connect.

I've noticed in a lot of videos on YouTube that there is some certificate configuration required.

If I open the Certificates snap-in via MMC on the RADIUS server, select the computer account, browse down to Personal > Certificates, right-click and select 'Request New Certificate', I am only given the option to select 'Computer' in the request wizard, but apparently I should be able to see 'Domain Controller'.

When requesting a certificate from our AD, I am only getting 'Computer' as a choice.
Please can someone advise what I may have missed?
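An added example, not part of the original question, of checking from PowerShell on the NPS server which machine certificates are actually usable for PEAP and which root they chain to. Nothing in it is taken from the thread except the observation that the enrollment wizard offers only the Computer template; the template name, store paths and the enterprise CA are assumptions about a standard ADCS domain.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# NPS server (Windows Server 2012 R2; uses the built-in PKI module).

# PEAP needs a machine certificate that has a private key and carries the
# Server Authentication EKU. Anything else in Cert:\LocalMachine\My is irrelevant to NPS.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Get-PeapServerCertificate {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid) } |
        ForEach-Object {
            # Build the chain the way a client would, minus revocation (offline trust-path check only).
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $builds = $chain.Build($_)
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            [pscustomobject]@{
                Subject        = $_.Subject
                Issuer         = $_.Issuer
                NotAfter       = $_.NotAfter
                Thumbprint     = $_.Thumbprint
                ChainBuilds    = $builds
                ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
                RootSubject    = $root.Subject
                RootThumbprint = $root.Thumbprint   # the root every wireless client must trust
            }
        }
}

Get-PeapServerCertificate | Format-List

# If nothing is listed, enroll from the enterprise CA. "Machine" is the template name
# behind the "Computer" display name shown in the wizard. A member server is only
# offered templates its computer account may enroll for; the Domain Controller
# template is restricted to DCs, so seeing only "Computer" on a non-DC is expected.
if (-not (Get-PeapServerCertificate)) {
    Get-Certificate -Template Machine -CertStoreLocation Cert:\LocalMachine\My
}
```

The RootThumbprint value is the thing to carry over to the client side: a client rejects PEAP (and NPS logs the rejection) when that root is absent from its Trusted Root Certification Authorities store, however valid the server certificate looks on the server.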

Your problem isn't with the certificate, I think.
If your clients do get the prompt, your certificate is in order (otherwise the client would reject the attempt before that even, unless you set it to ignore the RADIUS certificate).
Feel free to verify this: go into your NPS and edit the EAP-PEAP with MS-CHAPv2 as the inner auth method, and you should see the certificate issued.
Make sure your clients trust this certificate (distribute it via AD) and your cert issues are solved.
Try testing with the "ignore server certificate" option on your client and see if that improves anything.

Also, for EAP-PEAP a server certificate is all you need, so the computer cert you can request from your CA is sufficient. If your server isn't a domain controller you won't be getting a DC cert for it either.

That still leaves us your problem.
Check Windows Event Viewer for the authentication attempt. Does it show up? What error?
If it doesn't show up, have you actually set it to use the NPS server on your WLC?
You may have configured it to do WPA2-AES (aka with authentication), but is it using the NPS server to authenticate with, or might it be authenticating against an internal database of some sort?

I'm not familiar with Ubiquiti so I can't really help you further on that end.
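An added example, not part of the answer above, of making the NPS authentication events the answer asks about visible and reading them in a usable form. The function and field names are my own; the event IDs, the audit subcategory and the event XML layout are standard Windows NPS behaviour.

```powershell
# Added example, not from the original answer. Run in an elevated PowerShell on the NPS server.

# NPS writes 6272 (access granted) and 6273 (access denied) to the Security log only
# when the "Network Policy Server" audit subcategory is enabled. An empty log after a
# failed attempt can therefore mean "not audited" rather than "never received".
auditpol /get /subcategory:"Network Policy Server"
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

function Get-NpsAuthEvent {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Field values live in <EventData><Data Name="..."> elements of the event XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $result = if ($_.Id -eq 6272) { 'granted' } else { 'denied' }
        [pscustomobject]@{
            Time         = $_.TimeCreated
            Result       = $result
            User         = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            ClientMac    = $data.CallingStationID      # the wireless client
            RadiusClient = $data.ClientName            # friendly name of the AP/WLC entry
            Policy       = $data.NetworkPolicyName
            AuthType     = $data.AuthenticationType    # e.g. PEAP
            EapType      = $data.EAPType               # inner method, "-" if PEAP never got that far
            ReasonCode   = $data.ReasonCode            # present on 6273 only
            Reason       = $data.Reason
        }
    }
}

Get-NpsAuthEvent -Hours 24 |
    Format-Table Time, Result, User, ClientMac, AuthType, EapType, ReasonCode -AutoSize

# Denials grouped by reason separate a configuration problem (one code repeating
# across users) from a single bad password.
Get-NpsAuthEvent -Hours 24 | Where-Object Result -eq 'denied' |
    Group-Object ReasonCode, Reason | Select-Object Count, Name
```

If auditing is on and still nothing appears, the request did not reach NPS as a valid RADIUS packet: the source address the AP or controller sends from must match a configured RADIUS client entry, and the shared secret must match, otherwise NPS discards the packet without writing a Security event (it reports that in the System log instead).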
Nathan Lindley, IT Support Engineer


Hi Poohke,

I do get the prompt on the computer. I have attempted to enter the credentials with the username specifying the domain and without specifying the domain, but these don't work. I cleared out the Event Viewer and attempted again, but didn't see any event relating to the failed connection attempt.

Here is a screenshot of my Network Policy constraints.
Also, this is a screenshot of when I attempt to enroll the computer certificate on the RADIUS server.
Have you set up RADIUS servers before? Perhaps you could go through it step by step to see if I have missed anything out?

Hello Nathan,

Yes, I've set up a ton of IAS and NPS servers, as I'm a WLAN professional. Although these days most companies are moving away from NPS towards ClearPass or something similar.

Try double-clicking on the "Microsoft: Secured password (EAP-MSCHAP v2)" entry from your screenshot. You should be able to see if a certificate is used and which one it is. There might be one there already.
Also uncheck all those less secure authentication methods. You don't need them if your WLC is properly configured for EAP-PEAP.

Setting up a CA isn't my business though. Can't help much with that. While I've set up a few for customers asking for it, doing it properly and really supporting them is beyond me, sorry.

If you want to go the easy way, just install NPS on a domain controller. Then NPS will simply use the DC certificate and you will be good to go. You don't even need a CA then.

On NPS the config is pretty easy. Off the top of my head:
1) Enter the RADIUS clients (your WLC or whatever proxy is sending the RADIUS requests).
2) Enter a condition. Begin with hours of day and allow all for starters. Once you get everything working, add the user or computer policy that you want to allow.
3) Constraints: check if there is a certificate available, as explained above.
4) Check Event Viewer for authentication; check if logging is enabled (right-click your NPS server, if I remember correctly).
5) If you don't see anything, check your WLC.

Again, I think you should verify if there is already a certificate installed. I'm guessing there is. If so, ignore the CA for a while until you have everything working. Pre-configure a WLAN profile on your client with the correct details but uncheck "verify server certificate" (again, until everything works) and see if it will connect.
Check your WLC debug logs to find out what is happening with the authentication. Is it forwarding it to the correct NPS server?
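An added example, not part of the answer above, covering the client side of the advice: confirming whether the CA that signed the NPS certificate is trusted on a Windows client, getting it there if not, and seeing what the client's WLAN profile really validates. The certificate file path is an assumption; the profile name "test" is the SSID that appears in the Called Station Identifier of the log posted later in this thread.

```powershell
# Added example, not from the original answer. Step 1 runs on the CA, the rest on a client.
# C:\pki\corp-ca.cer is an assumed path.

# 1) On the CA: export the CA's own certificate (public part only).
#    certutil -ca.cert C:\pki\corp-ca.cer

function Test-CaTrusted {
    param([Parameter(Mandatory)][string]$CaCertPath)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
    # Compare thumbprints, not subject names: a rebuilt CA with the same name is a
    # different authority to the client.
    $match = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint
    [pscustomobject]@{
        CaSubject            = $ca.Subject
        Thumbprint           = $ca.Thumbprint
        NotAfter             = $ca.NotAfter
        TrustedOnThisMachine = [bool]$match
    }
}

# 2) On the client: is the issuing CA in the machine's Trusted Root store?
$trust = Test-CaTrusted -CaCertPath C:\pki\corp-ca.cer
$trust

# 3) If not: for domain members, publish once to AD and let Group Policy deliver it
#    (an enterprise CA is normally published there at install time):
#        certutil -dspublish -f C:\pki\corp-ca.cer RootCA
#    For a machine outside the domain, import it locally.
if (-not $trust.TrustedOnThisMachine) {
    Import-Certificate -FilePath C:\pki\corp-ca.cer -CertStoreLocation Cert:\LocalMachine\Root
}

# 4) Check what the client's WLAN profile actually validates. The exported XML carries
#    the PEAP settings: whether server validation is performed, which root thumbprints
#    are accepted and which server names are allowed.
netsh wlan export profile name="test" folder="$env:TEMP"
Get-ChildItem "$env:TEMP\*.xml" |
    Select-String -Pattern 'PerformServerValidation|TrustedRootCA|ServerNames|DisableUserPromptForServerValidation'
```

Unchecking "verify the server's certificate", as the answer suggests for testing, makes the client complete PEAP with any RADIUS server that presents any certificate, so treat it strictly as the diagnostic step the answer describes: once the CA thumbprint reported by Test-CaTrusted is trusted, switch validation back on and pin the profile's TrustedRootCA and ServerNames to the corporate CA and the NPS host name.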
Nathan Lindley, IT Support Engineer


Thanks Poohke,

I will look through your last comment and check everything, but my most recent finding, from looking at the logs in the server's Event Viewer, is this:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/08/2016 16:41:12
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MARAD001.corporate.local
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

      Security ID:                  CORPORATE\Nathan.Lindley
      Account Name:                  nathan.lindley
      Account Domain:                  CORPORATE
      Fully Qualified Account Name:      corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            52-D9-E7-A5-10-3A:test
      Calling Station Identifier:            A4-34-D9-67-FA-43

      NAS IPv4 Address:  
      NAS IPv6 Address:            -
      NAS Identifier:                  44d9e7a4103a
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            MPAP3 - IT Suite
      Client IP Address:        

Authentication Details:
      Connection Request Policy Name:      IT Suite
      Network Policy Name:            New
      Authentication Provider:            Windows
      Authentication Server:            MARAD001.corporate.local
      Authentication Type:            PEAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  265
      Reason:                        The certificate chain was issued by an authority that is not trusted.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <TimeCreated SystemTime="2016-08-11T15:41:12.998828300Z" />
    <Correlation />
    <Execution ProcessID="460" ThreadID="768" />
    <Security />
    <Data Name="SubjectUserSid">S-1-5-21-432469759-3583970380-2158479170-10217</Data>
    <Data Name="SubjectUserName">nathan.lindley</Data>
    <Data Name="SubjectDomainName">CORPORATE</Data>
    <Data Name="FullyQualifiedSubjectUserName">corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">52-D9-E7-A5-10-3A:test</Data>
    <Data Name="CallingStationID">A4-34-D9-67-FA-43</Data>
    <Data Name="NASIPv4Address"></Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">44d9e7a4103a</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NASPort">0</Data>
    <Data Name="ClientName">MPAP3 - IT Suite</Data>
    <Data Name="ClientIPAddress"></Data>
    <Data Name="ProxyPolicyName">IT Suite</Data>
    <Data Name="NetworkPolicyName">New</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">MARAD001.corporate.local</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">265</Data>
    <Data Name="Reason">The certificate chain was issued by an authority that is not trusted.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
Hi Nathan, is this a duplicate of the other question you have open?

I too am a WLAN professional, and Poohke raises some good points. If your NPS is on a domain member server and your CA is local (as per your other post), the NPS will already have a CA cert and a computer cert that should be good. This leads me to believe that the clients either aren't configured correctly or they're using a cert from a different CA.

Looking at the log again, it seems that your client tried to use PEAP with a cert instead of EAP-MSCHAPv2. Check the client config.
