RADIUS Authentication Problem in Windows Server 2016

MIcheal S
I have configured AD and NPAS on the same server, added a couple of RADIUS clients, created a few domain users, and added those users as members of the RAS and IAS groups. Even though I have registered NPAS in AD, for some reason it is failing to authenticate with NPAS.
Kindly suggest.
Distinguished Expert 2018
Commented:
Check those event logs. Windows' RADIUS implementation is *very* good at logging issues and will tell you of any errors.  For example, if you didn't get the key matched between the RADIUS server and client (such as a WAP or VPN appliance) then it'll log that. If the keys match but authentication is failing because of group membership, it'll log that.  The codes and descriptions are descriptive enough for you to easily pinpoint the issue.
In the logs, I am able to see that the connection between the NPAS and the RADIUS clients (WAP) is fine, but authentication is still not successful. Where do we see the respective logs?
Distinguished Expert 2018
Commented:
In event viewer, client and server.
Thank you Cliff Galiher. Found some Event IDs in NPS; I will try to figure it out.
Hi Cliff, I think that to enable EAP-PEAP authentication I have to use SSL certificates. I have not configured my server with an ADCS role. Instead I have third-party SSL certificates. Kindly suggest how to import the third-party SSL certificates to be used for EAP-PEAP.

Thanks in advance.
Distinguished Expert 2018
Commented:
All EAP authentication methods require some PKI certificates. PEAP only requires one on the server that the client trusts.

If you have a 3rd party certificate with the machine name and it supports the server authentication role, that'll be fine. Add it to the machine personal store using the certificates MMC. Then in the NPS console when configuring the policy, where you set the authentication type, you select the server certificate used. All suitable certificates in the store will be available. Note that the private key must be in the store as well. That means either generating the signing request on that machine, which generates a private key, or exporting the certificate WITH the private key from another machine... which can put the private key at risk of disclosure if not moved properly.

Note that this isn't unique to NPS. Most of this is basic PKI management.
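
A check for the conditions listed in the answer above, as an added example that is not part of the original thread: it lists each certificate in the machine personal store and reports whether it has a private key, carries the Server Authentication EKU, names this machine, and is within its validity period. The function name `Import-PeapServerPfx` and the PFX path are hypothetical placeholders; wildcard names are not evaluated.

```powershell
# Added example (not from the thread): audit Cert:\LocalMachine\My for
# certificates that meet the conditions described for a PEAP server cert.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now  = Get-Date

function Get-PeapCertificateReport {
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        # DnsNameList and EnhancedKeyUsageList are added by the certificate provider
        $names = @($_.DnsNameList | ForEach-Object { $_.Unicode })
        $ekus  = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            # False means only the public certificate was imported
            HasPrivateKey = $_.HasPrivateKey
            ServerAuthEku = $ekus -contains $serverAuthOid
            # Exact match on FQDN or short name; wildcard names are not evaluated
            NameMatches   = ($names -contains $fqdn) -or
                            ($names -contains $env:COMPUTERNAME)
            InValidity    = ($_.NotBefore -le $now) -and ($_.NotAfter -ge $now)
        }
    }
}

# Hypothetical helper: import a PFX (certificate WITH its private key) that was
# exported from the machine where the signing request was generated.
# Without -Exportable the key is stored as non-exportable on this server.
function Import-PeapServerPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath   # placeholder, e.g. C:\path\to\server.pfx
    )
    # Prompt for the password so it never appears in the script or history
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation Cert:\LocalMachine\My `
        -Password $pfxPassword
}

# Run from an elevated session on the NPS server
Get-PeapCertificateReport | Format-List
```

A certificate that shows `HasPrivateKey : False` was imported from a file without its key, which is the situation described in the next comment; delete the PFX transfer file once the import has succeeded.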
Hi Cliff, as per your suggestion I have added the third-party certificate to the machine personal store using the certificates MMC. Then in the NPS console, when configuring the policy authentication type EAP-PEAP, the certificate also appears. But I do not know how to import the private key file.
Hi Cliff, configured ADCS, created a certificate, and it worked. Thanks Cliff.
