The Acronis Global Cyber Summit 2019 will be held at the Fontainebleau Miami Beach Resort on October 13–16, 2019, and it promises to be the must-attend event for IT infrastructure managers, CIOs, service providers, value-added resellers, ISVs, and developers.
Server 2012 R2 Radius server and Cisco AP
hi,
I am trying to get my Cisco AP to authenticate with a Windows 2012 R2 server, i have setup following an online guide.
When a windows 7 client tries to connect to the SSID it fails and when i look in the radius logs it says client authentication failed EAP is not supported by the client.
Any thoughts i have tried a few changes and thought it may be certificate related but cant see any errors, the certificate is allocated from my local CA server.
i dont have access to my server at the moment but will post the logs tomorrow.
thanks
julian
I am trying to get my Cisco AP to authenticate with a Windows 2012 R2 server, i have setup following an online guide.
When a windows 7 client tries to connect to the SSID it fails and when i look in the radius logs it says client authentication failed EAP is not supported by the client.
Any thoughts i have tried a few changes and thought it may be certificate related but cant see any errors, the certificate is allocated from my local CA server.
i dont have access to my server at the moment but will post the logs tomorrow.
thanks
julian
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Hi,
On my Cisco AP I am getting
1 Mar 7 09:13:34.842 Warning Packet to client 5891.cf1a.d3a8 reached max retries, removing the client
2 Mar 7 09:13:34.838 Debugging Station 5891.cf1a.d3a8 Authentication failed
3 Mar 7 09:13:03.198 Debugging Station 5891.cf1a.d3a8 Authentication failed
4 Mar 7 09:13:01.334 Information Interface Dot11Radio0, Deauthenticating Station 5891.cf1a.d3a8 Reason: Sending station has left the BSS
5 Mar 7 09:12:55.607 Information Interface Dot11Radio0, Station ASL-Private 5891.cf1a.d3a8 Associated KEY_MGMT[NONE]
6 Mar 7 09:12:54.723 Debugging Station 5891.cf1a.d3a8 Authentication failed
On my Windows 2012 R2 server NPS
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: ASL-LAN\jhaines
Account Name: ASL-LAN\jhaines
Account Domain: ASL-LAN
Fully Qualified Account Name: ASL-LAN\jhaines
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 005f.861f.f820:AWN-SSC
Calling Station Identifier: 5891.cf1a.d3a8
NAS:
NAS IPv4 Address: 192.168.202.201
NAS IPv6 Address: -
NAS Identifier: ASL-Private
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 330
RADIUS Client:
Client Friendly Name: ASL-AP1
Client IP Address: 192.168.202.201
Authentication Details:
Connection Request Policy Name: ASL01 - Policy
Network Policy Name: ASL01 - Policy
Authentication Provider: Windows
Authentication Server: ASL-SSC11.asl.lan
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
On my Cisco AP I am getting
1 Mar 7 09:13:34.842 Warning Packet to client 5891.cf1a.d3a8 reached max retries, removing the client
2 Mar 7 09:13:34.838 Debugging Station 5891.cf1a.d3a8 Authentication failed
3 Mar 7 09:13:03.198 Debugging Station 5891.cf1a.d3a8 Authentication failed
4 Mar 7 09:13:01.334 Information Interface Dot11Radio0, Deauthenticating Station 5891.cf1a.d3a8 Reason: Sending station has left the BSS
5 Mar 7 09:12:55.607 Information Interface Dot11Radio0, Station ASL-Private 5891.cf1a.d3a8 Associated KEY_MGMT[NONE]
6 Mar 7 09:12:54.723 Debugging Station 5891.cf1a.d3a8 Authentication failed
On my Windows 2012 R2 server NPS
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: ASL-LAN\jhaines
Account Name: ASL-LAN\jhaines
Account Domain: ASL-LAN
Fully Qualified Account Name: ASL-LAN\jhaines
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 005f.861f.f820:AWN-SSC
Calling Station Identifier: 5891.cf1a.d3a8
NAS:
NAS IPv4 Address: 192.168.202.201
NAS IPv6 Address: -
NAS Identifier: ASL-Private
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 330
RADIUS Client:
Client Friendly Name: ASL-AP1
Client IP Address: 192.168.202.201
Authentication Details:
Connection Request Policy Name: ASL01 - Policy
Network Policy Name: ASL01 - Policy
Authentication Provider: Windows
Authentication Server: ASL-SSC11.asl.lan
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
How have you configured your Connection Request Policy?
Type of network access server? Unspecfied would suite wireless APs
Conditions? NAS Port Type if set?
Settings? Usually authenticate requests on this server (if server is joined to AD, then it will use user's AD account).
What Network Policies have you set?
Type of network access server? Unspecfied would suite wireless APs
Conditions? NAS Port Type if set?
Settings? Usually authenticate requests on this server (if server is joined to AD, then it will use user's AD account).
What Network Policies have you set?
Hi,
I am still having issues getting this working,
1. My Cisco AP is setup to use "network EAP" for the SSID on native VLAN
2. My Windows 2012 R2 NPS server is setup with
a. Radius Client pointing to my Cisco AP
b. Connection request policy with condition "NAS IPv4 Address" & Auth method "Protected EAP (PEAP)"
c. Network policy with condition "Domain Admins Only" & Auth method "Protected EAP (PEAP)"
I am still having issues getting this working,
1. My Cisco AP is setup to use "network EAP" for the SSID on native VLAN
2. My Windows 2012 R2 NPS server is setup with
a. Radius Client pointing to my Cisco AP
b. Connection request policy with condition "NAS IPv4 Address" & Auth method "Protected EAP (PEAP)"
c. Network policy with condition "Domain Admins Only" & Auth method "Protected EAP (PEAP)"
I fell foul of the NAS IPv4 Address condition as it can be confused with the IP address of the client, it is for the Network Access Service (e.g. Cisco AP) not for the Windows Client. Try changing this condition for something else.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
I think I have figured it out my CA server is a standalone and I have read that NPS EAP required an Enterprise CA server which can issues EAP compatible certificate.
Julian
Julian
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
Are you using EAP or PEAP for access?