Server 2012 R2 Radius server and Cisco AP

Julian Haines
Julian Haines used Ask the Experts™

I am trying to get my Cisco AP to authenticate with a Windows 2012 R2 server, i have setup following an online guide.

When a windows 7 client tries to connect to the SSID it fails and when i look in the radius logs it says client authentication failed EAP is not supported by the client.

Any thoughts i have tried a few changes and thought it may be certificate related but cant see any errors, the certificate is allocated from my local CA server.

i dont have access to my server at the moment but will post the logs tomorrow.

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Peter HutchisonSenior Network Systems Specialist

Is the local CA root certificate installed on the Windows 7 client?
Are you using EAP or PEAP for access?
Julian HainesSenior IT Administrator



On my Cisco AP I am getting

1      Mar 7 09:13:34.842      Warning      Packet to client 5891.cf1a.d3a8 reached max retries, removing the client
2      Mar 7 09:13:34.838      Debugging      Station 5891.cf1a.d3a8 Authentication failed
3      Mar 7 09:13:03.198      Debugging      Station 5891.cf1a.d3a8 Authentication failed
4      Mar 7 09:13:01.334      Information      Interface Dot11Radio0, Deauthenticating Station 5891.cf1a.d3a8 Reason: Sending station has left the BSS
5      Mar 7 09:12:55.607      Information      Interface Dot11Radio0, Station ASL-Private 5891.cf1a.d3a8 Associated KEY_MGMT[NONE]
6      Mar 7 09:12:54.723      Debugging      Station 5891.cf1a.d3a8 Authentication failed

On my Windows 2012 R2 server NPS

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

      Security ID:                  ASL-LAN\jhaines
      Account Name:                  ASL-LAN\jhaines
      Account Domain:                  ASL-LAN
      Fully Qualified Account Name:      ASL-LAN\jhaines

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            005f.861f.f820:AWN-SSC
      Calling Station Identifier:            5891.cf1a.d3a8

      NAS IPv4 Address:  
      NAS IPv6 Address:            -
      NAS Identifier:                  ASL-Private
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  330

RADIUS Client:
      Client Friendly Name:            ASL-AP1
      Client IP Address:        

Authentication Details:
      Connection Request Policy Name:      ASL01 - Policy
      Network Policy Name:            ASL01 - Policy
      Authentication Provider:            Windows
      Authentication Server:            ASL-SSC11.asl.lan
      Authentication Type:            EAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  22
      Reason:                        The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
Peter HutchisonSenior Network Systems Specialist

How have you configured your Connection Request Policy?
Type of network access server? Unspecfied would suite wireless APs
Conditions? NAS Port Type if set?
Settings? Usually authenticate requests on this server (if server is joined to AD, then it will use user's AD account).

What Network Policies have you set?
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Julian HainesSenior IT Administrator



I am still having issues getting this working,

1. My Cisco AP is setup to use "network EAP" for the SSID on native VLAN

2. My Windows 2012 R2 NPS server is setup with

a. Radius Client pointing to my Cisco AP

b. Connection request policy with condition "NAS IPv4 Address" & Auth method "Protected EAP (PEAP)"

c. Network policy with condition "Domain Admins Only" & Auth method "Protected EAP (PEAP)"
Senior Network Systems Specialist
I fell foul of the NAS IPv4 Address condition as it can be confused with the IP address of the client, it is for the Network Access Service (e.g. Cisco AP) not for the Windows Client. Try changing this condition for something else.
Julian HainesSenior IT Administrator


I think I have figured it out my CA server is a standalone and I have read that NPS EAP required an Enterprise CA server which can issues EAP compatible certificate.

Julian HainesSenior IT Administrator


Thanks is was to do with the conditions I have got working.,

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial