Cisco Wireless Users Can No Longer Authenticate to our Server 2012 Radius Server

Both my Cisco Virtual Wireless Controller and the Windows Server 2012 box serving as the RADIUS server were rebooted after another admin updated the VMware tools on them. I then started getting calls that users (laptops and mobile phones) could not connect to the wireless.

Checking logs on my vWLC console I saw a lot of: AAA Authentication Failure for Client MAC: 54:7c:69:49:ca:1e UserName:<USERNAME> User Type: WLAN USER Reason: Authentication failed

Checking NPS logs on the RADIUS server I started seeing information entries like this: 'The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.' and 'Reason The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.'

Application logs showed similar 'information' entries: Negotiation failed. No available EAP methods

I'll paste the full log entries below, as well as screenshots of my RADIUS client settings, Network Policies and Remote Connection Policies. After extensive Googling, most fixes point to a cert error; my cert doesn't expire until 2019 so I don't think that is the problem, but I'm not an expert at this.
Craig Beck commented:
You need a connection request policy or the server will reject all requests. Usually the default policy is fine, but if you've edited it you need to make sure you have the correct authentication method configured. In your case you do, so it should be OK.

The cert should be ok but some clients don't like using EAP with a wildcard. The issue on the Aruba forum relates to non-MS RADIUS servers.

Does your NPS server have a cert it can use from your internal CA?
travisryan (author) commented:
Full text of the App Log entries:

APPLICATION LOG, GENERAL

Negotiation failed. No available EAP methods

and

APPLICATION LOG, DETAILS

System
  Provider: Microsoft-Windows-EapHost, Guid {6EB8DB94-FE96-443F-A366-5FE0CEE7FB1C}
  EventID 1004, Version 0, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000
  TimeCreated: 2018-01-13T00:06:36.299026700Z
  EventRecordID 1264663
  Execution: ProcessID 888, ThreadID 4300
  Channel: Application
  Computer: <RADIUS>.<DOMAIN>.com
  Security: UserID S-1-5-18

EventData
  (none)

travisryan (author) commented:
NPS log entries:
NETWORK POLICY AND ACCESS SERVICES, GENERAL

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			host/<COMPUTER>.DOMAIN.com
	Account Domain:			<DOMAIN>
	Fully Qualified Account Name:	<DOMAIN>\<COMPUTER>$

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		5c-83-8f-3f-da-70:<SSID>
	Calling Station Identifier:		a4-02-b9-c6-5f-a7

NAS:
	NAS IPv4 Address:		<CONTROLLER>
	NAS IPv6 Address:		-
	NAS Identifier:			<CONTROLLER NAME>
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			1

RADIUS Client:
	Client Friendly Name:		WLC
	Client IP Address:			<CONTROLLER>

Authentication Details:
	Connection Request Policy Name:	Secure Wireless Connections
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		<RADIUS SERVER>.DOMAIN.com
	Authentication Type:		EAP
	EAP Type:			-
	Account Session Identifier:		35613539343734642F61343A30323A62393A63363A35663A61372F31353238
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			22
	Reason:				The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

and

NETWORK POLICY AND ACCESS SERVICES, DETAILS

System
  Provider: Microsoft-Windows-Security-Auditing, Guid {54849625-5478-4994-A5BA-3E3B0328C30D}
  EventID 6273, Version 1, Level 0, Task 12552, Opcode 0, Keywords 0x8010000000000000
  TimeCreated: 2018-01-12T23:40:01.054200500Z
  EventRecordID 238408234
  Execution: ProcessID 476, ThreadID 4076
  Channel: Security
  Computer: <RADIUS SERVER>.<DOMAIN>.com

EventData
  SubjectUserSid S-1-0-0
  SubjectUserName host/<MACHINE NAME>.<DOMAIN>.com
  SubjectDomainName <DOMAIN>
  FullyQualifiedSubjectUserName <DOMAIN>\<MACHINE NAME>$
  SubjectMachineSID S-1-0-0
  SubjectMachineName -
  FullyQualifiedSubjectMachineName -
  MachineInventory -
  CalledStationID 5c-83-8f-3f-da-70:<SSID>
  CallingStationID a4-02-b9-c6-5f-a7
  NASIPv4Address <CONTROLLER IP>
  NASIPv6Address -
  NASIdentifier <CONTROLLER NAME>
  NASPortType Wireless - IEEE 802.11
  NASPort 1
  ClientName WLC
  ClientIPAddress <CONTROLLER IP>
  ProxyPolicyName Secure Wireless Connections
  NetworkPolicyName -
  AuthenticationProvider Windows
  AuthenticationServer <RADIUS SERVER>.<DOMAIN>.com
  AuthenticationType EAP
  EAPType -
  AccountSessionIdentifier 35613539343734642F61343A30323A62393A63363A35663A61372F31353238
  ReasonCode 22
  Reason The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
  LoggingResult Accounting information was written to the local log file.

travisryan (author) commented:
Radius client screenshots:
Screenshots: Radius client general settings; Radius client advanced settings
travisryan (author) commented:
Remote connection screenshots part 1:
Screenshots: Remote Connection policies general settings; Remote Connection policy overview; Connection Policy Conditions
travisryan (author) commented:
Remote connection policy part 2:
Screenshots: Remote Connection Policy settings > authentication; Remote Connection Policy forwarding authentication; Remote Connection Policy RADIUS attribute
travisryan (author) commented:
Network Policies part 1:
Screenshots: Network Policy general view; Network Policy overview; Network Policy Conditions settings
travisryan (author) commented:
Network policy screenshots part 2:
Screenshots: Network policy constraints and authorization settings; Network policy > settings > RADIUS standard settings; Network policy > settings > NAP enforcement
travisryan (author) commented:
Debug aaa events output:
*Dot1x_NW_MsgTask_7: Jan 12 18:31:06.813: a4:02:b9:c6:5f:a7 Created Cisco-Audit-Session-ID for the mobile: 6464010a000005143a45595a
*aaaQueueReader: Jan 12 18:31:06.813: a4:02:b9:c6:5f:a7 radiusServerFallbackPassiveStateUpdate: RADIUS server is ready <RADIUS SERVER> port 1812 index 0 active 1
*aaaQueueReader: Jan 12 18:31:06.813: 00:00:00:00:00:00 Found a server : <RADIUS SERVER> from the WLAN server list of radius server index 1
*aaaQueueReader: Jan 12 18:31:06.813: a4:02:b9:c6:5f:a7 Send Radius Auth Request with pktId:158 into qid:7 of server at index:0
*aaaQueueReader: Jan 12 18:31:06.813: a4:02:b9:c6:5f:a7 Sending the packet to v4 host <RADIUS SERVER>:1812 of length 319
*aaaQueueReader: Jan 12 18:31:06.813: a4:02:b9:c6:5f:a7 Successful transmission of Authentication Packet (pktId 158) to <RADIUS SERVER>:1812 from server queue 7, proxy state a4:02:b9:c6:5f:a7-03:00
*radiusTransportThread: Jan 12 18:31:06.820: a4:02:b9:c6:5f:a7 Access-Reject received from RADIUS server <RADIUS SERVER> (qid:7) with port:1812, pktId:158
*radiusTransportThread: Jan 12 18:31:06.820: a4:02:b9:c6:5f:a7 [Error] Client requested no retries for mobile A4:02:B9:C6:5F:A7
*radiusTransportThread: Jan 12 18:31:06.820: a4:02:b9:c6:5f:a7 Returning AAA Error 'Authentication Failed' (-4) for mobile a4:02:b9:c6:5f:a7
*aaaQueueReader: Jan 12 18:31:08.369: a4:02:b9:c6:5f:a7 radiusServerFallbackPassiveStateUpdate: RADIUS server is ready <RADIUS SERVER> port 1812 index 0 active 1
*aaaQueueReader: Jan 12 18:31:08.369: 00:00:00:00:00:00 Found a server : <RADIUS SERVER> from the WLAN server list of radius server index 1
*aaaQueueReader: Jan 12 18:31:08.369: a4:02:b9:c6:5f:a7 Send Radius Auth Request with pktId:159 into qid:7 of server at index:0
*aaaQueueReader: Jan 12 18:31:08.369: a4:02:b9:c6:5f:a7 Sending the packet to v4 host <RADIUS SERVER>:1812 of length 319
*aaaQueueReader: Jan 12 18:31:08.369: a4:02:b9:c6:5f:a7 Successful transmission of Authentication Packet (pktId 159) to <RADIUS SERVER>:1812 from server queue 7, proxy state a4:02:b9:c6:5f:a7-05:00
*radiusTransportThread: Jan 12 18:31:08.374: a4:02:b9:c6:5f:a7 Access-Reject received from RADIUS server <RADIUS SERVER> (qid:7) with port:1812, pktId:159
*radiusTransportThread: Jan 12 18:31:08.374: a4:02:b9:c6:5f:a7 [Error] Client requested no retries for mobile A4:02:B9:C6:5F:A7
*radiusTransportThread: Jan 12 18:31:08.374: a4:02:b9:c6:5f:a7 Returning AAA Error 'Authentication Failed' (-4) for mobile a4:02:b9:c6:5f:a7
*aaaQueueReader: Jan 12 18:31:08.769: ac:37:43:4b:99:8e radiusServerFallbackPassiveStateUpdate: RADIUS server is ready <RADIUS SERVER> port 1812 index 0 active 1
*aaaQueueReader: Jan 12 18:31:08.769: 00:00:00:00:00:00 Found a server : <RADIUS SERVER> from the WLAN server list of radius server index 1
*aaaQueueReader: Jan 12 18:31:08.769: ac:37:43:4b:99:8e Send Radius Auth Request with pktId:115 into qid:14 of server at index:0
*aaaQueueReader: Jan 12 18:31:08.769: ac:37:43:4b:99:8e Sending the packet to v4 host <RADIUS SERVER>:1812 of length 269
*aaaQueueReader: Jan 12 18:31:08.769: ac:37:43:4b:99:8e Successful transmission of Authentication Packet (pktId 115) to <RADIUS SERVER>:1812 from server queue 14, proxy state ac:37:43:4b:99:8e-03:00
*radiusTransportThread: Jan 12 18:31:08.774: ac:37:43:4b:99:8e Access-Reject received from RADIUS server <RADIUS SERVER> (qid:14) with port:1812, pktId:115
*radiusTransportThread: Jan 12 18:31:08.774: ac:37:43:4b:99:8e [Error] Client requested no retries for mobile AC:37:43:4B:99:8E
*radiusTransportThread: Jan 12 18:31:08.774: ac:37:43:4b:99:8e Returning AAA Error 'Authentication Failed' (-4) for mobile ac:37:43:4b:99:8e
*aaaQueueReader: Jan 12 18:31:09.919: a4:02:b9:c6:5f:a7 radiusServerFallbackPassiveStateUpdate: RADIUS server is ready <RADIUS SERVER> port 1812 index 0 active 1
*aaaQueueReader: Jan 12 18:31:09.919: 00:00:00:00:00:00 Found a server : <RADIUS SERVER> from the WLAN server list of radius server index 1
*aaaQueueReader: Jan 12 18:31:09.919: a4:02:b9:c6:5f:a7 Send Radius Auth Request with pktId:160 into qid:7 of server at index:0
*aaaQueueReader: Jan 12 18:31:09.919: a4:02:b9:c6:5f:a7 Sending the packet to v4 host <RADIUS SERVER>:1812 of length 319
*aaaQueueReader: Jan 12 18:31:09.920: a4:02:b9:c6:5f:a7 Successful transmission of Authentication Packet (pktId 160) to <RADIUS SERVER>:1812 from server queue 7, proxy state a4:02:b9:c6:5f:a7-07:00
*radiusTransportThread: Jan 12 18:31:09.926: a4:02:b9:c6:5f:a7 Access-Reject received from RADIUS server <RADIUS SERVER> (qid:7) with port:1812, pktId:160
*radiusTransportThread: Jan 12 18:31:09.926: a4:02:b9:c6:5f:a7 [Error] Client requested no retries for mobile A4:02:B9:C6:5F:A7
*radiusTransportThread: Jan 12 18:31:09.926: a4:02:b9:c6:5f:a7 Returning AAA Error 'Authentication Failed' (-4) for mobile a4:02:b9:c6:5f:a7
*aaaQueueReader: Jan 12 18:31:13.888: ac:37:43:4b:99:8e radiusServerFallbackPassiveStateUpdate: RADIUS server is ready <RADIUS SERVER> port 1812 index 0 active 1
*aaaQueueReader: Jan 12 18:31:13.888: 00:00:00:00:00:00 Found a server : <RADIUS SERVER> from the WLAN server list of radius server index 1
*aaaQueueReader: Jan 12 18:31:13.888: ac:37:43:4b:99:8e Send Radius Auth Request with pktId:116 into qid:14 of server at index:0
*aaaQueueReader: Jan 12 18:31:13.888: ac:37:43:4b:99:8e Sending the packet to v4 host <RADIUS SERVER>:1812 of length 269
*aaaQueueReader: Jan 12 18:31:13.888: ac:37:43:4b:99:8e Successful transmission of Authentication Packet (pktId 116) to <RADIUS SERVER>:1812 from server queue 14, proxy state ac:37:43:4b:99:8e-04:00
*radiusTransportThread: Jan 12 18:31:13.892: ac:37:43:4b:99:8e Access-Reject received from RADIUS server <RADIUS SERVER> (qid:14) with port:1812, pktId:116
*radiusTransportThread: Jan 12 18:31:13.893: ac:37:43:4b:99:8e [Error] Client requested no retries for mobile AC:37:43:4B:99:8E
*radiusTransportThread: Jan 12 18:31:13.893: ac:37:43:4b:99:8e Returning AAA Error 'Authentication Failed' (-4) for mobile ac:37:43:4b:99:8e
*apfReceiveTask: Jan 12 18:31:17.878: 8c:18:d9:f9:7a:1f Sending Accounting request (2) for station 8c:18:d9:f9:7a:1f
*apfReceiveTask: Jan 12 18:31:20.122: a4:02:b9:c6:5f:a7 Sending Accounting request (2) for station a4:02:b9:c6:5f:a7
*aaaQueueReader: Jan 12 18:31:20.122: a4:02:b9:c6:5f:a7 Doing AAA Cleanup for mobile (in AAA: 164)02:b9:c6:5f:a7:00
*apfReceiveTask: Jan 12 18:31:23.998: ac:37:43:4b:99:8e Sending Accounting request (2) for station ac:37:43:4b:99:8e
*aaaQueueReader: Jan 12 18:31:23.998: ac:37:43:4b:99:8e Doing AAA Cleanup for mobile (in AAA: 172)37:43:4b:99:8e:00
*apfReceiveTask: Jan 12 18:31:54.598: 54:7c:69:49:ca:1e Sending Accounting request (2) for station 54:7c:69:49:ca:1e
*Dot1x_NW_MsgTask_7: Jan 12 18:32:21.487: a4:02:b9:c6:5f:a7 Created Cisco-Audit-Session-ID for the mobile: 6464010a000005158545595a


travisryan (author) commented:
debug dot11 mobile output:
*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc Re-applying interface policy for client

*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc Setting the NAS Id to AP group specific Id '<CONTROLLER NAME>'
*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc Assigning flex webauth ACL ID :65535 for vlan : 1
*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc Updating AID for REAP AP Client 70:70:8b:c7:c5:90 - AID ===> 2
*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc  apfVapSecurity=0x4000 L2=16384 SkipWeb=0
*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc  AuthenticationRequired = 1
*apfMsConnTask_1: Jan 12 18:37:54.533: 70:70:8b:c7:c5:90 Stats update for online user count

*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc apfPemAddUser2:session timeout forstation 08:11:96:27:8c:fc - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0
*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0

*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc Sending assoc-resp with status 0 station:08:11:96:27:8c:fc AP:70:70:8b:c7:c5:90-00 on apVapId 1
*apfMsConnTask_1: Jan 12 18:37:54.533: 08:11:96:27:8c:fc Sending Assoc Response (status: '0') to station on AP AP7070.8b84.05d0 on BSSID 70:70:8b:c7:c5:90 ApVapId 1 Slot 0, mobility role 0
*spamApTask7: Jan 12 18:37:54.533: 08:11:96:27:8c:fc Add SGT:0 to AP 70:70:8b:c7:c5:90
*spamApTask7: Jan 12 18:37:54.533: 08:11:96:27:8c:fc Add CTS mobile SGT - Encoded the capwap payload for the mobile with SGT 0
*spamApTask7: Jan 12 18:37:54.534: 08:11:96:27:8c:fc Successful transmission of LWAPP Add-Mobile to AP 70:70:8b:c7:c5:90
*spamApTask7: Jan 12 18:37:54.534: 08:11:96:27:8c:fc Setting ADD_MOBILE (idx 0, seqno 0, action 1, count 476309433) ack state for STA on AP 70:70:8b:c7:c5:90
*apfOpenDtlSocket: Jan 12 18:37:54.536: 08:11:96:27:8c:fc Recevied management frame ACTION              on BSSID 70:70:8b:c7:c5:90 destination addr 70:70:8b:c7:c5:90
*spamApTask7: Jan 12 18:37:54.536: 08:11:96:27:8c:fc Received ADD_MOBILE ack - Initiating 1x to STA 08:11:96:27:8c:fc (idx 23)
*spamApTask7: Jan 12 18:37:54.536: 08:11:96:27:8c:fc APF Initiating 1x to STA 08:11:96:27:8c:fc
*Dot1x_NW_MsgTask_4: Jan 12 18:37:54.536: 08:11:96:27:8c:fc dot1xProcessInitiate1XtoMobile to mobile station 08:11:96:27:8c:fc (mscb 1, msg 1)
*apfReceiveTask: Jan 12 18:38:03.026: 54:7c:69:49:ca:1e Scheduling deletion of Mobile Station:  (callerId: 46) in 60 seconds
*apfReceiveTask: Jan 12 18:38:03.026: 54:7c:69:49:ca:1e pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*spamApTask4: Jan 12 18:38:03.027: 54:7c:69:49:ca:1e Setting DEL_MOBILE (seqno 0, action 6) ack state for STA on AP 5c:83:8f:57:45:b0
*spamApTask4: Jan 12 18:38:03.027: 54:7c:69:49:ca:1e Delete Mobile request sent to the AP <AP IP>:53532

*apfReceiveTask: Jan 12 18:38:03.029: 5c:83:8f:57:45:b0 apfMsUpdateDeleteAck Del MN ACK Received for client with AID = 0 slot = 0
*apfReceiveTask: Jan 12 18:38:07.718: ac:37:43:4b:99:8e Deleting mobile on AP 5c:83:8f:3f:da:70(1)
*apfReceiveTask: Jan 12 18:38:07.718: ac:37:43:4b:99:8e apf_ms.c:5423 Clearing the SGT 0 of mobile
*apfReceiveTask: Jan 12 18:38:07.718: ac:37:43:4b:99:8e Decrement the SGT 0 policy count reference by the clients 5
*apfOpenDtlSocket: Jan 12 18:38:15.054: ac:37:43:4b:99:8e Recevied management frame ASSOCIATION REQUEST  on BSSID 5c:83:8f:57:fe:70 destination addr 5c:83:8f:57:fe:70
*apfMsConnTask_1: Jan 12 18:38:15.055: ac:37:43:4b:99:8e Adding mobile on LWAPP AP 5c:83:8f:57:fe:70(0)
*apfMsConnTask_1: Jan 12 18:38:15.055: ac:37:43:4b:99:8e Association received from mobile on BSSID 5c:83:8f:57:fe:bf AP AP188b.9dbc.d7f4
*apfMsConnTask_1: Jan 12 18:38:15.055: ac:37:43:4b:99:8e Station:  AC:37:43:4B:99:8E  11v BSS Transition not enabled on the AP  5C:83:8F:57:FE:70
*apfMsConnTask_1: Jan 12 18:38:15.055: ac:37:43:4b:99:8e Global 200 Clients are allowed to AP radio

*apfMsConnTask_1: Jan 12 18:38:15.055: ac:37:43:4b:99:8e Max Client Trap Threshold: 0  cur: 0

*apfMsConnTask_1: Jan 12 18:38:15.055: ac:37:43:4b:99:8e Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_1: Jan 12 18:38:15.055: ac:37:43:4b:99:8e Applying Interface(<INT NAME>) policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_1: Jan 12 18:38:15.055: ac:37:43:4b:99:8e Re-applying interface policy for client


travisryan (author) commented:
That's all the outputs I can think to post right now. Feel free to ask any questions/for other screenshots/debugs.
travisryan (author) commented:
Additionally, I've just restored the RADIUS server to a snapshot from before the update... and I'm still having the problem. I then went and deleted and recreated the RADIUS client config, remote connection policy config and the network policy config... still having the problem. I am really stumped.
Craig Beck commented:
The error is pretty conclusive usually. The EAP method the client is using can't be processed by the server. That usually indicates that the client is using an EAP method not allowed in the policy.

What 802.1x config do you have on your client devices?
travisryan (author) commented:
Craig, good to see you. You helped solve something very similar not too long ago:  https://www.experts-exchange.com/questions/28929024/Cisco-Wireless-Server-2008-EAP-authentication-error.html

What specifically do you mean by 802.1x config?
travisryan (author) commented:
On Android devices I have it set to use PEAP and MS-CHAPv2.
travisryan (author) commented:
Caveat: none of this should've changed from before the maintenance, so I don't know why I'd have to change it now. That being said, these three screens have caused me the most issues. In the areas highlighted in red there are options for CHAPv2 in a few places, and you only select it sometimes. Also there's the issue that in the config guide you set authentication in the Network Policy conditions, but the way mine is set, the authentication is in the constraints.
Screenshots: Connection Request Policy Auth Methods; Network Policy Conditions; Network Policy Constraints
Craig Beck commented:
OK, so in the less secure methods window just untick everything. They are not required.

The configuration you have (PEAP with secured password) is fine, but check the certificate. Are you able to select more than one? I notice the current cert is signed by a 3rd-party CA. Is that how it has always been?
travisryan (author) commented:
-Everything in the less secure methods is unchecked (Network policy and connection request).
-Network policy and Connection request policies only have EAP-MSCHAPv2 option available in the 'EAP TYPES' box.
-Network policy cert is a Domain Controller signed cert and has been that way since the beginning. Connection request policy cert is a third party wildcard and has been that way for months now.
travisryan (author) commented:
In addition to troubleshooting this server I'm recreating NPS, Radius, certs and all that on another server but it's a huge pain in the keister. Any questions/comments troubleshooting this current server are welcome.
travisryan (author) commented:
Digging more into my current server logs while waiting for a new cert for the 2nd RADIUS server, here's what I found in the EapHost logs:

GENERAL

Skipping: Unable to add EAP method. Friendly name not present. TypeId(21), AuthorId(311), VendorId(0), VendorType(0)

DETAILS

System
  Provider: Microsoft-Windows-EapHost, Guid {6EB8DB94-FE96-443F-A366-5FE0CEE7FB1C}
  EventID 3026, Version 0, Level 2, Task 3, Opcode 0, Keywords 0x4000000000000000
  TimeCreated: 2018-01-13T20:30:19.608869100Z
  EventRecordID 107
  Execution: ProcessID 520, ThreadID 4788
  Channel: Microsoft-Windows-EapHost/Operational
  Computer: owldc3.oscarwinski.com
  Security: UserID S-1-5-21-265503261-1090121094-3735137603-500

EventData
  TypeId 21
  AuthorId 311
  VendorId 0
  VendorType 0


travisryan (author) commented:
Googling around on the above entry I boiled results down to two relevant links:

One that directly relates to my situation (Craig solved that one too; unfortunately I think his solution doesn't solve my issue): https://www.experts-exchange.com/questions/28263990/RADIUS-Authentication-Not-Working.html

One that is epic in length and I'm still processing:
https://social.technet.microsoft.com/Forums/Lync/en-US/25d55813-c9f6-43b2-a342-42e7103de545/eaptls-with-certificate-nps-and-client-not-connecting?forum=winserverNAP
Craig Beck commented:
The connection request policy should never need to be touched. The MS guides tell you to configure a secure wireless policy, but unless you are proxying it's pointless.

The network request policy is where the magic happens so if your connection request policy is wrong the network policy will never be met.

Can you post the custom NPS log for a failed attempt please?
travisryan (author) commented:
Craig, the second comment from the top is an NPS log entry.
travisryan (author) commented:
I was getting Schannel errors in the system logs, so I thought the certificate might have become corrupt. I replaced it with a fresh one. I don't get the Schannel error or the EAP host message anymore, but it's still not working and I'm still getting errors.

This is in the NPS log:
Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

This is in the NPS server events log:
An Access-Request message was received from RADIUS client <wlc controller IP> with a Message-Authenticator attribute that is not valid.

Craig Beck commented:
Reset the shared secret on the NPS and the WLC.
travisryan (author) commented:
After changing the shared secret my Android phones can get on, but several Windows laptops cannot. The Cisco wireless log sez:
AAA Authentication Failure for Client MAC: <redacted> UserName:host/<computer.domain>.com User Type: WLAN USER Reason: Authentication failed

My phone in the NPS logs on the (new) RADIUS server:
Network Policy Server granted full access to a user because the host met the defined health policy.

My laptop in the NPS logs on the (new) RADIUS server:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			host/<mylaptop.domain>.com
	Account Domain:			<domain>
	Fully Qualified Account Name:	<domain\my laptop>$

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		5c-83-8f-3f-da-70:<ssid>
	Calling Station Identifier:		98-5f-d3-5b-37-f1

NAS:
	NAS IPv4 Address:		<controller ip>
	NAS IPv6 Address:		-
	NAS Identifier:			<controller>
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			1

RADIUS Client:
	Client Friendly Name:		vWLC
	Client IP Address:			<controller ip>

Authentication Details:
	Connection Request Policy Name:	Cisco Wireless
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		<new radius.domain>.com
	Authentication Type:		PEAP
	EAP Type:			-
	Account Session Identifier:		35613562366331302F39383A35663A64333A35623A33373A66312F34323331
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			16
	Reason:				Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

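An added example, not part of the thread or of NPS itself: a small Python triage helper that parses the tab-indented NPS event 6273 text quoted above, maps the reason codes seen in this thread (22, 16) and the "Message-Authenticator attribute that is not valid" event to the checks the thread worked through, and counts rejects per client MAC. The sample event text, host names and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample, modelled on the NPS event 6273 text quoted in this thread
# (layout: "Section:" lines, then "\tKey:\tValue" lines). Names/IPs are made up.
SAMPLE_6273 = (
    "Network Policy Server denied access to a user.\n\n"
    "Contact the Network Policy Server administrator for more information.\n\n"
    "User:\n"
    "\tSecurity ID:\t\t\tNULL SID\n"
    "\tAccount Name:\t\t\thost/laptop01.example.com\n"
    "\tAccount Domain:\t\t\tEXAMPLE\n"
    "\tFully Qualified Account Name:\tEXAMPLE\\laptop01$\n\n"
    "Client Machine:\n"
    "\tCalled Station Identifier:\t\t5c-83-8f-3f-da-70:CorpWifi\n"
    "\tCalling Station Identifier:\t\t98-5f-d3-5b-37-f1\n\n"
    "RADIUS Client:\n"
    "\tClient Friendly Name:\t\tWLC\n"
    "\tClient IP Address:\t\t\t10.1.100.5\n\n"
    "Authentication Details:\n"
    "\tConnection Request Policy Name:\tSecure Wireless Connections\n"
    "\tNetwork Policy Name:\t\t-\n"
    "\tAuthentication Type:\t\tEAP\n"
    "\tEAP Type:\t\t\t-\n"
    "\tReason Code:\t\t\t22\n"
    "\tReason:\t\t\t\tThe client could not be authenticated because the "
    "Extensible Authentication Protocol (EAP) Type cannot be processed by the server.\n"
)

# Constructed system-log line in the shape of the NPS event 18 quoted in the thread.
SAMPLE_EVENT18 = ("An Access-Request message was received from RADIUS client 10.1.100.5 "
                  "with a Message-Authenticator attribute that is not valid.")


def parse_nps_event(text):
    """Parse an event 6273/6272 text body into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith("\t"):
            if raw.endswith(":"):            # "User:", "Authentication Details:", ...
                current = raw[:-1]
                sections[current] = {}
            continue                          # descriptive sentences are skipped
        if current is not None:
            # Split on the FIRST colon only, so values such as "mac:SSID" survive intact.
            key, _, value = raw.strip().partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


# Reason codes that came up in this thread, paired with the checks the thread worked through.
REASON_HINTS = {
    "22": "EAP type cannot be processed by the server: compare the client's EAP method "
          "(e.g. PEAP with MS-CHAPv2) with the EAP types allowed in the network policy, "
          "and verify the server certificate NPS selects for PEAP",
    "16": "Credentials mismatch: the account does not exist or the password was wrong; "
          "for host/ accounts confirm the policy allows Domain Computers",
}


def triage(event):
    """Return a list of findings for one parsed 6273 event."""
    auth = event.get("Authentication Details", {})
    code = auth.get("Reason Code", "?")
    findings = [REASON_HINTS.get(code, f"Reason code {code}: not covered here, see NPS docs")]
    if auth.get("Network Policy Name", "-") == "-":
        findings.append("No network policy name recorded: the request was rejected before a "
                        "network policy matched, so review the connection request policy and "
                        "EAP settings first")
    if auth.get("Authentication Type") == "EAP" and auth.get("EAP Type", "-") == "-":
        findings.append("EAP Type is blank: EAP negotiation never completed")
    return findings


MSG_AUTH_RE = re.compile(r"Access-Request message was received from RADIUS client (\S+) "
                         r"with a Message-Authenticator attribute that is not valid")


def check_message_authenticator(line):
    """Event 18: Message-Authenticator is an HMAC keyed with the shared secret, so an invalid
    one almost always means the secret on NPS and on the RADIUS client differ."""
    m = MSG_AUTH_RE.search(line)
    if not m:
        return None
    return f"RADIUS client {m.group(1)}: Message-Authenticator invalid, re-enter the shared secret on both sides"


def summarize(events):
    """Count (calling station MAC, reason code) pairs across many parsed events."""
    return Counter((e.get("Client Machine", {}).get("Calling Station Identifier", "?"),
                    e.get("Authentication Details", {}).get("Reason Code", "?")) for e in events)


if __name__ == "__main__":
    ev = parse_nps_event(SAMPLE_6273)
    for f in triage(ev):
        print("-", f)
    print(check_message_authenticator(SAMPLE_EVENT18))
    print(summarize([ev]))
```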
 
travisryan (author) commented:
Windows system log sez:

General
An Access-Request message was received from RADIUS client <CONTROLLER IP> with a Message-Authenticator attribute that is not valid.

Details

System
  Provider: NPS
  EventID 18 (Qualifiers 49152), Level 2, Task 0, Keywords 0x80000000000000
  TimeCreated: 2018-01-14T14:35:12.000000000Z
  EventRecordID 124529
  Channel: System
  Computer: <RADIUS SERVER.DOMAIN>com

EventData
  <CONTROLLER IP>
travisryan (author) commented:
Message on Windows 10 laptop: Can't connect to this network.

Tried both one that's been on the Cisco wireless before and one that hasn't. Same message. Oddly enough, I can't forget the networks in the settings either.
travisryan (author) commented:
I'm really hoping this isn't the case, but I found an article talking about wildcard certs causing an issue: https://community.aerohive.com/aerohive/topics/windows-clients-will-not-authenticate-to-radius

Not sure why it would've been working fine on Friday morning but, after a reboot and with no visible updates in the update history, it's not working, not even on a new server. I'm not counting anything out at this point.
Craig Beck commented:
Does your NPS policy allow Domain Computers as well as Domain Users?
travisryan (author) commented:
Network Policy Overview (screenshot: Net Pol Overview)
travisryan (author) commented:
Network Policy Settings (screenshot): Yes
travisryan (author) commented:
Connection Request policy overview (screenshot: ConReqPol_Overview.JPG)
travisryan (author) commented:
Connection Request Policy Settings (screenshot: ConReqPol_Settings.JPG)
travisryan (author) commented:
Going back over the original NPS guide ( https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html#anc10 ) and then checking the two laptops, I don't see my new wildcard wireless cert in the Trusted Root Certification Authorities folder, nor in the Third-Party Root Certification Authorities folder. But then again, on the laptop that connected to the old RADIUS server, I don't see the old cert in there either.

Separately, in my network policy conditions I don't have "Authentication Type: EAP" added, even though the guide says to. Adding and removing this at different times in the troubleshooting process didn't seem to help anything. Let me know if I'm wrong, as I am out of my depth on Windows Server issues.
travisryan (author) commented:
The connection request policy should never need to be touched. The MS guides tell you to configure a secure wireless policy but unless you are proxying its pointless.

The network request policy is where the magic happens so if your connection request policy is wrong the network policy will never be met.

Should I just delete out my connection request policy I made then?
travisryan (author) commented:
Connection Request Policy disabled; still could not connect on the laptops.
travisryan (author) commented:
After the epic amount of troubleshooting that went into this, switching to a self-signed cert worked. I'm pretty sure the wildcard cert was working before, but trying it on the new RADIUS server and back on the old one, no go. Now the self-signed cert works on both the new RADIUS and the old RADIUS server.

Thanks for all of your help Craig.
travisryan (author) commented:
Self-signed cert for the win.