RADIUS connection to Win Server 2016

Aldo Barani
I had this question after viewing RADIUS Authentication Problem in Windows Server 2016.

Same issue; I am trying to connect handheld devices for internet access.   Struggling for a week with no success.   Have gone through all the steps, installed certificate, etc.
Always receiving an Authentication problem.
I checked the event logs and could not find anything relevant, maybe I am looking in the wrong place?   Nothing RADIUS related.
Please help if you can.
Thanks.
Distinguished Expert 2018

Commented:
With the default configuration, event logs are created when NPS handles a RADIUS request, success or fail.

If you aren't seeing logs then you might not be looking closely enough. Or the default event log settings were changed. Or the radius client is not configured to point to the right server/port.

It's going to be one of those things.
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
Are you using EAP or PEAP authentication for the session on the phones? EAP requires device and user certificates for each phone and those have to be distributed.

Author

Commented:
I'm using PEAP; I have been using a 3rd party RADIUS server for years, however the plan is to migrate all domain users to the Windows based RADIUS and use the 3rd party for IoS clients and guest users; however, after struggling for 1 week with no results in sight that does not seem likely to happen.  Something is wrong, but I cannot find what since there is no log to shed some light on the authentication problem.   The 3rd party RADIUS allows flawless access to the users registered on the AD.
I have a RADIUS configured in the NPS, and also defined a Connection Request policy and a Network policy for the wireless connections.

Author

Commented:
Cliff, thanks for the suggestion.
I'm not an IT practitioner, even though I do IT work, and my knowledge is limited.
I cannot find any event related to RADIUS authentication, maybe there is none; I've never used the Event Viewer before and my queries are rejected, either for too many records or for some other reason.   But perusing through the events I cannot find anything relevant.   If you can direct me how to look for user authentication failure through the RADIUS client requests, I will do it.
Hiring some consultant is out of the question, it will take hours just to understand what's going on and I do not have a budget for that.  So I will have to fix it myself or drop it and move on.
To the best of my knowledge, all configurations are right but it won't connect.
Distinguished Expert 2018
Commented:
The security log would be where to look, and if you have a device handy, you know what time range to look in.

As for the rest, you admit your knowledge is limited (nothing wrong with that), and that is exactly the *right* time to hire a consultant.  I say this having no skin in the game. While I sometimes accept gigs via EE, I have more work than I need right now and would not be able to take on the project myself at this time. So my suggestion to grab a consultant is for you, not me.  No ulterior motives there.

One of two things is true:

1) The configuration is *very* wrong, in which case, yes, it'll take a consultant hours...but that's what is needed.
or 2) it is fairly standard and an experienced expert won't take hours. They don't need to know the intricacies of your network to fix the problem.  If things are even close to the right setup, it's a 15-30 minute affair with minimal input.  If that's too much to ask then you are probably on the right track to drop it and move on. You've probably spent more in labor than the project is worth already.

-Cliff
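
Added example, not part of any reply in this thread: a PowerShell query for the NPS entries in the Security log over a chosen time window, as suggested above. The 15-minute window and the selected columns are assumptions; the column names are the EventData field names NPS normally writes for events 6272-6274.

```powershell
# Added example. Run in an elevated PowerShell session on the NPS server,
# right after one connection attempt from a test device.
$start = (Get-Date).AddMinutes(-15)   # assumed window; adjust as needed
$end   = Get-Date

# Confirm NPS auditing is still enabled (default: Success and Failure).
auditpol /get /subcategory:"Network Policy Server"

# NPS events in the Security log:
#   6272 = access granted, 6273 = access denied, 6274 = request discarded
$filter = @{
    LogName   = 'Security'
    Id        = 6272, 6273, 6274
    StartTime = $start
    EndTime   = $end
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    # No entries at all usually means the request never reached this server:
    # check auditing above, and the server IP/port set on the RADIUS client.
    Write-Warning "No NPS events between $start and $end."
}
else {
    $events | ForEach-Object {
        # Flatten the named <Data> elements of the event into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            User       = $data['FullyQualifiedSubjectUserName']
            ClientName = $data['ClientName']        # RADIUS client as named in NPS
            ClientIP   = $data['ClientIPAddress']
            Policy     = $data['NetworkPolicyName']
            AuthType   = $data['AuthenticationType']
            ReasonCode = $data['ReasonCode']
            Reason     = $data['Reason']
        }
    } | Sort-Object Time | Format-List
}
```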

Author

Commented:
I just could not drop it... Anyway, it works now!   The configuration was fine, the certificate in the right store; by chance I discovered that when the 3rd party RADIUS server is switched off, the AD users could connect through the NPS RADIUS client; switch the external RADIUS on, and all AD users are disconnected and could not reconnect until the external RAD is off again.   However, the 3rd party RADIUS users are not affected.
The two RADIUS servers run on different computers and obviously have different IPs; they are both set up in the Cisco controller, with different secrets.   The clients connected through the 3rd party RAD are not domain users.
I can't identify the cause from the event logs.
Any ideas what could cause this condition?
Thanks.
Distinguished Expert 2018

Commented:
If the client is talking to the 3rd party radius server and that server is responding that the user doesn't exist, the client has no reason to fall back to another server. That's 100% a client configuration issue, not an NPS problem.

Author

Commented:
Makes sense, however it works just one way since the 3rd party radius takes precedence; so I will have to check the configuration.
Thanks

Author

Commented:
You were correct, it is documented by Cisco.
Thanks.
