Cisco 2504 RADIUS SSID authentication

Dear All

I hope someone can help

What I’m trying to achieve
We currently have a Cisco WLC 2504 controller running our Wi-Fi network. We have been running 2 networks (Guest & Corp) with PSK for all users to type in manually. What I would like to do now is change the Corp Wi-Fi to use the staff’s AD username and password instead of the pre-shared key to connect whatever device they use (Mobile, Tablet, Laptop). We don’t have a certificate infrastructure and we only want to use their AD username authentication.

What I have done
I’ve installed a NAP server (Windows 2012 R2) and followed the “RADIUS server for 802.1X Wireless or Wired Connections” wizard as recommended, and I’ve set up a new SSID on the WLC to use the RADIUS server. This all seems fine and when I run the “test aaa radius” command it comes back with success. All good so far!

Issue I require help with
When I try to connect a client to the Wi-Fi it fails. The logs on the controller say the authentication has failed and I don’t know why.

Below are the two entries that come up on the controller.

I get two failures when I try to connect from a laptop, one for the host and one for the user account.

AAA Authentication Failure for Client MAC: a8:08:cf:b4:a7:w5 UserName:DOMAIN\USER User Type: WLAN USER Reason: Authentication failed
AAA Authentication Failure for Client MAC: a8:08:cf:b4:a7:dw5 UserName:host/HASTNAME.domain.local User Type: WLAN USER Reason: Authentication failed

If anyone could help or guide me it would be greatly appreciated.
Kevin Turnbull, IT Manager, Asked:

mikecr Commented:
To use PEAP you need to have a certificate. You can either create a self-signed one or purchase one from some place like GoDaddy. The certificate then gets installed on the RADIUS server and also the clients who then put it in their trusted root store. You can do that automatically by using AD group policy. Using the certificate creates a tunnel to pass your AD user authentication. Without it, it won't work.
0
Kevin Turnbull, IT Manager, Author Commented:
Thanks for your reply Mikecr

I've installed certificate services on my domain controller and used that cert in PEAP. I've also added our DC cert into the trusted root within the laptop but unfortunately I'm still getting the same error.
0
mikecr Commented:
Did you configure the policies needed in NPS? Here is a step by step guide to configuring this and getting it to work.

https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html
0
Kevin Turnbull, IT Manager, Author Commented:
I've followed the link's instructions step by step but I'm still unable to connect, with the same denies in the WLC logs.


Log      System Time      Trap
0      Tue Sep 25 10:43:39 2018      AAA Authentication Failure for Client MAC: a8:02:cf:b4:c7:d9 UserName: <DOMAIN\user> User Type: WLAN USER Reason: Authentication failed
1      Tue Sep 25 10:43:34 2018      AAA Authentication Failure for Client MAC: a8:02:cf:b4:c7:d9 UserName:host/<hastname> User Type: WLAN USER Reason: Authentication failed
0
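The trap entries posted above show one client MAC rejected twice, once as a computer identity (`host/...`) and once as a user identity. The following is an added example, not part of the original thread, that parses traps in this layout and lists clients for which both identities were rejected close together; the sample lines, account names and the 60-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the trap-log layout shown in the thread (index, time, message).
SAMPLE = """\
0\tTue Sep 25 10:43:39 2018\tAAA Authentication Failure for Client MAC: a8:02:cf:b4:c7:d9 UserName: EXAMPLE\\jdoe User Type: WLAN USER Reason: Authentication failed
1\tTue Sep 25 10:43:34 2018\tAAA Authentication Failure for Client MAC: a8:02:cf:b4:c7:d9 UserName:host/LAPTOP01.example.local User Type: WLAN USER Reason: Authentication failed
2\tTue Sep 25 10:40:02 2018\tAAA Authentication Failure for Client MAC: 00:11:22:33:44:55 UserName: EXAMPLE\\asmith User Type: WLAN USER Reason: Authentication failed
AAA Authentication Failure for Client MAC: a8:08:cf:b4:a7:w5 UserName:EXAMPLE\\jdoe User Type: WLAN USER Reason: Authentication failed
"""

TRAP = re.compile(
    r"(?:(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\s+)?"  # timestamp is optional
    r"AAA Authentication Failure for Client MAC: (?P<mac>\S+)\s+"
    r"UserName:\s*(?P<user>.+?)\s+User Type: .+?\s+Reason: (?P<reason>.+)$"
)
HEX_MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

def parse_traps(text):
    """Yield one dict per AAA failure trap; lines in any other format are skipped."""
    for line in text.splitlines():
        m = TRAP.search(line)
        if not m:
            continue
        user = m["user"].strip("<>")  # tolerate <placeholder> redaction
        yield {
            "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y") if m["ts"] else None,
            "mac": m["mac"].lower(),
            "mac_valid": bool(HEX_MAC.fullmatch(m["mac"])),  # redacted MACs fail this
            "identity": user,
            # Windows supplicants present computer accounts as host/<name>.
            "kind": "machine" if user.lower().startswith("host/") else "user",
            "reason": m["reason"].strip(),
        }

def clients_failing_both(text, window_s=60):
    """MACs whose machine and user identities were both rejected within window_s seconds."""
    seen = defaultdict(lambda: defaultdict(list))
    for ev in parse_traps(text):
        if ev["time"] is not None:  # untimed entries cannot be correlated
            seen[ev["mac"]][ev["kind"]].append(ev["time"])
    return sorted(
        mac for mac, kinds in seen.items()
        if any(abs((u - h).total_seconds()) <= window_s
               for u in kinds["user"] for h in kinds["machine"])
    )

if __name__ == "__main__":
    print(clients_failing_both(SAMPLE))
```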
mikecr Commented:
Can you post the certificate that you're using so that we can see how it's configured?
0
Kevin Turnbull, IT Manager, Author Commented:
Unfortunately I won't be able to do that but I could post specifics about the cert. Is there anything specific you are looking for?
0
mikecr Commented:
On the configuration of the wireless policy, you chose the certificate that you created? On the client side did you put that same certificate into the Trusted root certificate store?
0
Kevin Turnbull, IT Manager, Author Commented:
Yes, I've used the same cert for both.
0
mikecr Commented:
Can you post the RADIUS log and highlight the account in question? Are you authenticating just the user account or the computer account as well?
0
Kevin Turnbull, IT Manager, Author Commented:
Hi Mikecr

I recreated everything in my test lab and it worked correctly. After investigating a bit further I found there was an issue with my RADIUS server. Reinstalled my RADIUS server and everything started working.

Thanks for all your help and guidance, I really appreciate it!
0
mikecr Commented:
No problem, please stop back if we can help you further!
0