David Roberts

RADIUS Clients Not Connecting

I came in this morning and noticed my DC was lagging behind on time. Not a big deal; I changed the time, ran a gpupdate /force on all my servers and told the staff to reboot to get the correct time (not many people there early in the morning so only a few folks with the issue). As more people arrived in the office around an hour later, I received reports of people not able to access the Enterprise Wi-Fi (RADIUS server using Windows NPS). I rebooted the single Wireless AP covering the whole office and the Domain Controller (only one in the building; trust me, I've tried fighting the battle to get a second DC installed to no avail). I can't seem to make heads or tails of RADIUS logs, but when connecting to the Wi-Fi, Windows 10 (client machine) spits back "Can't Connect to this Network." I've not been able to find any logs locally or on the server that are of much benefit. I've reset the shared secret between the DC and the Wireless AP to no avail. Any guidance would be greatly appreciated. Below is a grab from the logs; I've altered my actual domain name to read DOMAIN and my Domain Controller's actual name to read DC for security.

<Event>
  <Timestamp data_type="4">07/01/2019 09:02:41.420</Timestamp>
  <Computer-Name data_type="1">DC</Computer-Name>
  <Event-Source data_type="1">IAS</Event-Source>
  <User-Name data_type="1">DOMAIN\droberts</User-Name>
  <NAS-IP-Address data_type="3">127.0.0.1</NAS-IP-Address>
  <NAS-Port data_type="0">0</NAS-Port>
  <Called-Station-Id data_type="1">BA-F8-A3-25-F6-F9:Core</Called-Station-Id>
  <Calling-Station-Id data_type="1">B4-6B-FC-35-92-D3</Calling-Station-Id>
  <Framed-MTU data_type="0">1400</Framed-MTU>
  <NAS-Port-Type data_type="0">19</NAS-Port-Type>
  <Connect-Info data_type="1">CONNECT 0Mbps 802.11b</Connect-Info>
  <Client-IP-Address data_type="3">10.68.0.3</Client-IP-Address>
  <Client-Vendor data_type="0">0</Client-Vendor>
  <Client-Friendly-Name data_type="1">NAP203</Client-Friendly-Name>
  <Proxy-Policy-Name data_type="1">Domain Wireless</Proxy-Policy-Name>
  <Provider-Type data_type="0">1</Provider-Type>
  <SAM-Account-Name data_type="1">DOMAIN\droberts</SAM-Account-Name>
  <Fully-Qualifed-User-Name data_type="1">DOMAIN\droberts</Fully-Qualifed-User-Name>
  <Class data_type="1">311 1 10.68.0.26 06/12/2019 00:55:35 6566</Class>
  <Authentication-Type data_type="0">5</Authentication-Type>
  <NP-Policy-Name data_type="1">Domain Wireless</NP-Policy-Name>
  <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
  <Packet-Type data_type="0">1</Packet-Type>
  <Reason-Code data_type="0">0</Reason-Code>
</Event>


Jakob Digranes

You should have easier logs in Event Viewer > Custom Views > Server Roles > Network Policy Server. But the reason code 0 usually means Internal Server Error = something went wrong.

I'd try to reassign the certificate in Network Policies, or possibly request and assign a new certificate. But the first trick is easiest to test first.
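The NPS log quoted in the question is written in the "IAS" XML format, one <Event> per line, and the two fields that matter for a failed logon are Packet-Type (is this the request, or the Accept/Reject NPS sent back?) and Reason-Code (why). The following is an added example, not code from the question, the answers or Microsoft: a small Python parser that decodes those two fields with the values Microsoft documents, lists every Access-Reject with its reason, and flags Access-Requests that never received an Accept or Reject, which is the pattern to look for when NPS is failing internally rather than making a policy decision. The first sample record is condensed from the question; the other four are constructed here (users jdoe and asmith and their station MACs are invented). Pairing an answer to its request by User-Name is an assumption about which fields the answer records carry.

```python
import xml.etree.ElementTree as ET

# RADIUS Packet-Type values (RFC 2865/2866) as NPS writes them to the log.
PACKET_TYPES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
}

# A handful of NPS Reason-Code values (the same codes event 6273 reports);
# the full list is in Microsoft's NPS documentation. 0 is what a logged
# Access-Request normally carries: nothing has gone wrong yet at that point.
REASON_CODES = {
    0: "Success",
    1: "Internal error",
    8: "The specified user account does not exist",
    16: "Authentication failed due to a user credentials mismatch",
    48: "The connection request did not match any configured network policy",
    49: "The connection request did not match any configured connection request policy",
    65: "The user's dial-in properties deny access",
    66: "The authentication method is not enabled on the matching network policy",
}

# Constructed sample in the NPS XML ("IAS") log format: one <Event> per line.
# Record 1 is condensed from the Access-Request quoted in the question; records
# 2-5 are constructed (jdoe, asmith and their MACs are invented) to show an
# Access-Reject, an Access-Accept, and a request that NPS never answered.
SAMPLE_LOG = r"""
<Event><Timestamp data_type="4">07/01/2019 09:02:41.420</Timestamp><Computer-Name data_type="1">DC</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">DOMAIN\droberts</User-Name><Calling-Station-Id data_type="1">B4-6B-FC-35-92-D3</Calling-Station-Id><Client-Friendly-Name data_type="1">NAP203</Client-Friendly-Name><NP-Policy-Name data_type="1">Domain Wireless</NP-Policy-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">07/01/2019 09:02:41.451</Timestamp><Computer-Name data_type="1">DC</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">DOMAIN\droberts</User-Name><Client-Friendly-Name data_type="1">NAP203</Client-Friendly-Name><NP-Policy-Name data_type="1">Domain Wireless</NP-Policy-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">07/01/2019 09:03:10.100</Timestamp><Computer-Name data_type="1">DC</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">DOMAIN\jdoe</User-Name><Calling-Station-Id data_type="1">00-11-22-33-44-55</Calling-Station-Id><Client-Friendly-Name data_type="1">NAP203</Client-Friendly-Name><NP-Policy-Name data_type="1">Domain Wireless</NP-Policy-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">07/01/2019 09:03:10.140</Timestamp><Computer-Name data_type="1">DC</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">DOMAIN\jdoe</User-Name><Client-Friendly-Name data_type="1">NAP203</Client-Friendly-Name><NP-Policy-Name data_type="1">Domain Wireless</NP-Policy-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">07/01/2019 09:03:15.200</Timestamp><Computer-Name data_type="1">DC</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">DOMAIN\asmith</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-DD-EE-FF</Calling-Station-Id><Client-Friendly-Name data_type="1">NAP203</Client-Friendly-Name><NP-Policy-Name data_type="1">Domain Wireless</NP-Policy-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
"""


def parse_nps_log(text):
    """Parse NPS XML log text (one <Event> per line) into a list of dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("<Event>"):
            continue  # blank lines or anything that is not a record
        root = ET.fromstring(line)
        fields = {child.tag: (child.text or "") for child in root}
        # The two integer fields this analysis needs; default 0 if absent.
        for key in ("Packet-Type", "Reason-Code"):
            fields[key] = int(fields.get(key, "0"))
        events.append(fields)
    return events


def describe(event):
    """One readable line per record: time, user, packet type, decoded reason."""
    ptype = PACKET_TYPES.get(event["Packet-Type"], f"Packet-Type {event['Packet-Type']}")
    reason = REASON_CODES.get(event["Reason-Code"], f"Reason-Code {event['Reason-Code']}")
    return f"{event.get('Timestamp', '?')} {event.get('User-Name', '?')} {ptype}: {reason}"


def rejections(events):
    """(user, decoded reason) for every Access-Reject: the lines that explain a failed logon."""
    out = []
    for e in events:
        if e["Packet-Type"] == 3:
            reason = REASON_CODES.get(e["Reason-Code"], f"Reason-Code {e['Reason-Code']}")
            out.append((e.get("User-Name"), reason))
    return out


def unanswered_requests(events):
    """Access-Requests with no later Accept/Reject for the same User-Name.

    Assumption: answer records carry User-Name, so a request is paired with
    the next answer for that user. A request that is never answered points
    at NPS not producing a reply (for example an internal failure), which is
    a different problem from a policy reject and needs the service-side logs.
    """
    pending = {}
    for e in events:
        user = e.get("User-Name")
        if e["Packet-Type"] == 1:
            pending[user] = e
        elif e["Packet-Type"] in (2, 3):
            pending.pop(user, None)
    return list(pending.values())


EVENTS = parse_nps_log(SAMPLE_LOG)

if __name__ == "__main__":
    for e in EVENTS:
        print(describe(e))
    print("rejections:", rejections(EVENTS))
    print("unanswered:", [e["User-Name"] for e in unanswered_requests(EVENTS)])
```

Run against a real log by replacing SAMPLE_LOG with the file contents; a request with Reason-Code 0 followed by no Access-Reject in the same log is the case where the Event Viewer NPS view (events 6272/6273 and the service's own errors) rather than the accounting log is the place to look.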
David Roberts

ASKER

Jakob - Can you please send instructions on how to request and assign a new certificate? I reassigned the certificate to no avail. Thanks!
Follow-up note: when I go to Event Viewer > Custom Views > Server Roles > Network Policy and Access Services, the only logs I have are for event ID 4400; no other logs regarding errors connecting.
When attempting to connect from a client I get the following error:

Wireless 802.1x authentication failed.

Network Adapter: Killer Wireless-n/a/ac 1535 Wireless Network Adapter
Interface GUID: {1ede0530-7020-4d53-8ba3-724ddea43d8c}
Local MAC Address: 9C:B6:D0:1F:E3:51
Network SSID: COMPANY WIFI
BSS Type: Infrastructure
Peer MAC Address: BA:F8:A3:25:F6:F9
Identity: domain\droberts
User: David
Domain: LOCAL-MACHINE
Reason: Explicit Eap failure received
Error: 0x40420110
EAP Reason: 0x40420110
EAP Root cause String: Network authentication failed due to a problem with the user account

EAP Error: 0x40420110

This would indicate that the user is not allowed to use the Wireless; however, I've verified the user is a part of the Wireless Security Group in AD. Additionally, after that error, I get a follow-up error.

Wireless security failed.

Network Adapter: Killer Wireless-n/a/ac 1535 Wireless Network Adapter
Interface GUID: {1ede0530-7020-4d53-8ba3-724ddea43d8c}
Local MAC Address: 9C:B6:D0:1F:E3:51
Network SSID: COMPANY WIFI
BSS Type: Infrastructure
Peer MAC Address: BA:F8:A3:25:F6:F9
Reason: Explicit Eap failure received
Error: 0x40420110

Then I get this log.

Wireless security stopped.

Network Adapter: Killer Wireless-n/a/ac 1535 Wireless Network Adapter
Interface GUID: {1ede0530-7020-4d53-8ba3-724ddea43d8c}
Local MAC Address: 9C:B6:D0:1F:E3:51
Network SSID: COMPANY WIFI
BSS Type: Infrastructure
Security Hint: The operation was successful.

Then I get this final error.

WLAN AutoConfig service failed to connect to a wireless network.

Network Adapter: Killer Wireless-n/a/ac 1535 Wireless Network Adapter
Interface GUID: {1ede0530-7020-4d53-8ba3-724ddea43d8c}
Connection Mode: Connection to a secure network without a profile
Profile Name: COMPANY WIFI
SSID: COMPANY WIFI
BSS Type: Infrastructure
Failure Reason:The specific network is not available.
RSSI: -60

Any help anyone could give me would be greatly appreciated. I've renewed the cert on my local CA and reapplied it in the Network Policy, but it doesn't seem to have done anything.

Jakob Digranes

Try to re-enable logging on the NPS server (run CMD as administrator):
auditpol /set /subcategory:"Network Policy Server" /success:disable /failure:disable
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

Restart the NPS service.

New certificate:
Start > Run > MMC; add the Certificates snap-in for My Computer (the computer account).
Go to Certificates > Personal, right-click and choose SUBMIT NEW REQUEST. Choose the RAS/IAS template and go through the wizard. If the only option is a Server or Computer template, you can choose these instead. No problem.

Then reassign it in NPS Server.
ASKER CERTIFIED SOLUTION
David Roberts
Jakob Digranes

Glad you had it fixed; I told you that you had to verify the cert in NPS. And as for TLS communication: as soon as the time is +5 minutes askew, all TLS-secured communication is broken.
Time in AD is essential :-)