topic AiroNet 1140 Authentication Issues Windows Server 2008 NPS in Wireless

AiroNet 1140 Authentication Issues Windows Server 2008 NPS

puntgorda — Sun, 04 Jul 2021 04:31:52 GMT

Hello,

We have an AiroNet 1140 AP that we are trying to configure RADIUS authentication. Our RADIUS server is a Microsoft Windows Server 2008 NPS server. Unfortunately, our Wi-Fi clients are unable to authenticate. We appear to have everything configured on the AP and RADIUS server correctly, but we receive the following errors from the debug on the AP. Doug

*Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL

*Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response;

FAIL

*Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL

*Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response;

FAIL

AiroNet 1140 Authentication Issues Windows Server 2008 NPS

Stephen Rodriguez — Tue, 07 Feb 2012 20:00:20 GMT

that tells me that the NPS is either ignoring the request, or not receiving it. In the NPS, you defined the AP as a NAS/Client?

Can you post the config from the AP. I'd also like to see the NPS config.

Steve

AiroNet 1140 Authentication Issues Windows Server 2008 NPS

puntgorda — Wed, 08 Feb 2012 19:05:35 GMT

Hi Steve, Here is the config for the AP. Some screenshots of the NPS config are below, too. Please let me know if you need more information from our NPS server. Thanks, Doug

ap#sh run
Building configuration...

Current configuration : 2971 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
logging rate-limit console 9
enable secret 5 $1$1IPZ$WkdzqdeeGvEPvQLCHfGXU.
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.20.2.96 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
server 10.20.2.96 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid wifi
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
!
!
!
username pg_ap privilege 15 secret 5 $1$rg0/$hTYIn.lysNUfxhzxqXonl/
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid wifi
!
antenna gain 0
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7.
m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid wifi
!
antenna gain 0
dfs band 3 block
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11
. m12. m13. m14. m15.
channel dfs
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.40.0.200 255.255.0.0
no ip route-cache
!
ip default-gateway 10.40.0.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
no authentication mac
nas 10.20.2.96 key 7 003555402B5F012F3D007B16062C46430759550B3A232F7E0A1636472C01402573
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.20.2.96 auth-port 1645 acct-port 1646 key 7 08100A08261D0F3E202A3B5C251E677C26
677B1C171E08576F7A4C077F19403C337F0C7C7D035B172550305F756934172E327A1B13250C154D4C3F1319305C3514
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

ap#

AiroNet 1140 Authentication Issues Windows Server 2008 NPS

daviwatk — Wed, 08 Feb 2012 19:31:10 GMT

Hello,

Do you have any logs at the NPS server itself? Attempt to authenticate again and then immediately open your 2008 server manager and navigate to...

Diagnostics > Event Viewer > Custome Views > Server Roles > Network Policy and Access Services

and

Diagnostics > Event Viewer > Windows Logs > Security

Do you see any relevant entries for NPS as to why this request was rejected or client not authenticated?

I see the AP is also configured as a local radius server. This "should" not be a problem since your eap_methods is calling your rad_eap group, which is pointing back to NPS, however you might remove it for the sake of cleanliness of the config.

radius-server local

no authentication mac

nas 10.20.2.96 key 7 003555402B5F012F3D007B16062C46430759550B3A232F7E0A1636472C01402573

Lastly, on your NPS config, you may consider removing any "EAP Types" from the "settings" of the "Connection Request Policy" and only include them in the "constraints" of the actual "Network Policy"

Remove local radius config, connect a client, and post relevant NPS logs from event viewer.

AiroNet 1140 Authentication Issues Windows Server 2008 NPS

puntgorda — Wed, 08 Feb 2012 20:29:00 GMT

Hi David,

Here is an event in the NPS log. Doug

Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

AiroNet 1140 Authentication Issues Windows Server 2008 NPS

daviwatk — Wed, 08 Feb 2012 21:07:10 GMT

So, since you are using PEAP on the server; make sure your client is configured as such (not smart card/etc)

MS further descrbes EAP Reason Code: 22 as...

Network Policy Server was unable to negotiate the use of an Extensible Authentication Protocol (EAP) type with the client computer

Did you remove the EAP types from the "connection request policy" and only use them in the conditions of the "network" policy?

AiroNet 1140 Authentication Issues Windows Server 2008 NPS

puntgorda — Fri, 10 Feb 2012 13:33:51 GMT

Hello,

It turned out the issue was with the certificate on the NPS server. I replaced it and all is well. Thank you, Doug