topic Re: 802.1X EAP failure with Windows AD Radius - Help! in Wireless

802.1X EAP failure with Windows AD Radius - Help!

ElectroDan — Thu, 15 Nov 2018 14:29:24 GMT

Okay so I've spent several DAYS on this and seem to be getting nowhere 😕 I'm starting to get fairly frustrated having followed numerous guides exactly.

I used this to setup the Meraki side:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise

This is the latest guide I followed:

http://www.cracknells.co.uk/servers-side/configuring-radius-authentication-for-a-wireless-network-802-1x-eap/

No matter what I try though, I can't get my phone or laptop to connect, nor get the Test function to succeed from the SSID > Radius Servers section.

When I click Test, I get:
Total APs: 14
APs failed: 14

I have Accounting enabled on the Windows Server (which is now a DC running Server 2016. I had been running 2012 R2 but decided to wipe it and install 2016 afresh as though maybe RADIUS worked better!). The NPS Account log shows this when I click the Test button:

<Event><Timestamp data_type="4">11/15/2018 14:15:21.607</Timestamp><Computer-Name data_type="1">MY-DC03</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.33.102.23 11/15/2018 13:06:56 231</Class><Client-IP-Address data_type="3">10.32.108.21</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Meraki - AP1</Client-Friendly-Name><Session-Timeout data_type="0">30</Session-Timeout><Proxy-Policy-Name data_type="1">Meraki Staff Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">MYDOMAIN\JohnDoe</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">MYDOMAIN\JohnDoe</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">Meraki Staff Secure Wireless Connections</NP-Policy-Name><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

I get pretty much the same error logged when trying to connect from my laptop. I also see this in the Meraki event log:

Nov 15 14:24:57	Purchasing	Radius_Test	ITSPARE01	802.11 association	channel: 40, rssi: 29
Nov 15 14:24:57	Purchasing	Radius_Test	ITSPARE01	802.11 disassociation	unknown reason
Nov 15 14:24:57	Purchasing	Radius_Test	ITSPARE01	802.1X deauthentication	radio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C more »
Nov 15 14:24:48	Purchasing	Radius_Test	ITSPARE01	802.1X deauthentication	radio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C more »
Nov 15 14:24:48	Purchasing	Radius_Test	ITSPARE01	802.11 association	channel: 40, rssi: 28
Nov 15 14:24:47	Purchasing	Radius_Test	ITSPARE01	802.11 disassociation	unspecified reason
Nov 15 14:24:47	Purchasing	Radius_Test	ITSPARE01	802.1X deauthentication	radio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C more »
Nov 15 14:24:47	Purchasing	Radius_Test	ITSPARE01	802.1X EAP failure	radio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C more »
Nov 15 14:24:47	Purchasing	Radius_Test	ITSPARE01	802.1X deauthentication	radio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C more »
Nov 15 14:24:47	Purchasing	Radius_Test	ITSPARE01	802.11 association	channel: 40, rssi: 29

Any ideas?

Re: 802.1X EAP failure with Windows AD Radius - Help!

kYutobi — Thu, 15 Nov 2018 14:47:02 GMT

Hello Dan,

Did you add the AP's to the RADIUS clients? They need to be added so that RADIUS can work.

Re: 802.1X EAP failure with Windows AD Radius - Help!

ElectroDan — Thu, 15 Nov 2018 14:55:14 GMT

Yes, all of my Meraki AP's were added with their IP addresses. I created a Shared Secret template first, which I applied to all APs when adding them as RADIUS Clients.

Re: 802.1X EAP failure with Windows AD Radius - Help!

kYutobi — Thu, 15 Nov 2018 15:14:01 GMT

Does NPS server have a certificate installed & configured in the NPS policy? I'm just making sure I get all the common denominators as I ask you this by the way.

Re: 802.1X EAP failure with Windows AD Radius - Help!

Nolan Herring — Thu, 15 Nov 2018 15:19:26 GMT

Assuming then your access points have static IP addresses? I find its easier to simply add the /24 the AP's sit on. Also assuming the access points can reach the NPS server? Pings work etc.

Re: 802.1X EAP failure with Windows AD Radius - Help!

ElectroDan — Thu, 15 Nov 2018 15:21:25 GMT

All AP's are set to DHCP but have a reservation set on the DHCP server. NPS server can ping all AP's no problem.

Re: 802.1X EAP failure with Windows AD Radius - Help!

ElectroDan — Thu, 15 Nov 2018 15:24:42 GMT

Yes, I have a certificate selected in NPS > Network Policies > My Meraki Policy > Constraints > Auth Methods > Microsoft PEAP > (Edit), issued by the server I installed the CA role on. I suspect it could be failing to do with this? I think at some point I created a Group Policy to deploy that certificate to client PC's, perhaps something is amiss with that but I can't seem to get enough info from any logs.

Re: 802.1X EAP failure with Windows AD Radius - Help!

kYutobi — Thu, 15 Nov 2018 15:32:13 GMT

Check on this thread please and see if the problem might be there:

https://community.meraki.com/t5/Wireless-LAN/authentication-fails-in-windows-7-with-802-1X-with-Meraki-RADIUS/m-p/11730#M1966

Re: 802.1X EAP failure with Windows AD Radius - Help!

ElectroDan — Thu, 15 Nov 2018 17:10:34 GMT

Thanks, I did come across that thread previously (with all the Spanish screenshots!) but I think I need to get the Test button working from the Meraki dashboard > Access Control for SSID first, before I then troubleshoot client PC's, would you agree?

Re: 802.1X EAP failure with Windows AD Radius - Help!

Nolan Herring — Thu, 15 Nov 2018 17:13:01 GMT

I'm torn because I've seen instances where the AP fails that test, but radius still works. So at this point I would say try it and ignore those test results and see what happens.

Re: 802.1X EAP failure with Windows AD Radius - Help!

ElectroDan — Thu, 15 Nov 2018 17:16:04 GMT

Okay I'll give it a go. Our clients are all Windows 10. At the moment when I try to connect to the Radius SSID it prompts me for credentials, with a tickbox to 'use my Windows user account', which if I tick fills in the boxes with my AD credentials. It check network requirements after clicking OK, but the credentials prompt just comes back again.

Re: 802.1X EAP failure with Windows AD Radius - Help!

Philip D'Ath — Thu, 15 Nov 2018 20:13:56 GMT

Does anything appear for NPS in the Windows Security Event log on the NPS server. It will usually say why the request has been denied.

Re: 802.1X EAP failure with Windows AD Radius - Help!

aekinaka_red — Tue, 20 Nov 2018 21:06:00 GMT

ElectroDan-

Interesting to read your post, i'm in pretty much the same boat. So I can sympathize with your struggles, I'm dealing with almost the same thing. One thing I wanted to mention is to be sure that your NPS Network Policy is configured per the Meraki Documentation for 802.1X authentication (in addition to having your RADIUS Clients portion configured) since I found it needed both in order to test from the Meraki Dashboard. Check the following:

- The right certificate is selected under the NPS Policy > Constraints Tab > Microsoft: Protected EAP (PEAP) options > Edit Protected PEAP Properties

- The "Conditions" allow the proper AD user groups to authenticate ex: DOMAIN\Domain Users

So, i've gone through much of what you've already outlined and get the same interesting behavior. Macs and Apple IOS devices can successfully authenticate against AD using RADIUS, but only after they "Trust" the AD CS certificate used on our Domain.

Our workstation environment consists of almost exclusively Windows 10 PC's and they all seem to do the same thing when a user tries to connect to wifi in the building:

1) Get prompted to authenticate (check "use my windows user account" or manually type in AD creds)

2) Windows prompts about the certificate. The thumbprint matches a cert issued by a trusted AD intermediate CA, user accepts

3) Immediately get a prompt "Can't connect to this network"

NPS doesn't give any useful output, and I know its validating accounts since iPhones and Mac OSX computers are able to get onto the wireless network.

There are never any reject or denied message in NPS logging (see below)

Network Policy Server granted access to a user.
User:
Security ID: DOMAIN\user.name
Account Name: user.name
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\user.name
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: E2-CB-AC-B5-5B-0A:SSID NAME
Calling Station Identifier: 80-B0-3D-7F-EA-EA
NAS:
NAS IPv4 Address: 10.2.X.X
NAS IPv6 Address: -
NAS Identifier: 0bb3dca34b449637d61c5e0a6f2590af2dc7d2e9eff19b8a
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: Meraki APs
Client IP Address: 10.2.X.X
Authentication Details:
Connection Request Policy Name: Meraki
Network Policy Name: Meraki
Authentication Provider: Windows
Authentication Server: DOMAINDC01.domain.local
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: 46353632394546364635453539383730
Logging Results: Accounting information was written to the local log file.

I'm at a loss. I think this is a certificate issue on the windows end stations, but i am not sure how to fix this. I'd like to avoid having to push out a GPO to get this going. We have a large traveling workforce that doesn't always get GPO updates in a timely manner because they are off the domain most of the time.

UPDATE:

I was able to get this resolved / working. Make sure that Wireless > Access Control > 802.11r is set to "Adaptive" (not Enabled). I think at one point we had turned this on. The tooltip description of what 802.11r made me think it only applied to old systems, not the Windows 10 computers we were having problems with.

802.11r technology reduces overhead when a client roams from one AP to another, delivering a more seamless transition. "Enabled" will activate 802.11r for devices that support it, though some legacy clients may not be able to join the network. "Adaptive" enables a custom version of 802.11r just for Apple iOS devices. Very few devices will have compatibility challenges with the "Adaptive" mode.

The description is misleading in that I didn't think it applied to our Windows 10 systems since they're not really legacy devices, yet. 😉

Re: 802.1X EAP failure with Windows AD Radius - Help!

ElectroDan — Thu, 22 Nov 2018 10:49:23 GMT

I've had a go at that, however the link for rootsupd.exe is dead. I'll need to find an alternative.

Re: 802.1X EAP failure with Windows AD Radius - Help!

ElectroDan — Thu, 22 Nov 2018 11:04:57 GMT

Okay so the Security Event Log shows this on the NPS server. I'm guessing it's trying to authenticate the computer rather than the user?:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: MYDOMAIN\ITSPARE01$
Account Name: host/ITSPARE01.mydomain.local
Account Domain: MYDOMAIN
Fully Qualified Account Name: mydomain.local/Mydomain/UK/Computers/ITSPARE01

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 9A-15-54-AB-52-67:Radius_Test
Calling Station Identifier: 84-3A-4B-56-F4-5C

NAS:
NAS IPv4 Address: 10.32.108.26
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: -

RADIUS Client:
Client Friendly Name: Meraki - Purchasing
Client IP Address: 10.32.108.26

Authentication Details:
Connection Request Policy Name: Meraki Staff Secure Wireless Connections
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: DC03.mydomain.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: 33364144324231353946353331303231
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

Re: 802.1X EAP failure with Windows AD Radius - Help!

ElectroDan — Thu, 22 Nov 2018 11:06:51 GMT

I was really hopeful with your suggestion on 802.11r, however I don't seem to have an 802.11r section in my dashboard! Searching for it just takes me to the Access Control page but the nearest thing to that on the page is 802.11w.

Re: 802.1X EAP failure with Windows AD Radius - Help!

ElectroDan — Thu, 22 Nov 2018 12:23:17 GMT

Okay, so working through the Event Viewer Security log, seems my user account is blocked from dial-in in my AD user properties. I don't recall this being mention in ANY of the guides I've read?!

I've opened my AD user properties, navigated to the Dial-in tab, changed Network Access Permission to 'Control access through NPS Network Policy', then rebooted my laptop but no joy. I then changed it to 'Allow access' but still no joy. I made these changes on my local domain controller, but I'll try again in an hour or so in case it's referring to another DC for some reason.

Re: 802.1X EAP failure with Windows AD Radius - Help!

ElectroDan — Thu, 22 Nov 2018 14:29:36 GMT

Have gotten a bit further.

With my user profile in AD set to 'Allow access' under the Dial-in tab, and the computer account having always been set to 'Control access through NPS Network Policy', I now see in Event Viewer on the NPS server:

Network Policy Server denied access to a user.

Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

Re: 802.1X EAP failure with Windows AD Radius - Help!

ElectroDan — Thu, 22 Nov 2018 14:52:58 GMT

I've now found out that if I remove the Machine Group from NPS > Policies > Network Policies > MyPolicy > Conditions, I don't get anything logged in the Security Event Log.

Once I add that back in, I see log entries again.

Still failing though with:

Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

Re: 802.1X EAP failure with Windows AD Radius - Help!

aekinaka_red — Thu, 22 Nov 2018 17:41:15 GMT

Strange that there is no 802.11r options in your Dashboard. I'm not sure how Meraki includes / excludes features (AP type? Licensing?). Like I said, this was the fix for us.

I'm looking at your NPS logs and its definitely trying to authenticate a computer account (as opposed to a user security group), is this by design? You will need to have a matching NPS policy which allows the AD computer group(s) under NPS > Policies > Network Policies > (policy name) > Properties > "Conditions" Tab.

I didn't realize that you can have Dial-in properties on computer accounts too. I suspect that this is also set to "Control access through NPS Network Policy".

It may be necessary to create a GPO as outlined here: https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise#(Optional)_Deploy_a_PEAP_Wireless_Profile_using_Group_Policy

In order for these machine accounts to manually trust your Active Directory root and intermediate CAs and boot up with the correct wireless profile with SSID configured, etc.

Are you applying a GPO like this to the OU that contains the computer accounts that are trying to connect?