Vinay Sharma

Introduction

A user is trying to configure an autonomous AP with EAP authentication. The AP is a 1600 running software version 15.2(2)JB2, and the RADIUS server is NPS on Windows 2008 R2.

When the client tries to authenticate, I get the following error on the AP:

Error

Jun 12 11:39:13.945: RADIUS:  AAA Unsupported Attr: ssid              [347] 2   
Jun 12 11:39:13.945: RADIUS:  AAA Unsupported Attr: service-type      [345] 4   1
Jun 12 11:39:13.945: RADIUS:  AAA Unsupported Attr: interface         [222] 3  

Debugs

Jun 12 11:39:13.945: RADIUS/ENCODE(00000062):Orig. component type = DOT11
Jun 12 11:39:13.945: RADIUS:  AAA Unsupported Attr: ssid              [347] 2   
Jun 12 11:39:13.945: RADIUS:  AAA Unsupported Attr: service-type      [345] 4   1
Jun 12 11:39:13.945: RADIUS:  AAA Unsupported Attr: interface         [222] 3   

Jun 12 11:39:13.945: RADIUS:   32                 [ 2]
Jun 12 11:39:13.945: RADIUS(00000062): Config NAS IP: 172.16.254.116
Jun 12 11:39:13.945: RADIUS(00000062): Config NAS IPv6:
Jun 12 11:39:13.945: RADIUS/ENCODE(00000062): acct_session_id: 87
Jun 12 11:39:13.945: RADIUS(00000062): Config NAS IP: 172.16.254.116
Jun 12 11:39:13.945: RADIUS(00000062): sending
Jun 12 11:39:13.945: RADIUS(00000062): Send Access-Request to 172.16.0.32:1812 id 1645/16, len 176
Jun 12 11:39:13.945: RADIUS:  authenticator 22 42 80 A5 A5 A3 1B 9C - 3C 79 68 45 58 6E BF 0D
Jun 12 11:39:13.945: RADIUS:  User-Name           [1]   28  "host/WM-WSUS-998.empresa.local"
Jun 12 11:39:13.945: RADIUS:  Framed-MTU          [12]  6   1400                      
Jun 12 11:39:13.945: RADIUS:  Called-Station-Id   [30]  22  "2C-3E-CF-0B-BF-60:1A"
Jun 12 11:39:13.945: RADIUS:  Calling-Station-Id  [31]  16  "001e.58a2.ba4b"
Jun 12 11:39:13.945: RADIUS:  Service-Type        [6]   6   Login                     [1]
Jun 12 11:39:13.945: RADIUS:  Message-Authenticato[80]  18  
Jun 12 11:39:13.945: RADIUS:   FF FB F9 0F BB 98 02 E3 19 71 EC DF 94 D6 13 A6                 [ q]
Jun 12 11:39:13.945: RADIUS:  EAP-Message         [79]  33  
Jun 12 11:39:13.945: RADIUS:   02 02 00 1F 01 68 6F 73 74 2F 57 4D 2D 57 53 55 53 2D 39 39 38  [host/WM-WSUS-998]
Jun 12 11:39:13.945: RADIUS:   2E 63 62 61 2E 6C 6F 63 61 6C        [ .empresa.local]
Jun 12 11:39:13.945: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
Jun 12 11:39:13.945: RADIUS:  NAS-Port            [5]   6   277                       
Jun 12 11:39:13.945: RADIUS:  NAS-Port-Id         [87]  5   "277"
Jun 12 11:39:13.945: RADIUS:  NAS-IP-Address      [4]   6   172.16.254.116            
Jun 12 11:39:13.945: RADIUS:  Nas-Identifier      [32]  4   "ap"
Jun 12 11:39:13.945: RADIUS(00000062): Sending a IPv4 Radius Packet
Jun 12 11:39:13.945: RADIUS(00000062): Started 5 sec timeout
Jun 12 11:39:13.949: RADIUS: Received from id 1645/16 172.16.0.32:1812, Access-Reject, len 44
Jun 12 11:39:13.949: RADIUS:  authenticator 7E 87 33 D9 2C 29 15 87 - 54 75 9A A2 A2 3E 63 08
Jun 12 11:39:13.949: RADIUS:  EAP-Message         [79]  6   
Jun 12 11:39:13.949: RADIUS:   04 02 00 04
Jun 12 11:39:13.949: RADIUS:  Message-Authenticato[80]  18  
Jun 12 11:39:13.949: RADIUS:   89 B3 79 93 B1 C5 2B 9D 43 A2 65 AE 9C 04 91 A4              [ y+Ce]
Jun 12 11:39:13.953: RADIUS(00000062): Received from id 1645/16
Jun 12 11:39:13.953: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Jun 12 11:39:13.953: %DOT11-7-AUTH_FAILED: Station 001e.58a2.ba4b Authentication failed
Jun 12 11:39:14.973: RADIUS/ENCODE(00000063):Orig. component type = DOT11
Jun 12 11:39:14.973: RADIUS:  AAA Unsupported Attr: ssid              [347] 2   
Jun 12 11:39:14.973: RADIUS:  AAA Unsupported Attr: service-type      [345] 4   1
Jun 12 11:39:14.973: RADIUS:  AAA Unsupported Attr: interface         [222] 3   

Jun 12 11:39:14.973: RADIUS:   32                 [ 2]
Jun 12 11:39:14.973: RADIUS(00000063): Config NAS IP: 172.16.254.116
Jun 12 11:39:14.973: RADIUS(00000063): Config NAS IPv6:
Jun 12 11:39:14.973: RADIUS/ENCODE(00000063): acct_session_id: 88
Jun 12 11:39:14.973: RADIUS(00000063): Config NAS IP: 172.16.254.116
Jun 12 11:39:14.973: RADIUS(00000063): sending
Jun 12 11:39:14.973: RADIUS(00000063): Send Access-Request to 172.16.0.32:1812 id 1645/17, len 158
Jun 12 11:39:14.973: RADIUS:  authenticator 1D BA 6B A3 29 E2 0C AE - AA AA EC FD 14 2F CD 24
Jun 12 11:39:14.973: RADIUS:  User-Name           [1]   19  "Empresa\User"
Jun 12 11:39:14.973: RADIUS:  Framed-MTU          [12]  6   1400                      
Jun 12 11:39:14.973: RADIUS:  Called-Station-Id   [30]  22  "2C-3E-CF-0B-BF-60:1A"
Jun 12 11:39:14.973: RADIUS:  Calling-Station-Id  [31]  16  "001e.58a2.ba4b"
Jun 12 11:39:14.973: RADIUS:  Service-Type        [6]   6   Login                     [1]
Jun 12 11:39:14.973: RADIUS:  Message-Authenticato[80]  18  
Jun 12 11:39:14.973: RADIUS:   27 0E 57 4F 94 F1 A4 C2 A2 D7 CE 18 7C 2A B9 AF             [ 'WO|*]
Jun 12 11:39:14.973: RADIUS:  EAP-Message         [79]  24  
Jun 12 11:39:14.973: RADIUS:   02 02 00 16 01 43 42 41 5C 50 65 64 72 6F 2E 41 6C 6D 65 69 64  [Empresa\User]
Jun 12 11:39:14.973: RADIUS:   61                 [ a]
Jun 12 11:39:14.973: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
Jun 12 11:39:14.973: RADIUS:  NAS-Port            [5]   6   278                       
Jun 12 11:39:14.973: RADIUS:  NAS-Port-Id         [87]  5   "278"
Jun 12 11:39:14.973: RADIUS:  NAS-IP-Address      [4]   6   172.16.254.116            
Jun 12 11:39:14.973: RADIUS:  Nas-Identifier      [32]  4   "ap"
Jun 12 11:39:14.973: RADIUS(00000063): Sending a IPv4 Radius Packet
Jun 12 11:39:14.973: RADIUS(00000063): Started 5 sec timeout
Jun 12 11:39:14.977: RADIUS: Received from id 1645/17 172.16.0.32:1812, Access-Challenge, len 90
Jun 12 11:39:14.977: RADIUS:  authenticator B0 3A 94 27 69 48 8A 39 - 71 DB 7C A3 6F B1 47 19
Jun 12 11:39:14.977: RADIUS:  Session-Timeout     [27]  6   30                        
Jun 12 11:39:14.977: RADIUS:  EAP-Message         [79]  8   
Jun 12 11:39:14.977: RADIUS:   01 03 00 06 19 20                 [  ]
Jun 12 11:39:14.977: RADIUS:  State               [24]  38  
Jun 12 11:39:14.977: RADIUS:   21 0E 03 C7 00 00 01 37 00 01 02 00 AC 10 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 7B 20 F6 EE            [ !7 0{ ]
Jun 12 11:39:14.977: RADIUS:  Message-Authenticato[80]  18  
Jun 12 11:39:14.977: RADIUS:   C3 8B 89 69 C7 7B 57 72 67 A5 8F B2 2C 84 44 7C          [ i{Wrg,D|]
Jun 12 11:39:14.977: RADIUS(00000063): Received from id 1645/17
Jun 12 11:39:14.977: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
Jun 12 11:39:14.985: RADIUS/ENCODE(00000063):Orig. component type = DOT11
Jun 12 11:39:14.985: RADIUS:  AAA Unsupported Attr: ssid              [347] 2   
Jun 12 11:39:14.985: RADIUS:  AAA Unsupported Attr: service-type      [345] 4   1
Jun 12 11:39:14.985: RADIUS:  AAA Unsupported Attr: interface         [222] 3   

Jun 12 11:39:14.985: RADIUS:   32                 [ 2]
Jun 12 11:39:14.985: RADIUS(00000063): Config NAS IP: 172.16.254.116
Jun 12 11:39:14.985: RADIUS(00000063): Config NAS IPv6:
Jun 12 11:39:14.985: RADIUS/ENCODE(00000063): acct_session_id: 88
Jun 12 11:39:14.985: RADIUS(00000063): Config NAS IP: 172.16.254.116
Jun 12 11:39:14.985: RADIUS(00000063): sending
Jun 12 11:39:14.985: RADIUS(00000063): Send Access-Request to 172.16.0.32:1812 id 1645/18, len 279
Jun 12 11:39:14.985: RADIUS:  authenticator BE 87 70 F0 26 CF FC 41 - 02 10 8D 7C CD 40 D1 12
Jun 12 11:39:14.985: RADIUS:  User-Name           [1]   19  "Empresa\User"
Jun 12 11:39:14.985: RADIUS:  Framed-MTU          [12]  6   1400                      
Jun 12 11:39:14.985: RADIUS:  Called-Station-Id   [30]  22  "2C-3E-CF-0B-BF-60:1A"
Jun 12 11:39:14.985: RADIUS:  Calling-Station-Id  [31]  16  "001e.58a2.ba4b"
Jun 12 11:39:14.985: RADIUS:  Service-Type        [6]   6   Login                     [1]
Jun 12 11:39:14.985: RADIUS:  Message-Authenticato[80]  18  
Jun 12 11:39:14.985: RADIUS:   63 30 E2 67 34 27 2D 93 C2 BD 0E F8 B0 E2 2D EF           [ c0g4'--]
Jun 12 11:39:14.985: RADIUS:  EAP-Message         [79]  107
Jun 12 11:39:14.985: RADIUS:   02 03 00 69 19 80 00 00 00 5F 16 03 01 00 5A 01 00 00 56 03 01 53 99 BB 5F 6E 1D 89 61 75 51 D9 7C C3 55 88 C7 E8 DF 37 E9 EB 1D 8C 21 09 0D 8C C5 59 47  [i_ZVS_nauQ|U7!YG]
Jun 12 11:39:14.985: RADIUS:   AD B1 00 00 18 00 2F 00 35 00 05 00 0A C0 13 C0 14 C0 09 C0 0A 00 32 00 38 00 13 00 04 01 00 00 15 FF 01 00 01 00 00 0A 00 06 00 04 00 17 00 18 00 0B 00 02 01 00              [ /528]
Jun 12 11:39:14.985: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
Jun 12 11:39:14.985: RADIUS:  NAS-Port            [5]   6   278                       
Jun 12 11:39:14.985: RADIUS:  NAS-Port-Id         [87]  5   "278"
Jun 12 11:39:14.985: RADIUS:  State               [24]  38  
Jun 12 11:39:14.985: RADIUS:   21 0E 03 C7 00 00 01 37 00 01 02 00 AC 10 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 7B 20 F6 EE            [ !7 0{ ]
Jun 12 11:39:14.985: RADIUS:  NAS-IP-Address      [4]   6   172.16.254.116            
Jun 12 11:39:14.989: RADIUS:  Nas-Identifier      [32]  4   "ap"
Jun 12 11:39:14.989: RADIUS(00000063): Sending a IPv4 Radius Packet
Jun 12 11:39:14.989: RADIUS(00000063): Started 5 sec timeout
Jun 12 11:39:19.597: RADIUS(00000063): Request timed out
Jun 12 11:39:19.597: RADIUS: Retransmit to (172.16.0.32:1812,1813) for id 1645/18
Jun 12 11:39:19.597: RADIUS(00000063): Started 5 sec timeout
Jun 12 11:39:23.981: RADIUS(00000063): Request timed out
Jun 12 11:39:23.981: RADIUS: Retransmit to (172.16.0.32:1812,1813) for id 1645/18
Jun 12 11:39:23.981: RADIUS(00000063): Started 5 sec timeout
Jun 12 11:39:28.365: RADIUS(00000063): Request timed out
Jun 12 11:39:28.365: RADIUS: Retransmit to (172.16.0.32:1812,1813) for id 1645/18
Jun 12 11:39:28.365: RADIUS(00000063): Started 5 sec timeout
Jun 12 11:39:33.005: RADIUS(00000063): Request timed out
Jun 12 11:39:33.005: RADIUS: Retransmit to (172.16.0.32:1812,1813) for id 1645/18
Jun 12 11:39:33.005: RADIUS(00000063): Started 5 sec timeout
Jun 12 11:39:37.389: RADIUS(00000063): Request timed out
Jun 12 11:39:37.389: RADIUS: Fail-over denied to  (172.16.0.32:1812,1813) for id 1645/18
Jun 12 11:39:37.389: RADIUS: No response from (172.16.0.32:1812,1813) for id 1645/18
Jun 12 11:39:37.389: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Jun 12 11:39:37.389: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
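
To read the EAP conversation out of a debug like the one above, this added example (not part of the original document) reassembles each EAP-Message [79] attribute from its hex continuation lines and decodes the RFC 3748 header. The sample lines, the 192.0.2.10 address, the identity and the function names `decode_eap` and `eap_from_debug` are constructed for illustration.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 43: "EAP-FAST"}
PKT = re.compile(r"Access-(?:Request|Challenge|Accept|Reject)")
HEX = re.compile(r"RADIUS:\s+((?:[0-9A-F]{2}(?:\s+|$))+)")
# Constructed sample in the AP's debug format (addresses and identity are placeholders).
SAMPLE = """\
Jan 01 00:00:01.000: RADIUS(00000001): Send Access-Request to 192.0.2.10:1812 id 1645/1, len 60
Jan 01 00:00:01.000: RADIUS:  EAP-Message         [79]  19
Jan 01 00:00:01.000: RADIUS:   02 02 00 11 01 75 73 65 72 40 65 78 61 6D  [user@exam]
Jan 01 00:00:01.000: RADIUS:   70 6C 65        [ ple]
Jan 01 00:00:01.004: RADIUS: Received from id 1645/1 192.0.2.10:1812, Access-Challenge, len 90
Jan 01 00:00:01.004: RADIUS:  EAP-Message         [79]  8
Jan 01 00:00:01.004: RADIUS:   01 03 00 06 19 20                 [  ]
Jan 01 00:00:02.004: RADIUS: Received from id 1645/2 192.0.2.10:1812, Access-Reject, len 44
Jan 01 00:00:02.004: RADIUS:  EAP-Message         [79]  6
Jan 01 00:00:02.004: RADIUS:   04 02 00 04
"""

def decode_eap(data):
    """Decode the RFC 3748 header of one reassembled EAP-Message."""
    if len(data) < 4:
        return {"code": "truncated"}
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    out = {"code": EAP_CODES.get(code, str(code)), "id": ident, "len": length}
    if code in (1, 2) and len(data) > 4:   # only Request/Response carry a Type
        out["type"] = EAP_TYPES.get(data[4], f"type {data[4]}")
        if data[4] in (13, 21, 25, 43) and len(data) > 5:   # TLS-based: L/M/S flags
            out["flags"] = [n for b, n in ((128, "L"), (64, "M"), (32, "S")) if data[5] & b]
    return out

def eap_from_debug(text):
    """Return [(RADIUS packet type, decoded EAP header)] in log order."""
    results, pkt, buf = [], None, None
    for line in text.splitlines() + [""]:   # trailing "" flushes the last message
        m = HEX.search(line)
        if buf is not None and m:          # hex continuation of the current EAP-Message
            buf += bytes.fromhex(m.group(1))
            continue
        if buf:
            results.append((pkt, decode_eap(buf)))
        buf = None
        if "EAP-Message" in line and "[79]" in line:
            buf = bytearray()
        elif (p := PKT.search(line)):
            pkt = p.group(0)
    return results
```

Applied to the debug above, the same decoding shows an EAP Failure (`04 02 00 04`) inside the Access-Reject for the machine identity and a PEAP Start (`19 20`, S flag) inside the Access-Challenge for the user identity.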

NPS - Event Viewer

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            Empresa\WM-WSUS-998$
    Account Name:            host/WM-WSUS-998.empresa.local
    Account Domain:            EMPRESA
    Fully Qualified Account Name:    EMPRESA\WM-WSUS-998$

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        2C-3E-CF-0B-BF-60:1A
    Calling Station Identifier:        001e.58a2.ba4b

NAS:
    NAS IPv4 Address:        172.16.254.116
    NAS IPv6 Address:        -
    NAS Identifier:            Aironet
    NAS Port-Type:            Wireless - IEEE 802.11
    NAS Port:            342

RADIUS Client:
    Client Friendly Name:        Cisco Aironet - 1A
    Client IP Address:            172.16.254.116

Authentication Details:
    Connection Request Policy Name:    Empresa - Wireless
    Network Policy Name:        -
    Authentication Provider:        Windows
    Authentication Server:        dc02.empresa.local
    Authentication Type:        EAP
    EAP Type:            -  
    Account Session Identifier:        -
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            48
    Reason:                The connection request did not match any configured network policy.

    Reason:                The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Solution

Configured one more option in Connection Request Policies - My Policy:

Settings                                            Value

Authentication Provider                             Local Computer

Extensible Authentication Protocol Method           Microsoft: Protected EAP (PEAP)

Override Authentication                             Disabled

Extensible Authentication Protocol Configuration    Configure

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

In Network Policies - My Policy

Settings                                            Value

Authentication Method                               EAP

Access Permission                                   Grant Access

Update Noncompliant Client                          True

NAP Enforcement                                     Allow full network access

Extensible Authentication Protocol Method           Microsoft: Protected EAP (PEAP)

Extensible Authentication Protocol Configuration    Configure

Extended State                                      <Blank>

BAP Percentage of Capacity                          Reduce Multilink if server reaches 50% for 2 minutes

Encryption                                          Basic encryption (MPPE 40-bit), Strong encryption (MPPE 56-bit), Strongest encryption (MPPE 128-bit)

Encryption Policy                                   Enabled

NAS Port Type                                       Wireless - IEEE 802.11
