Clients through AP error authenticating to NPS RADIUS

ayussuf
Level 1

See config below. All IP addresses are correct and I have another AP which works. However, this one does not. They are using the same RADIUS settings.

On the client machine I am getting an EAP-TTLS box asking for Domain/Username and Password (Token). If I add my username and password, it still does not authenticate.

The client settings are correct too, since the same computer can connect to other APs using the user credentials.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FRD-WAP01-1
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 172.16.0.43 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone -0500 -5
clock summer-time -0400 recurring
ip domain name aa.corp
ip name-server 172.16.1.53
ip name-server 172.16.1.50
!
!
ip dhcp-server 172.16.1.50
ip dhcp-server 172.16.1.53
!
dot11 ssid Test
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   guest-mode
!
power inline negotiation prestandard source
!
!
username Cisco password 7 01300F175804
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid Test
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid Test
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 172.16.0.81 255.255.0.0
 ip helper-address 172.16.1.50
 ip helper-address 172.16.1.53
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.0.43 auth-port 1645 acct-port 1646 key 7 ****************
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
sntp server 172.16.1.50
sntp broadcast client
end

Stephen Rodriguez
Cisco Employee

The config looks OK. You don't need the network EAP as you aren't doing LEAP, but that shouldn't hurt you here.

If the client is getting prompted for credentials, it sounds like the AAA and client aren't negotiating the EAP type properly. Can you look at the NPS logs when the client is failing and see what the error is?

Steve


Below is the event from the NPS server. Instead of "Guest" it normally shows the user login name.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/19/2012 11:51:45 AM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PLN-NPS.aa.corp
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:                    AA\Guest
    Account Name:
    Account Domain:                 AA
    Fully Qualified Account Name:   AA\Guest

Client Machine:
    Security ID:                    NULL SID
    Account Name:                   -
    Fully Qualified Account Name:   -
    OS-Version:                     -
    Called Station Identifier:      7081.0545.4bd0
    Calling Station Identifier:     0022.5f5f.31e1

NAS:
    NAS IPv4 Address:               172.16.0.81
    NAS IPv6 Address:               -
    NAS Identifier:                 FRD-WAP01-1
    NAS Port-Type:                  Wireless - IEEE 802.11
    NAS Port:                       363

RADIUS Client:
    Client Friendly Name:           FRD-WAP01-1
    Client IP Address:              172.16.0.81

Authentication Details:
    Connection Request Policy Name: AA Secure Wireless Connections
    Network Policy Name:            -
    Authentication Provider:        Windows
    Authentication Server:          PLN-NPS.aa.corp
    Authentication Type:            EAP
    EAP Type:                       -
    Account Session Identifier:     -
    Logging Results:                Accounting information was written to the local log file.
    Reason Code:                    34
    Reason:                         The user or computer account that is specified in the RADIUS Access-Request message is disabled.

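The event above is the kind of record Steve asked for, and it says more than the reason code alone: the identity NPS evaluated is the built-in Guest account, no EAP type was negotiated, and no network policy matched. The following is an added example (not from the thread or from Cisco/Microsoft) that parses the Description text of a 6273 event into fields and reads those three signals; the sample event is constructed from the lines posted above, and the reason-code table is a small subset included for illustration.

```python
import re

# Constructed sample: key lines of the Event ID 6273 description posted above.
SAMPLE_6273 = """\
Network Policy Server denied access to a user.
User:
    Security ID:                  AA\\Guest
    Account Name:
    Fully Qualified Account Name: AA\\Guest
Client Machine:
    Security ID:                  NULL SID
Authentication Details:
    Network Policy Name:          -
    EAP Type:                     -
    Reason Code:                  34
"""
# Section headers of the 6273 event; 'Security ID' appears under two of them.
SECTIONS = {"User", "Client Machine", "NAS", "RADIUS Client", "Authentication Details"}
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")
REASON_TEXT = {16: "credentials mismatch", 34: "account disabled",  # subset of NPS codes
               48: "no matching network policy", 66: "EAP method not enabled on the policy"}

def parse_nps_6273(description):
    """Flatten the event Description into 'Section.Field' -> value ('-' when blank)."""
    fields, section = {}, ""
    for line in description.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # prose lines such as the leading denial sentence
        key, value = m.groups()
        if key in SECTIONS and not value:
            section = key
            continue
        fields[f"{section}.{key}" if section else key] = value or "-"
    return fields

def triage_6273(fields):
    """Read a denial the way a defender does: identity, then policy match, then reason code."""
    auth, findings = "Authentication Details.", []
    if fields.get("User.Fully Qualified Account Name", "-").rsplit("\\", 1)[-1].lower() == "guest":
        findings.append("User-Name resolved to the built-in Guest account, not the user: "
                        "NPS never evaluated the user's credentials")
    if fields.get(auth + "EAP Type", "-") == "-":
        findings.append("no EAP type negotiated between supplicant and NPS")
    if fields.get(auth + "Network Policy Name", "-") == "-":
        findings.append("rejected before any network policy matched")
    code = fields.get(auth + "Reason Code", "-")
    findings.append(f"reason code {code}: " + (REASON_TEXT.get(int(code), "see NPS reference") if code.isdigit() else "unknown"))
    return findings
```

Run over the Security log export of a RADIUS server, repeated Guest-identity denials from one NAS are worth an alert in their own right, since they mean clients are being authenticated as something other than the user they prompted for.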
