2016 NPS Server does not work for a few select devices

bjaegf119
Level 1

We have a few devices that do not appear to authenticate with our new 2016 NPS server.  If we move these devices back over to our legacy 2003/2008 NPS servers, the devices authenticate.  I have checked over the settings and they all appear to be the exact same across each platform.  I have engaged the vendor of one of these device types but thought I would throw this out there.  This is all set up for PEAP.  Historically we have never had to install a certificate on the devices themselves.  There are a few devices out there which require the certificate.  In this instance one of the devices in question has never needed a certificate before.

 

Without the certificate the device gives error code 23: 

An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

 

With a certificate the device gives error code 265:

The certificate chain was issued by an authority that is not trusted.

 

I have also performed a client debug and have enabled the following:

 

debug dot1x aaa

debug dot1x events

debug dot1x packet

4 Replies

Scott Fella
Hall of Fame
With a new radius server, you must make sure all the root CA and intermediate CA are installed on the NPS server. So compare what is installed on your legacy vs. your new and export then import the cert.
-Scott
*** Please rate helpful posts ***

Thinking about it, since you are doing PEAP, it’s the client devices that need to trust the root CA that is being used for auth on the radius server.
-Scott

I have checked and the same root certs live on both servers in question.

Double check that the required certs are mapped for your policies on the NPS, sometimes if you have multiple certs on your server they get mixed up and may be mapped to an incorrect cert. Also don’t forget to register the NPS with AD (right-click on the NPS).



<<< Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue >>>
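
An added example, not part of any post in this thread: one way to run the comparison suggested in the replies is to list the Server Authentication certificates on each NPS host and the certificate at the top of each one's chain. The host names `NPS-LEGACY` and `NPS-2016` are placeholders, and the script assumes PowerShell 3.0 or later with remoting enabled on both servers.

```powershell
# Added example. Host names are placeholders; assumes PowerShell 3.0+ and remoting.
$servers = 'NPS-LEGACY', 'NPS-2016'

$inspect = {
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        # Keep certificates that have a private key and the Server Authentication EKU
        $cert = $_
        $oids = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
                  ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        $cert.HasPrivateKey -and ($oids -contains $serverAuth)
    } | ForEach-Object {
        # Build the chain from the local stores; skip CRL/OCSP so only the trust path is tested
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($_)
        # Last element is the self-signed root when the chain is complete
        $top = @($chain.ChainElements)[-1].Certificate

        [pscustomobject]@{
            Subject            = $_.Subject
            Thumbprint         = $_.Thumbprint
            NotAfter           = $_.NotAfter
            SignatureAlgorithm = $_.SignatureAlgorithm.FriendlyName
            ChainBuilds        = $built
            ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            ChainTop           = $top.Subject
            ChainTopThumbprint = $top.Thumbprint
        }
    }
}

# Remoting adds PSComputerName to every returned object
$report = Invoke-Command -ComputerName $servers -ScriptBlock $inspect
$report | Sort-Object PSComputerName |
    Format-List PSComputerName, Subject, Thumbprint, NotAfter, SignatureAlgorithm,
                ChainBuilds, ChainStatus, ChainTop, ChainTopThumbprint

# Chain tops that anchor a server certificate on only one of the hosts
$report | Group-Object ChainTopThumbprint | ForEach-Object {
    $hosts = @($_.Group | Select-Object -ExpandProperty PSComputerName -Unique)
    if ($hosts.Count -lt $servers.Count) {
        [pscustomobject]@{ ChainTop = $_.Group[0].ChainTop; OnlyOn = $hosts -join ',' }
    }
}
```

Match the thumbprint selected in each network policy's PEAP properties against this output; the chain top shown for that certificate is the root a validating client has to trust.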