Cisco Aironet 1040 and Radius Auth Failure

ams-it · ‎09-25-2011

Alright now this might seem bizarre but I am really hoping someone can work out what I am doing wrong!

I have setup a Cisco Aironet 1040 to connect to our Radius server which I have also configured.

I can successfully connect up any Iphone or Ipad but I cannot get any laptop to connect.

I have attached the logs showing the Iphone Successfully logging in and the Laptop Failing.

Every single failure in the Event log for NPS comes up with

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: NULL SID

Account Name: scottd

Account Domain: AMSLAN

Fully Qualified Account Name: AMSLAN\scottd

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 5835.d976.9420

Calling Station Identifier: d0df.9a92.0f40

NAS:

NAS IPv4 Address: 192.168.2.98

NAS IPv6 Address: -

NAS Identifier: ap

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 336

RADIUS Client:

Client Friendly Name: Cisco AP

Client IP Address: 192.168.2.98

Authentication Details:

Connection Request Policy Name: Secure Wireless Connections

Network Policy Name: -

Authentication Provider: Windows

Authentication Server: AMS-DC3.lan.ams.co.nz

Authentication Type: PEAP

EAP Type: -

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 266

Reason: The message received was unexpected or badly formatted.

A successful Iphone connection shows as below

Network Policy Server granted access to a user.

User:

Security ID: AMSLAN\scottd

Account Name: scottd

Account Domain: AMSLAN

Fully Qualified Account Name: AMSLAN\scottd

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 5835.d976.9420

Calling Station Identifier: dc2b.6196.184b

NAS:

NAS IPv4 Address: 192.168.2.98

NAS IPv6 Address: -

NAS Identifier: ap

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 324

RADIUS Client:

Client Friendly Name: Cisco AP

Client IP Address: 192.168.2.98

Authentication Details:

Connection Request Policy Name: Secure Wireless Connections

Network Policy Name: Secure Wireless Connections

Authentication Provider: Windows

Authentication Server: AMS-DC3.lan.ams.co.nz

Authentication Type: PEAP

EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Quarantine Information:

Result: Full Access

Session Identifier: -

I just cannot for the life of me find any settings or configuration that will allow this to work. I am hoping that someone may have seen this or be able to offer some insight into what could be wrong.

Thanks in advance!

ams-it · ‎09-26-2011

Still having this issue if anyone is able to supply any kind of information to point me in the right direction it would be much appreciated!

George Stefanick · ‎09-27-2011

Yea, i see is doesnt like it ...

Sep 25 23:47:26.884: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL

Question, why is the security ID different between the Apple and the laptop?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

ams-it · ‎09-27-2011

I wish I knew! The same information is entered but it doesn't seem to send the security ID no matter how I set up the wireless connection on the PC

George Stefanick · ‎09-27-2011

What supplicant are you using on the laptop ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

ams-it · ‎09-27-2011

I have tried it on both Win XP and WIndows 7 both get the exact same error.

Tried it with and without certificates on, the certificate works as that is what it uses on the Iphones and Ipads

Tried WPA and WPA2 with AES or TKIP

on the Radius setup under NPS if I have any kind of authentication setup I get the

Reason Code: 266

Reason: The message received was unexpected or badly formatted.

If I set everything to open then it will connect fine so there is no issue with that side of things it's definetly to do with the security used, but whether it is a Cisco AP setting or a windows server/cleint setting eludes me.

George Stefanick · ‎09-27-2011

read this ... see if this helps at all

http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/fc4d949b-7ac5-4c50-b984-4c16b3710716/

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

ams-it · ‎09-27-2011

From everything I can see this is working correctly as the Iphones use the certificates.

markmilenkovic · ‎09-28-2011

used to have a similar issues on several of our laptops depending on how they were built.

Driver updates fixed our problem though - not sur eif it will for you? but the error was the same for use

Reason: The message received was unexpected or badly formatted.

ams-it · ‎09-28-2011

I had already given drivers ago, But I tried again anyway. Sadly this didn't fix the problem.

ams-it · ‎10-02-2011

Just tried a Wireless USB stick in multiple hardware and get the exact same issue, peap appears to be the issue but this is what the Iphones say they are connecting with and they work.....