Showing results for 
Search instead for 
Did you mean: 

Microsoft 2008 NPS Radius + WLC


Anyone have any luck getting this to work? I am at this point just trying to get the radius set up and get the certificate pulled into the EAP section of NPS. Or know if Cisco supports this type of setup. My 2003 IAS box was a snap but now have the Windows Team forcing this god-awful OS onto me to use. Any help docs links appreciated.

8 Replies 8


I am having the same issue, seems to be an incompatibility between the WLC and NPS when it comes to authentication - it keeps telling me that there is a key mismatch. Have you been able to sort your problem out as yet?

HI Guys,

Were any of you able to work out WLC 5508 with Windows 2008 NPS.  I'm currently running OS 7.x on my WLC and my server is Windows 2008 R2.  Any thoughts are really appreciated.




Hi all, I also started to working on this bind. I found this article, but it is not helpfull regarding 2008.

So lets do this work together.


Did you install NPS server and register it in AD?


Wow, this thread is still going?

I found a solution to the issue:

1. Install NPS

  • Start - Control Panel - Programs and Features - Turn Windows Features on or off
  • Rt-click Roles - Add Roles - Next - Network Policy and Access Services - Next - Next
  • Network Policy Server (tick) - Next - Install - Close

2. Start NPS and Register in AD

  • Start - Administrative Tools - Network Policy Server
  • Rt-click NPS (local) - Register Server in Active Directory - OK - OK

3. Configure Network Policy for Computers

  • Expand Policies
  • Rt-click Network Policies - New
  • Policy Name Computer Policy (or whatever you want to call it) - Next - Add
  • Select Windows Groups - Add - Add Groups
  • Enter Domain Computers - OK - OK
  • Select NAS Port type - Wireless - IEEE 802.11 (tick) - OK - Next - Access Granted - Next
  • Microsoft Encrypted Authentication MS CHAP (untick) - Add
  • Select Microsoft: Protected EAP (PEAP) - OK - Next - Next
  • Select Framed-Protocol | PPP - Remove
  • Select Service Type | Framed - Remove
  • Select Encryption - No encryption (untick) - Next - Finish

4. Configure Network Policy for Users

  • Repeat steps in 3 above substituting User Policy as name and Domain Users as Group

5. Setup RADIUS client

  • Expand RADIUS Clients and Servers
  • Rt-click RADIUS Clients - New RADIUS client
  • Friendly Name: WLAN Controller Name of your choice
  • Address (IP or DNS): IP address of Controller
  • Vendor Name: Cisco
  • Shared Secret: The Access Key you set on the Controller - Confirm Shared Secret - OK

6. Set up Wireless GPO (if you want to automate client distribution)

  • Start - Administrative Tools - Group Policy Management
  • Rt-click your domain object and Create a GPO in this Domain and Link it Here
  • Call it WirelessClient or whatever floats your boat
  • Rt-Click the GPO - Edit
  • Computer Configuration - Policies - Windows Settings - Security Settings - Wireless Network (IEEE 802.11) Policies
  • Rt-click Wireless Network (IEEE 802.11) Policies - Create a new Wireless Policy
  • Policy Name WIRELESS (or whatever)

The rest of the settings need to be as per your controller setup, below are settings for WPA2 enterprise

  • Description: Wireless network - yadayada
  • Authentication: WPA2
  • Encryption: AES
  • IEEE 802.1X tab - Settings
  • Trusted Roor Certificate Authorities - find your server's root certificate in the list and tick - OK - OK
  • Repeat for additional SSIDs if necessary

That should do it - it worked for me!

i'll try this out eugene. thanks for sharing. feedback when its running! thanks!!!

mine is not working. i have followed the above guide except for automation of wireless settings for client. i manually configured the 802.1x wireless settings. it is a lab set-up,

1. AD with Certificate Services enabled (internal CA)

2. NPS on separate server registered to AD, certificate is present issued by internal CA

3. WLC configured, pointed to NPS

4. client windows 7, certificate issued from web enrollment

i am having this error,

*Dot1x_NW_MsgTask_0: Jan 24 04:05:12.010: e8:39:df:b6:35:bc Sending EAP Attribute (code=2, length=11, id=2) for mobile e8:39:df:b6:35:bc
*Dot1x_NW_MsgTask_0: Jan 24 04:05:12.010: 00000000: 02 02 00 0b 01 72 6f 75  74 65 72                 .....router
*Dot1x_NW_MsgTask_0: Jan 24 04:05:12.010: e8:39:df:b6:35:bc [BE-req] Radius  EAP/Local WLAN 1.
*Dot1x_NW_MsgTask_0: Jan 24 04:05:12.011: e8:39:df:b6:35:bc [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*aaaQueueReader: Jan 24 04:05:12.011: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Jan 24 04:05:12.011: e8:39:df:b6:35:bc Successful transmission of Authentication Packet (id 7) to, proxy state e8:39:df:b6:35:bc-00:00
*radiusTransportThread: Jan 24 04:05:12.021: ****Enter processIncomingMessages: response code=3

*radiusTransportThread: Jan 24 04:05:12.021: ****Enter processRadiusResponse: response code=3

*radiusTransportThread: Jan 24 04:05:12.021: e8:39:df:b6:35:bc Access-Reject received from RADIUS server for mobile e8:39:df:b6:35:bc receiveId = 7
*radiusTransportThread: Jan 24 04:05:12.021: e8:39:df:b6:35:bc [Error] Client requested no retries for mobile E8:39:DF:B6:35:BC
*radiusTransportThread: Jan 24 04:05:12.021: e8:39:df:b6:35:bc Returning AAA Error 'Authentication Failed' (-4) for mobile e8:39:df:b6:35:bc
*radiusTransportThread: Jan 24 04:05:12.021: e8:39:df:b6:35:bc [BE-resp] AAA response 'Authentication Failed'
*radiusTransportThread: Jan 24 04:05:12.021: e8:39:df:b6:35:bc [BE-resp] Returning AAA response
*radiusTransportThread: Jan 24 04:05:12.021: e8:39:df:b6:35:bc AAA Message 'Authentication Failed' received for mobile e8:39:df:b6:35:bc

please do help, thanks!!!

I think there is an issue with the configuration of the RADIUS server, have you checked the event logs?

Your WLAN Controller log reports: "Access-Reject received from RADIUS server" and "

AAA response 'Authentication Failed'"

In my experience this is due to one of the following:

1. Invalid user account and/or password

2. Computer not a member of domain

3. Certificate services not working properly

4. Certificate expired, or

5. RADIUS incorrectly configured

6. Access key incorrectly entered - it IS case-sensitive (so is the SSID)

Check the event log, your answer may be there.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers