No response from server NPS authentication

HUGH LANCASTER
Level 1


I am trying to get my new 3504 to authenticate to my Windows 2012 R2 Network Policy Server on v1. The management interface on the WLC 3504 is on a trunk port. The management V ID is 30. From the controller on v30 I can ping the 2012 R2 server where the Network Policy Server is located on v1, and from the Network Policy Server I can ping the controller. I can log in to the web interface with no issues. I set the service-port to Dynamic Host Configuration Protocol and it received an IP from the Dynamic Host Configuration Protocol server. When I run the command test AAA show radius, I get "10.100.0.33 1 No response received from server". My old 2106 controller authenticates with no issues. Any help appreciated!


(Cisco Controller) >test AAA show radius

Radius Test Request
WLan  id........................................ 1
AP Group Name................................... default-group
Server Index................................... 1
Radius Test Response

Radius Server Retry Status
------------- ----- ------
10.100.0.33 1 No response received from server

1 Accepted Solution

@HUGH LANCASTER wrote:
I verified the password on the NPS and Controller several times. If it was the password, I should get an error.

Are you sure you're looking in the right log? If your RADIUS Shared Secret is wrong, you will get an Event ID 13 in the "System" log of Windows Event Viewer. Most NPS stuff ordinarily is in the "Security" log, so it is easy to miss this event if you don't check the System log.

Alternatively if you view under "Server Roles" in Event Viewer then you will see all NPS events regardless of which Windows log they come from.
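
The log check described in this answer, as an added PowerShell example that is not part of the original thread: it pulls Event ID 13 entries from the System log on the NPS server and compares the source addresses they mention with the configured RADIUS clients. It assumes the event source is named `NPS` as shown in Event Viewer and that the NPS PowerShell module (`Get-NpsRadiusClient`) is available on the server; the 24-hour window is an arbitrary choice.

```powershell
# Added example: run in an elevated PowerShell session on the NPS server.
# Assumption: the event source appears as 'NPS', as it does in Event Viewer.
$since = (Get-Date).AddHours(-24)

# Event ID 13 in the System log, the event the reply above says to look for.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 13; StartTime = $since } `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -eq 'NPS' })

if ($events.Count -eq 0) {
    Write-Output "No NPS Event ID 13 entries in the System log since $since."
    return
}

# Entries under "RADIUS Clients". Select only non-secret fields so the shared
# secret is never written to the console or a transcript.
$clients = @(Get-NpsRadiusClient | Select-Object Name, Address, Enabled)

# First IPv4 address in each event message is taken as the sender of the request.
$ipPattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

$events |
    ForEach-Object {
        $m = [regex]::Match($_.Message, $ipPattern)
        if ($m.Success) { $m.Value }
    } |
    Group-Object |
    ForEach-Object {
        $ip    = $_.Name
        # Exact string match only: client entries given as DNS names or
        # address ranges are not resolved here and will show as unmatched.
        $match = @($clients | Where-Object { $_.Address -eq $ip })
        [pscustomobject]@{
            SourceIP     = $ip
            Events       = $_.Count
            RadiusClient = if ($match) { $match.Name -join ', ' } else { '(no exact match)' }
            Enabled      = if ($match) { $match.Enabled -join ', ' } else { '' }
        }
    } |
    Sort-Object Events -Descending |
    Format-Table -AutoSize
```

A source IP listed with no matching client is the address the controller is actually sending from, which is what has to appear under "RADIUS Clients".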

17 Replies

HUGH LANCASTER
Level 1

Sorry for spelling out some of the names. Very difficult to post here.

Here is a screen shot of my NPS

You should see every authentication attempt in the Event Viewer - Security log on the NPS server.
Important, is the NPS registered in your domain? To check that, right click on NPS (local) in the NPS management tool. If the "Register in AD" is greyed out it's ok.

Some_Guy
Level 1

Check for ideas in the Windows Event Viewer logs under Custom Views --> Server Roles --> Network Policy and Access Services.

In NPS did you add the IP address of your new WLC under "RADIUS Clients"?

NPS is registered in the domain. It is authenticating to my 2106 controller and clients are authenticating. I am thinking it has something to do with the VLAN. However, from the WLC 3504 I can ping the NPS server and vice versa.

I verified the password on the NPS and Controller several times. If it was the password, I should get an error. I have the port trunked on the WLC. All my VLANs are operating with no issues. The NPS server is in VLAN 1 and the WLC in VLAN 30.

 

Yes. I've looked in both places. I am seeing information from the "service port" showing in the NPS logs: "A radius message was received from the invalid client IP address 10.100.1.137 address". I enabled DHCP on the service port.

Can you provide me a screenshot of the Radius Clients screen on the NPS?
Firewall is allowing connections from the new IP of the WLC to the NPS?

All internal

Thanks.
As you are masking various parts of the IP address, is it the same as this one "A radius message was received from the invalid client IP address 10.100.x.x address" from your error message?
Or please stop masking private IP addresses, it just makes the troubleshooting much more complicated.