Solved: Re: No response from server NPS authentication

HUGH LANCASTER · ‎05-16-2019

I trying to get my new 3504 to authenticate to my window 2012 r2 Network Policy server on v1. The management interface on the WLC 3504 is on a trunk port. The management V ID is 30. From the controller v30 I can ping the 2012 r2 where Network Policy server is located on v1 and from the Network Policy server I can ping the controller. I can login to the web interface no issues. I set the service-port to Dynamic Host Configuration Protocol and it received an IP from the Dynamic Host Configuration Protocol server. When I complete the command test AAA show radius, I get "10.100.0.33 1 No response received from server". My old 2106 controller authenticates no issues. Any help appreciated!

(Cisco Controller) >test AAA show radius

Radius Test Request
WLan id........................................ 1
AP Group Name................................... default-group
Server Index................................... 1
Radius Test Response

Radius Server Retry Status
------------- ----- ------
10.100.0.33 1 No response received from server

Some_Guy · ‎05-17-2019

@HUGH LANCASTER wrote:

I verified password on the NPS and Controller several times. If it was the password, i should get an error.

Are you sure you're looking in the right log? If your RADIUS Shared Secret is wrong, you will get an Event ID 13 in the "System" log of Windows Event Viewer. Most NPS stuff ordinarily is in the "Security" log, so it is easy to miss this event if you don't check the System log.

Alternatively if you view under "Server Roles" in Event Viewer then you will see all NPS events regardless of which Windows log they come from.

View solution in original post

HUGH LANCASTER · ‎05-16-2019

Sorry for spelling out some of the names. very difficult to post here.

HUGH LANCASTER · ‎05-16-2019

Here is a screen shot of my NPS

patoberli · ‎05-17-2019

You should see every authentication attempt in the Event Viewer - Security log on the NPS server.
Important, is the NPS registered in your domain? To check that, right click on NPS (local) in the NPS management tool. If the "Register in AD" is greyed out it's ok.

Some_Guy · ‎05-16-2019

Check for ideas in the Windows Event Viewer logs under Custom Views --> Server Roles --> Network Policy and Access Services.

In NPS did you add the IP address of your new WLC under "RADIUS Clients"?

HUGH LANCASTER · ‎05-17-2019

NPS is registered in the domain. It is authenticating to my 2106 controller and clients are authenticating. I am thinking it has something to with the VLAN. However, from the WLC 3504 I can ping the NPS server and vice versa.

I verified password on the NPS and Controller several times. If it was the password, i should get an error. I have the port trunked on the WLC. All my VLANS are operating with no issues. The NPS server is VLAN 1 and WLC in VLAN 30.

Some_Guy · ‎05-17-2019

@HUGH LANCASTER wrote:

I verified password on the NPS and Controller several times. If it was the password, i should get an error.

Are you sure you're looking in the right log? If your RADIUS Shared Secret is wrong, you will get an Event ID 13 in the "System" log of Windows Event Viewer. Most NPS stuff ordinarily is in the "Security" log, so it is easy to miss this event if you don't check the System log.

Alternatively if you view under "Server Roles" in Event Viewer then you will see all NPS events regardless of which Windows log they come from.

HUGH LANCASTER · ‎05-17-2019

Yes. I've look both places. I am seeing information from the "service port" showing in the NPS logs. "A radius message was received from the invalid client IP address 10.100.1.137 address. I enable DHCP on the service port.

patoberli · ‎05-20-2019

Can you provide me a screenshot of the Radius Clients screen on the NPS?
Firewall is allowing connections from the new IP of the WLC to the NPS?

HUGH LANCASTER · ‎05-20-2019

All internal

patoberli · ‎05-20-2019

Thanks.
As you are masking various parts of the IP address, is it the same as this one "A radius message was received from the invalid client IP address 10.100.x.x address" from your error message?
Or please stop masking private IP addresses, it just makes the troubleshooting much more complicated.

Some_Guy · ‎05-20-2019

This means the RADIUS request is getting to the NPS server, but the NPS server is ignoring it because it's coming from the service port's IP (10.100.1.137) instead of the IP you were expecting (10.100.32.3).

There is probably a way to set on the WLC which interface it will use for RADIUS requests. I don't know about it off the top of my head though. You'll need to configure the WLC to use the 10.100.32.3 interface for RADIUS.

HUGH LANCASTER · ‎05-20-2019

Makes sense to me. I created a case with tech support. I ran wireshark on both subnets and not seeing any communication with the 10.100.32.3 interface.

Mikey Boy · ‎05-17-2019

If you are getting a no response from AAA server have you absolutely confirmed that the WLC is entered correctly as a client in the NPS server? Does the share secret etc match up on both ends?

HUGH LANCASTER · ‎05-17-2019

I changed the password on both ends to 123456 for testing and no go. ON WLC I completed a test and received this error "

test aaa radius username test password 123456 wlan-id 1

Fri May 17 10:50:54 2019

RADIUS server 10.100.0.33:1812 failed to respond to request (ID 0) for client 00:11:22:33:44:55 / user 'test'

In the event viewer NPS does not show any communication from the WLC test that I competed