
No response from Windows Server 2012 NPS authentication with Cisco WLC

NyiNyiZin59782
Level 1

I'm trying to connect a Cisco WLC to a Windows NPS server as a RADIUS client because I would like to get wireless dot1x authentication. But this task is not complete because, while I am connecting to the SSID, the Cisco WLC does not get a response from the RADIUS NPS server. The Cisco WLC and Windows NPS server are in different subnets and there is no security control between these subnets. It shows the following error message.

 

From WLC,

(Cisco Controller) >test aaa show radius

Radius Test Request
Wlan-id........................................ 4
ApGroup Name................................... Tech1
Server Index................................... 1
Radius Test Response

Radius Server Retry Status
------------- ----- ------

Authentication Response:
Result Code: No response received from server
No AVPs in Response

 

From Windows Server 2012 side,

A RADIUS message was received from the invalid RADIUS client IP address 172.30.3.xxx.


Tyson Joachims
Spotlight

Have you added the WLC to the list of RADIUS Clients in NPS?


Verify that the shared keys are also the same. If you open Windows Event Viewer and go to Windows Logs > Security and filter the current log to just the Task category of Network Policy Server, you'll be able to get all the details of what's happening between the RADIUS server and the WLC.

I've added the WLC to the list of NPS RADIUS clients and have also checked the shared secret key again and again. But the error is still happening. Could you please give me advice on how to solve this problem?

 

(Cisco Controller) >test aaa radius username user10 password admin123!@# wlan-id 4 apgroup Tech1 server-index 1

Radius Test Request
Wlan-id........................................ 4
ApGroup Name................................... Tech1

Attributes Values
---------- ------
User-Name user10
Called-Station-Id 192.168.134.2
Calling-Station-Id 00-11-22-33-44-55
Nas-Port 0x00000008 (8)
Nas-Ip-Address 192.168.134.2
NAS-Identifier Cisco
Airespace / WLAN-Identifier 0x00000004 (4)
User-Password admin123!@#
Service-Type 0x00000008 (8)
Framed-MTU 0x00000514 (1300)
Nas-Port-Type 0x00000013 (19)
Tunnel-Type 0x0000000d (13)
Tunnel-Medium-Type 0x00000006 (6)
Tunnel-Group-Id 0x0000008b (139)
Cisco / Audit-Session-Id c0a88602000002885ffc0b1c

--More-- or (q)uit
Acct-Session-Id 5ffc0b1c/00:11:22:33:44:55/760


(Cisco Controller) >test aaa show radius

Radius Test Request
Wlan-id........................................ 4
ApGroup Name................................... Tech1
Server Index................................... 1
Radius Test Response

 

Radius Server Retry Status
------------- ----- ------

Authentication Response:
Result Code: No response received from server
No AVPs in Response


What does the security log (in Event Viewer) show on the NPS server in that instance?

Depending on security settings, the test command might not work on the CLI. It's easier if you configure a test SSID with the radius server in question and then use a real user to authenticate. 

1st, make sure you are not seeing this error: A RADIUS message was received from the invalid RADIUS client IP address 172.30.3.xxx.

That means that the RADIUS and the controller are communicating via RADIUS. Then take a look at some guides or blogs on configuration of WLC with NPS, which should help make sure you are setting everything up properly. You can also search for the key words you see like "No AVP's in Response" and should find more info on that:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-6/config-guide/b_cg86/wlan_security.html#info_nas-id_field_enhancement_radius_accounting

So once the RADIUS and controllers are communicating, then you need to define the controller RADIUS, controller SSID and the RADIUS policies properly.

Is this a new setup?

-Scott
*** Please rate helpful posts ***

Yes new setup.
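
An added example, not part of any post in this thread: NPS identifies a RADIUS client by the source IP address of the packet it receives, while the Nas-Ip-Address attribute inside the request (192.168.134.2 in the WLC output above) is a separate value that can differ from it. The Python below pulls the rejected source address out of NPS messages worded like the one quoted in the thread and checks it against a list of registered client entries; the function names, the documentation-range addresses and the registered-client list are assumptions constructed for illustration.

```python
import ipaddress
import re

# Wording of the NPS message quoted in the thread; the address token is captured.
INVALID_CLIENT = re.compile(
    r"received from the invalid RADIUS client IP address (\S+?)\.?$")
# "Nas-Ip-Address <addr>" row from the WLC "test aaa radius" attribute table.
NAS_IP = re.compile(r"^Nas-Ip-Address\s+(\S+)", re.MULTILINE | re.IGNORECASE)

def rejected_sources(nps_lines):
    """Return (parsed source addresses, tokens that are not valid addresses)."""
    parsed, unparsed = [], []
    for line in nps_lines:
        m = INVALID_CLIENT.search(line.strip())
        if not m:
            continue
        try:
            parsed.append(ipaddress.ip_address(m.group(1)))
        except ValueError:  # e.g. a masked address such as 172.30.3.xxx
            unparsed.append(m.group(1))
    return parsed, unparsed

def diagnose(nps_lines, wlc_output, registered_clients):
    """Compare each rejected source with the registered client entries."""
    # Entries may be single addresses or CIDR ranges (hypothetical input format).
    nets = [ipaddress.ip_network(c, strict=False) for c in registered_clients]
    m = NAS_IP.search(wlc_output)
    nas_ip = ipaddress.ip_address(m.group(1)) if m else None
    parsed, unparsed = rejected_sources(nps_lines)
    findings = [{
        "source": str(src),
        "registered": any(src in n for n in nets),
        # Payload attribute vs. packet source: these two may legitimately differ.
        "differs_from_nas_ip": nas_ip is not None and src != nas_ip,
    } for src in parsed]
    return findings, unparsed

# Constructed sample input (documentation addresses) plus the masked line from the thread.
SAMPLE_NPS = [
    "A RADIUS message was received from the invalid RADIUS client IP address 198.51.100.7.",
    "A RADIUS message was received from the invalid RADIUS client IP address 172.30.3.xxx.",
]
SAMPLE_WLC = "User-Name user10\nNas-Ip-Address 192.0.2.2\nNAS-Identifier Cisco\n"
SAMPLE_CLIENTS = ["192.0.2.2"]  # assumed NPS RADIUS client entry

if __name__ == "__main__":
    print(diagnose(SAMPLE_NPS, SAMPLE_WLC, SAMPLE_CLIENTS))
```

A finding with `registered` false and `differs_from_nas_ip` true means the client entry on the RADIUS server does not cover the address the request actually arrived from.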
