NPS discards RADIUS req from cisco switch

    Question

  • Hi all,

    I need some assistance with configuring NPS to validate a Cisco switch. I am trying to implement NEAT technology with wired 802.1x authentication. My supplicant switch (2960) is unable to authenticate against the authentication switch (4510), and the log on the RADIUS server, which runs on a Windows 2008 R2 server, says:

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:            <removed>\switch
        Account Name:            switch
        Account Domain:            <removed>
        Fully Qualified Account Name:    <removed>\switch

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        44-D3-CA-F1-23-94
        Calling Station Identifier:        1C-17-D3-AA-CF-99

    NAS:
        NAS IPv4 Address:        10.1.1.254
        NAS IPv6 Address:        -
        NAS Identifier:            -
        NAS Port-Type:            Ethernet
        NAS Port:            50205

    RADIUS Client:
        Client Friendly Name:        CISCO-L3
        Client IP Address:            10.1.1.254

    Authentication Details:
        Connection Request Policy Name:    Secure Wired (Ethernet) Connections 2
        Network Policy Name:        Authentication supplicant switch
        Authentication Provider:        Windows
        Authentication Server:        <removed>
        Authentication Type:        EAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            22
        Reason:                The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    I have created an EAP profile on the supplicant to authenticate itself against the authenticator switch with EAP method MD5.

    On the RADIUS network policy -> policy name -> Conditions tab I have these parameters:

    NAS port type: Ethernet

    Windows group: supplicant switch, to which the "switch" account is added

    Authentication type: EAP

    On the Constraints tab I have selected "Microsoft: Protected EAP using EAP-MSCHAPv2".

    Can anyone help?

    Sunday, June 03, 2018 3:46 PM

All replies

  • Hi,

    Thanks for your question.

    Please check whether Event Viewer on the RADIUS server shows events with event ID 6273. According to your description, my understanding is that 802.1x authenticated access failed with Reason Code 22. The log identified the Network Policy "Secure Wired (Ethernet) Connections" and the Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    This error might be caused by one of the following conditions:
    The user does not have valid credentials
    The connection method is not allowed by network policy
    NPS does not have access to the user account database on the domain controller

    Then you may reference the link below for detailed steps of troubleshooting:
    https://technet.microsoft.com/en-us/library/dd316172(v=ws.10).aspx

    Meanwhile, may I know which authentication method is actually being used? Is it EAP-TLS or PEAP-EAP-TLS? Which authentication method did you add in the Network Policy?

    Furthermore, please verify that the client profile matches the network policy settings. You can also push this via Group Policy.

    Be sure that your connecting client is configured correctly, and be sure to use a certificate for connecting. This guide may help: NPS Server Certificate: Configure the Template and Autoenrollment (https://technet.microsoft.com/en-us/library/cc754198(v=ws.10).aspx)

    Here are references for you,

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771696(v=ws.11)

    https://social.technet.microsoft.com/Forums/ie/en-US/b6323303-3b23-402f-b704-0ad10cbb4e80/npsradius-problems-with-authentication-methods?forum=winserverNAP

    Hope this helps. I look forward to your good news. If you have any questions or concerns, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Monday, June 04, 2018 8:46 AM
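Michael's reply points at event 6273 and at matching the client profile to the network policy. As an added example (not from the thread and not Microsoft's code), the Python below parses the body of NPS events 6272/6273 in the format quoted in this thread and maps Reason Code 22 to the check it calls for: whether the EAP type the supplicant offers is among the EAP types listed on the matched network policy's Constraints > Authentication Methods tab. In the question the supplicant profile is EAP-MD5 while the policy lists only PEAP with EAP-MSCHAPv2, which is exactly the kind of mismatch this surfaces. The two sample events are the ones quoted in this thread, trimmed to the fields the parser uses; the `<removed>` placeholders are kept as they appear there, and `parse_event`, `diagnose` and `failures_by_policy` are names chosen for this example.

```python
"""Parse NPS 6272 (granted) / 6273 (denied) event bodies and explain Reason Code 22."""
import re
from dataclasses import dataclass, field

# Section headings NPS uses in the event body.
SECTIONS = {"User", "Client Machine", "NAS", "RADIUS Client",
            "Authentication Details", "Quarantine Information"}
# "Key:   value"; the key stops at the first colon, so a value such as
# "Microsoft: Smart Card or other certificate" keeps its own colon.
LINE_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<val>.*?)\s*$")


@dataclass
class NpsEvent:
    granted: bool
    fields: dict = field(default_factory=dict)  # section -> {key: value}

    def get(self, section, key, default="-"):
        return self.fields.get(section, {}).get(key, default)


def parse_event(text):
    """Split one event body into sections; the first line carries the verdict."""
    lines = text.strip().splitlines()
    ev = NpsEvent(granted="granted access" in lines[0].lower())
    section = None
    for line in lines[1:]:
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and the "Contact the ... administrator" sentence
        key, val = m.group("key").strip(), m.group("val")
        if key in SECTIONS and val == "":
            section = key
            ev.fields.setdefault(section, {})
        elif section is not None:
            ev.fields[section][key] = val or "-"  # NPS prints "-" for empty fields
    return ev


def diagnose(ev):
    """One-line reading of an event. Reason Code 22 is an EAP-type mismatch between
    supplicant and matched policy, not a bad credential, so point at that check."""
    auth = ev.fields.get("Authentication Details", {})
    policy = auth.get("Network Policy Name", "-")
    if ev.granted:
        return (f"granted by '{policy}' via {auth.get('Authentication Type', '-')} / "
                f"{auth.get('EAP Type', '-')}")
    code = auth.get("Reason Code", "-")
    if code == "22":
        return (f"denied by '{policy}' (Reason Code 22): EAP type offered by "
                f"{ev.get('Client Machine', 'Calling Station Identifier')} on NAS port "
                f"{ev.get('NAS', 'NAS Port')} is not allowed by that policy; compare the "
                "supplicant's EAP method with the policy's Constraints > Authentication Methods")
    return f"denied by '{policy}' (Reason Code {code}): {auth.get('Reason', '-')}"


def failures_by_policy(events):
    """Count denials per (network policy, reason code) to spot a systematic mismatch."""
    counts = {}
    for ev in events:
        if not ev.granted:
            key = (ev.get("Authentication Details", "Network Policy Name"),
                   ev.get("Authentication Details", "Reason Code"))
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed samples: the two events quoted in this thread, trimmed to the
# fields used above; "<removed>" placeholders are kept as they appear there.
DENIED_EVENT = r"""Network Policy Server denied access to a user.
User:
    Account Name:            switch
Client Machine:
    Account Name:            -
    Calling Station Identifier:        1C-17-D3-AA-CF-99
NAS:
    NAS IPv4 Address:        10.1.1.254
    NAS Port-Type:            Ethernet
    NAS Port:            50205
Authentication Details:
    Network Policy Name:        Authentication supplicant switch
    Authentication Type:        EAP
    EAP Type:            -
    Reason Code:            22
    Reason:                The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
"""

GRANTED_EVENT = r"""Network Policy Server granted access to a user.
User:
    Account Name:            host/P22169.<removed>
NAS:
    NAS Port:            50003
Authentication Details:
    Network Policy Name:        Secure Wired (Ethernet) Connections - VLAN40
    Authentication Type:        PEAP
    EAP Type:            Microsoft: Smart Card or other certificate
"""

if __name__ == "__main__":
    events = [parse_event(DENIED_EVENT), parse_event(GRANTED_EVENT)]
    for ev in events:
        print(diagnose(ev))
    print(failures_by_policy(events))
```

To run it against real data, paste the event text from Event Viewer (Security log, event 6273) into the string, or pass the Message property of a record returned by Get-WinEvent to parse_event; a Reason Code 22 tally that is concentrated on one policy and one NAS port, as in the question's event, means the policy's allowed EAP types and the supplicant's EAP profile should be compared before anything is changed on the user account.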
  • Thank you for your answer. So I am going to start from the beginning, because I am losing myself in this thing.

    On the RADIUS server I have added my switch as a RADIUS client. On the policy request I have created a "secure wired connection" policy, which is configured with authentication method PEAP. PC clients are authenticated by certificate; the auto-enrollment policy is deployed via GPO. When I had those settings done I configured the sw 2960 in my test environment as authenticator, and dynamic VLAN assignment was working perfectly. So the topology was PC client - switch - RADIUS.

    Network Policy Server granted access to a user.

    User:
        Security ID:            <removed>\P22169$
        Account Name:            host/P22169.<removed>
        Account Domain:            <removed>
        Fully Qualified Account Name:    <removed>\P22169$

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        1C-17-D3-AA-CF-83
        Calling Station Identifier:        F8-0F-41-D0-3F-AF

    NAS:
        NAS IPv4 Address:        <removed>
        NAS IPv6 Address:        -
        NAS Identifier:            -
        NAS Port-Type:            Ethernet
        NAS Port:            50003

    RADIUS Client:
        Client Friendly Name:        sw49 - skoliaca
        Client IP Address:            <removed>

    Authentication Details:
        Connection Request Policy Name:    Use Windows authentication for all users
        Network Policy Name:        Secure Wired (Ethernet) Connections - VLAN40
        Authentication Provider:        Windows
        Authentication Server:        <removed>
        Authentication Type:        PEAP
        EAP Type:            Microsoft: Smart Card or other certificate
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.

    Quarantine Information:
        Result:                Full Access
        Session Identifier:           

    /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

    BUT now I'd like to change the topology to "PC client - supplicant switch - authenticator switch - RADIUS", and on this topology the dot1x authentication method doesn't work at all.

    Monday, June 04, 2018 11:11 AM