RADIUS \ NPS - Connection Issues - Help greatly appreciated.

  • Question

  • Hello,

    I have been banging my head on this issue, and would greatly appreciate some assistance getting this worked out. My goal here is to authenticate both domain & non-domain devices (laptops, smart phones, tablets, etc.) to my network. I've followed several tutorials without much luck, and I feel my lack of knowledge on this particular topic weighing on me.

    I am currently working in a lab environment, which consists of a Server 2012 VM with Active Directory installed and configured. I've also set up and configured my Wireless Access Point, which I've confirmed works just fine using WPA-Personal. I've installed NPS, as well as AD CS, using all of the defaults.

    I'd like to know the opinions of anyone here as to the best way to set up this environment for my needs. As mentioned above, I want to be authenticating both domain and non-domain devices. Should I be setting up certificates of some sort for this goal? Or can I stick with just plain AD user/password access?

    I've configured my WAP for WPA-Enterprise, specified the RADIUS server IP, and entered the shared secret. I've configured NPS w/ my RADIUS client (that being my WAP). My Wireless Policy consists of the following:

    Overview:

    Policy Enabled
    Grant Access
    Ignore User account dial-in properties checked.
    Type of network access server: Unspecified.

    Conditions:

    NAS Port Type - Wireless - Other OR wireless - IEEE 802.11
    Windows Group - DomainName\Wireless Users (I created the Wireless Users security group and added one newly created user to the group)

    Constraints:

    EAP Types: Microsoft: Secured Password (EAP-MSCHAP v2)
    Less Secure Auth. methods selected: MS-CHAP-V2, MS-CHAP

    Everything else in the network policy is set to its default, and I've registered the NPS server in AD.

    My attempts to connect fail, and the only relevant event being logged in the Network Policy and Server log is what I've copied below. Please ask for any information that may help me work this out; I'm all ears!

    Thank you.

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: Domain\Daniel
    Account Name: Domain\Daniel
    Account Domain: Domain
    Fully Qualified Account Name: Domain\Daniel

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 2A-A4-3C-99-FE-CA:DomainWIFI
    Calling Station Identifier: 00-24-D6-A4-C8-8A

    NAS:
    NAS IPv4 Address: 192.168.1.100
    NAS IPv6 Address: -
    NAS Identifier: 24a43c98feca
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 0

    RADIUS Client:
    Client Friendly Name: UniFi
    Client IP Address: 192.168.1.100

    Authentication Details:
    Connection Request Policy Name: Wireless Policy
    Network Policy Name: Wireless Policy
    Authentication Provider: Windows
    Authentication Server: WIN-PBL42GEIH4E.Domain.local
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 22
    Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    Sunday, July 27, 2014 7:36 PM

Answers

  • Hi,

    You receive this message when there is an incompatibility in authentication between the client and server.

    Check the authentication protocol on the client and verify that it's the same as the authentication protocol configured in your network policy.

    Besides, secure password EAP-MS-CHAP v2 is an EAP type that can be used with PEAP, for password-based network authentication. EAP-MsCHAPv2 can also be used as a standalone method for VPN, but only as a PEAP inner method for wireless.

    For detailed information about EAP-MSCHAPv2, please view the link below,

    http://technet.microsoft.com/en-us/library/hh945104.aspx#BKMK_LAN_SecPWD

    Therefore, we recommend that you change the authentication method on both the server and the client.

    Moreover, if you change the authentication method to PEAP, you need to implement ADCS in your environment.

    Hope this helps.



    Steven Lee

    TechNet Community Support


    Monday, July 28, 2014 9:03 AM
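As an added illustration of the triage the answer above describes (not code from the original thread or from Microsoft), the script below parses the fields of an NPS "denied access" event (Event ID 6273, as pasted in the question) and maps Reason Code 22 on a wireless request, with no EAP type negotiated, to the mismatch between a standalone EAP-MSCHAPv2 policy and a client that expects PEAP. The event text is a constructed sample based on the question; the field names are the ones shown in the event.

```python
import re

# Constructed sample of an NPS Event 6273 body, trimmed to the fields
# the triage logic needs (values copied from the question's event).
SAMPLE_EVENT = """\
Network Policy Server denied access to a user.
NAS Port-Type: Wireless - IEEE 802.11
Network Policy Name: Wireless Policy
Authentication Type: EAP
EAP Type: -
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
"""

FIELDS = ("NAS Port-Type", "Network Policy Name", "Authentication Type",
          "EAP Type", "Reason Code")

def parse_event(text):
    """Extract the selected 'Name: value' fields from an NPS event body."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9 \-]+):\s*(.*)$", line)
        if m and m.group(1).strip() in FIELDS:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def triage(fields):
    """Return a short diagnosis string for the parsed event fields."""
    code = fields.get("Reason Code")
    if code != "22":
        return "not an EAP-type mismatch (reason code %s)" % code
    wireless = fields.get("NAS Port-Type", "").startswith("Wireless")
    eap_unset = fields.get("EAP Type", "-") == "-"
    if fields.get("Authentication Type") == "EAP" and eap_unset and wireless:
        # Matches the answer: EAP-MSCHAPv2 is only a PEAP inner method on
        # wireless, so the client's PEAP offer never matches the policy.
        return ("eap-type-mismatch: policy '%s' lists standalone EAP-MSCHAPv2; "
                "enable PEAP with EAP-MSCHAPv2 as the inner method (NPS needs "
                "a server certificate, e.g. from AD CS) and match the client"
                % fields.get("Network Policy Name", "?"))
    return "reason 22: EAP type offered by the client is not enabled in the policy"

if __name__ == "__main__":
    print(triage(parse_event(SAMPLE_EVENT)))
```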