NPS fails to authenticate on certain radius clients, no visible events on Event Viewer

  • Question

  • Hey folks.

    I'm trying to troubleshoot authentication failure of some Ubiquiti APs. I've been able to set up NPS with RADIUS authentication, and the system works flawlessly for 4 wireless access points set up in my main site. The trouble is on a secondary site: while it does have IP connectivity to the NPS and the access points are configured identically, they simply fail to authenticate. I am attaching some screenshots describing my NPS setup.

    There are no visible failure events on the RADIUS server, neither under Server Role/Network Policy and Access Services nor under Windows Log/Security. However, checking the log file of the NPS Service (C:\Windows\System32\LogFiles), I was able to confirm that the failing access points are indeed hitting the server. The following registry is from a failed auth attempt:

    ",vrg,06/04/2015,14:14:53,IAS,ITSYSMGMNT,25,311 1 06/04/2015 16:27:40 628,27,30,4108,,4116,0,4128,WAP Cuvier2,4154,Secure Wirless 2,4155,1,4129,CIMEX\vrg,4130,CIMEX\vrg,4136,11,4142,0"

    while this registry is from a successful attempt:

    ",jme,06/04/2015,14:14:48,IAS,ITSYSMGMNT,25,311 1 06/04/2015 16:27:40 627,4132,Microsoft: Secured password (EAP-MSCHAP v2),4127,11,8100,0,4120,0x0143494D4558,4108,,4116,0,4128,WAP EjeNal1,4154,Secure Wirless 2,4155,1,8153,0,4129,CIMEX\jme,4149,WiFi"

    Can anybody help me make sense of the log? Better yet, can anybody point out to me why some APs are authenticating, and why two of them are not?

    Thursday, June 4, 2015 8:20 PM


  • Hi,

    I am not sure about your domain architecture. Just to confirm:
    You want to provide authentication and authorization for user accounts that are not members of either the domain in which the NPS server is a member or another domain that has a two-way trust with the domain in which the NPS server is a member. This includes accounts in untrusted domains, one-way trusted domains, and other forests. Instead of configuring your access servers to send their connection requests to an NPS RADIUS server, you can configure them to send their connection requests to an NPS RADIUS proxy. The NPS RADIUS proxy uses the realm name portion of the user name and forwards the request to an NPS server in the correct domain or forest. Connection attempts for user accounts in one domain or forest can be authenticated for network access servers in another domain or forest.

    For more information, you may reference: https://technet.microsoft.com/en-us/library/dd197447(v=ws.10).aspx.

    Besides, is there any error message on the access client? Or you may contact the AP vendor and confirm the configuration.

    Best Regards,
    Eve Wang 


    Sunday, June 7, 2015 11:50 AM
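
The two NPS log records quoted in the question can be decoded with a short script; this is an added example, not code from either poster. It assumes the IAS (legacy) log format, where six header fields are followed by attribute ID/value pairs. The function names are hypothetical, and IDs not in the map are left numeric.

```python
import csv

# The six header fields that start every IAS-format record.
HEADER = ["NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name"]

# Attribute IDs that occur in the two records; unknown IDs stay numeric.
ATTRS = {
    "25": "Class", "27": "Session-Timeout",
    "4108": "Client-IP-Address", "4116": "Client-Vendor",
    "4120": "MS-CHAP-Domain", "4127": "Authentication-Type",
    "4128": "Client-Friendly-Name", "4129": "SAM-Account-Name",
    "4130": "Fully-Qualified-User-Name", "4132": "EAP-Friendly-Name",
    "4136": "Packet-Type", "4142": "Reason-Code",
    "4149": "NP-Policy-Name", "4154": "Proxy-Policy-Name",
    "4155": "Provider-Type",
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request",
                "11": "Access-Challenge"}

# Records as quoted in the question (outer quotes dropped, raw strings
# so the backslash in DOMAIN\user is kept literally).
REC_FAILED = r',vrg,06/04/2015,14:14:53,IAS,ITSYSMGMNT,25,311 1 06/04/2015 16:27:40 628,27,30,4108,,4116,0,4128,WAP Cuvier2,4154,Secure Wirless 2,4155,1,4129,CIMEX\vrg,4130,CIMEX\vrg,4136,11,4142,0'
REC_OK = r',jme,06/04/2015,14:14:48,IAS,ITSYSMGMNT,25,311 1 06/04/2015 16:27:40 627,4132,Microsoft: Secured password (EAP-MSCHAP v2),4127,11,8100,0,4120,0x0143494D4558,4108,,4116,0,4128,WAP EjeNal1,4154,Secure Wirless 2,4155,1,8153,0,4129,CIMEX\jme,4149,WiFi'

def parse_ias(line):
    """Return one record as a dict of header fields and named attributes."""
    fields = next(csv.reader([line.strip()]))
    rec = dict(zip(HEADER, fields[:len(HEADER)]))
    rest = fields[len(HEADER):]
    # zip() drops a dangling ID if the record was cut off mid-pair.
    for attr_id, value in zip(rest[0::2], rest[1::2]):
        rec[ATTRS.get(attr_id, "attr-" + attr_id)] = value
    if "Packet-Type" in rec:
        code = rec["Packet-Type"]
        rec["Packet-Type"] = PACKET_TYPES.get(code, code)
    return rec

def only_in(a, b):
    """Attribute names present in record a but missing from record b."""
    return sorted(set(a) - set(b))

if __name__ == "__main__":
    bad, good = parse_ias(REC_FAILED), parse_ias(REC_OK)
    for name, rec in (("failing AP", bad), ("working AP", good)):
        print(name, rec["Client-Friendly-Name"], rec.get("Packet-Type"),
              "reason:", rec.get("Reason-Code"))
    print("only in failing record:", only_in(bad, good))
    print("only in working record:", only_in(good, bad))
```

Decoded this way, the first record is an Access-Challenge (4136 = 11) with Reason-Code 0 and no NP-Policy-Name, and the second record as quoted ends before any Packet-Type field.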