Level-one Access Point WAP-6002 logging in Windows 2008 R2 using Radius RRS feed

  • Question

  • Good Evening, I'm having a problem.
    My RADIUS client is OK, my access policies as well, but in the Event Viewer this appears:

    The Network Policy Server discarded the request of a user.

    Contact the administrator of the Network Policy Server for additional information.

    User:

    Security ID: DOMAIN \ User

    Account name: DOMAIN \ User

    Account Domain: DOMAIN

    Fully Qualified Account Name: dominio.com / users / User's full name

    Client machine:

    Security ID: NULL SID

    Account Name: -

    Fully Qualified Account Name: -

    OS Version: -

    Call Station Id: 00-11-6B-58-D6-70

    Calling Station Id: 00-16-33-E7-E7-34

    NAS:

    NAS IPv4 Address: 192.168.xxx.xxx

    NAS IPv6 Address: -

    NAS Identifier: -

    NAS Port Type: Wireless - IEEE 802.11

    NAS Port: 0

    RADIUS Client:

    Friendly Name of Customer: NAME Access Point

    Client IP Address: 192.168.xxx.xxx

    Authentication Details:

    Policy Name Request Connection: Authenticated Users

    Name of Policy Network: Wireless Access

    Authentication Provider: Windows

    Authentication Server: SERVER.DOMAIN.com

    Authentication Type: EAP

    EAP Type: -

    Account Session ID: -

    Reason Code: 22

    Reason: The client could not be authenticated because the EAP type can not be processed by the server.

    I did not find anything about the problem on the net; can someone help me?

    MCTS Computer Network Technology Postgraduate Database MBA Project Management
    Wednesday, April 27, 2011 1:44 AM

Answers

  • Hi Customer,

    Please check the two things below to resolve your issue.

    1. “Authentication Type: EAP” is displayed in your NPS log; the type should be PEAP. Please check that your wireless clients have been configured with wireless policies for PEAP-MS-CHAP v2.

    2. “No default machine certificate could be found” is displayed in your IASSAM log. Please check that the NPS server has enrolled a computer certificate and that the clients trust the enterprise root CA.

    Configure 802.1X Wired Access Clients for PEAP-MS-CHAP v2 Authentication

    http://technet.microsoft.com/en-us/library/dd759154.aspx


    Regards, Rick Tan
    • Marked as answer by Rick Tan Friday, May 6, 2011 1:02 AM
    Tuesday, May 3, 2011 8:28 AM
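    A way to check both of the points above directly on the NPS server, as an added example that is not part of the thread: it lists the machine certificates PEAP could actually use, and groups the recent NPS audit events (6273 = access denied, 6274 = request discarded) by reason code so a recurring code 22 is obvious. It assumes an elevated PowerShell session on the NPS host and that the event XML uses the field names SubjectUserName, NASIPv4Address, EAPType, ReasonCode and Reason.

```powershell
# Added example, not part of the thread. Run elevated on the NPS server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# 1. PEAP needs a machine certificate in LocalMachine\My that has a
#    private key, is currently valid and carries the Server Authentication
#    EKU. Without one the RASTLS trace shows EAP_E_SERVER_CERT_NOT_FOUND
#    and the client is rejected with reason code 22.
$now = Get-Date
$usable = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
}
if (-not $usable) {
    Write-Warning 'No usable Server Authentication certificate in LocalMachine\My; enroll a computer certificate from the enterprise CA.'
} else {
    $usable | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
}

# 2. NPS audit events in the Security log: 6273 = denied, 6274 = discarded.
#    Group them by reason code so one root cause (e.g. 22, "EAP type cannot
#    be processed") stands out from unrelated failures such as bad passwords.
$filter = @{ LogName = 'Security'; Id = 6273, 6274 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    # Reads one named field from the event's XML payload (field names assumed)
    $get = { param($name) ($data | Where-Object { $_.Name -eq $name }).'#text' }
    New-Object PSObject -Property @{
        Time       = $e.TimeCreated
        User       = & $get 'SubjectUserName'
        NasIPv4    = & $get 'NASIPv4Address'
        EapType    = & $get 'EAPType'
        ReasonCode = & $get 'ReasonCode'
        Reason     = & $get 'Reason'
    }
}
$rows | Group-Object ReasonCode | Sort-Object Count -Descending |
    ForEach-Object { '{0,4} x reason {1}: {2}' -f $_.Count, $_.Name, $_.Group[0].Reason }
```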

All replies

  • Hi Customer,

    1. Please check whether your NPS policy (Wireless Access) uses the EAP type "Microsoft: Protected EAP (PEAP)".

    2. I would like to know whether other users authenticate successfully from this AP. Did just one user fail?

    3. Please try connecting this client with a wired cable, log on to the domain, and then test with the wireless AP.

    4. Please trace the NPS log located in the c:\Windows\tracing directory (IASSAM.log) and post it to us.

       Trace start:  netsh ras set tr * en
       Trace stop:   netsh ras set tr * dis

    Regards, Rick Tan
    Thursday, April 28, 2011 9:08 AM
  • ok, let's go
    PEAP is accepted by my policy;
    all users do not authenticate to the AP;
    my domain users authenticate normally over a wired connection;
    I'm not at the server now; later I'll post what you asked for.

    MCTS Computer Network Technology Postgraduate Database MBA Project Management
    Thursday, April 28, 2011 9:10 PM
  • SVCHOST_RASTLS
    [5072] 04-29 21:52:27:970: EapPeapBegin
    [5072] 04-29 21:52:27:970: EapPeapBegin - flags(0x2)
    [5072] 04-29 21:52:27:970: PeapReadUserData
    [5072] 04-29 21:52:27:970:
    [5072] 04-29 21:52:27:970: EapTlsBegin(MYDOMAIN\MYUSER)
    [5072] 04-29 21:52:27:970: SetupMachineChangeNotification
    [5072] 04-29 21:52:27:970: State change to Initial
    [5072] 04-29 21:52:27:970: EapTlsBegin: Detected PEAP authentication
    [5072] 04-29 21:52:27:970: MaxTLSMessageLength is now 16384
    [5072] 04-29 21:52:27:970: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
    [5072] 04-29 21:52:27:970: CRYPT_E_REVOCATION_OFFLINE will not be ignored
    [5072] 04-29 21:52:27:970: The root cert will not be checked for revocation
    [5072] 04-29 21:52:27:970: The cert will be checked for revocation
    [5072] 04-29 21:52:27:970: EapPeapBegin done
    [5072] 04-29 21:52:27:970: EapPeapMakeMessage
    [5072] 04-29 21:52:27:985: EapPeapSMakeMessage, flags(0x405)
    [5072] 04-29 21:52:27:985: EapPeapSMakeMessage, user prop flags(0x3)
    [5072] 04-29 21:52:27:985: PEAP:PEAP_STATE_INITIAL
    [5072] 04-29 21:52:27:985: EapTlsSMakeMessage, state(0)
    [5072] 04-29 21:52:27:985: EapTlsReset
    [5072] 04-29 21:52:27:985: State change to Initial
    [5072] 04-29 21:52:27:985: EapGetCredentials
    [5072] 04-29 21:52:27:985: Flag is Server and Store is local Machine
    [5072] 04-29 21:52:27:985: GetCachedCredentials Flags = 0x40e1
    [5072] 04-29 21:52:27:985: FindNodeInCachedCredList, flags(0x40e1), default cached creds(0), check thread token(1)
    [5072] 04-29 21:52:27:985: GetCachedCredentials Flags = 0x40e1
    [5072] 04-29 21:52:27:985: FindNodeInCachedCredList, flags(0x40e1), default cached creds(1), check thread token(1)
    [5072] 04-29 21:52:27:985: GetDefaultMachineCert
    [5072] 04-29 21:52:27:985: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose(s): Server )  Aborting search for certificates.
    [5072] 04-29 21:52:27:985: No default machine certificates could be found; returning EAP_E_SERVER_CERT_NOT_FOUND.
    [5072] 04-29 21:52:27:985: EapPeapSMakeMessage done
    [5072] 04-29 21:52:27:985: EapPeapMakeMessage done

    IASNAP
    [5072] 04-29 21:52:27:970: The request comes from NAS type 0
    [5072] 04-29 21:52:27:970: Applying RAP policy:Acesso Wireless
    [5072] 04-29 21:52:27:985: Response type is 2, so disable Quarantine State
    [5072] 04-29 21:52:27:985: WARNING: No SHV Session Handle
    [5072] 04-29 21:52:27:985: The request is given quarantine state 3

    IASRAD
    [5072] 04-29 21:52:27:985: message authenticator Attribute added to out-bound RADIUS packet
    [5072] 04-29 21:52:27:985: Message Authenticator Attribute set in out UDP buffer

    IASSAM
    [5072] 04-29 21:52:27:673: Setting localServerName.User to SRV11$
    [5072] 04-29 21:52:27:798: LDAP connect succeeded.
    [5072] 04-29 21:52:27:798: Sending LDAP search to SRV11.MYDOMAIN.com.
    [5072] 04-29 21:52:27:970: Successfully validated windows account MYDOMAIN\MYUSER.
    [5072] 04-29 21:52:27:970: NT-SAM User Authorization handler received request for MYDOMAIN\MYUSER.
    [5072] 04-29 21:52:27:970: Using native-mode dial-in parameters.
    [5072] 04-29 21:52:27:970: Sending LDAP search to SRV11.MYDOMAIN.com.
    [5072] 04-29 21:52:27:970: Inserting attribute msNPAllowDialin.
    [5072] 04-29 21:52:27:970: Successfully retrieved per-user attributes.
    [5072] 04-29 21:52:27:970: Allowed EAP type: 25
    [5072] 04-29 21:52:27:970: Succesfully created EAP Host session with session id 47
    [5072] 04-29 21:52:27:985: Processing output from EAP: action:2
    [5072] 04-29 21:52:27:985: Translating attributes returned by EAPHost.
    [5072] 04-29 21:52:27:985: EAP authentication failed.
    [5072] 04-29 21:52:27:985: No AUTHORIZATION extensions, continuing
    [5072] 04-29 21:52:27:985: Inserting outbound EAP-Message of length 4.


    MCTS Computer Network Technology Postgraduate Database MBA Project Management
    Saturday, April 30, 2011 2:01 AM
  • AND NOW?


    MCTS Computer Network Technology Postgraduate Database MBA Project Management
    Saturday, April 30, 2011 2:02 AM