Cisco AP1200 RADIUS clients cannot authenticate using NPS. No Logs, No Error

  • Question

  • On our student network, we have a setup of two AD-DCs which are installed with NPS, and our Cisco 1200 Series APs cannot authenticate against the NPS. There are no Success/Failure logs in Event Viewer. I have confirmed that the APs are talking to the NPS server, but no reply is coming out of the NPS. I used wrong shared secrets to confirm that the APs are talking to the NPS server. The result was that I found error logs in the Event Viewer.

    Both servers run Windows 2008 w/ SP2.

    We have the same setup for the Staff network and it works perfectly. There were no problems. The APs are configured correctly and the connectivity between the servers and APs is fine.

    Please Help !!!!!!!! Thank you all in advance.

    Thursday, May 13, 2010 6:49 AM

Answers

  • Hi.  Sorry, yes they are N compliant.  I thought there must have been more to the question than what met the eye.  I ended up resolving the problem as we did not have the computers listed in NPS policy.  As we were only testing it, we only added a test group of users, however set the rule to authenticate both computers and users.  We were not worried about allowing users to connect prior to logon during the test stage as they were already logged on, on an existing unsecure SSID. For some reason it would not authenticate until we added the computers in though.  Strange that it would not log any information about this though.  We have now added the AD group "Authenticated Computers" and all is working ok.

    Thanks for taking the time to reply.

    Monday, February 14, 2011 6:48 AM
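
An added example, not part of any post in this thread: once NPS does write its Security-log events (6272 granted, 6273 denied, 6274 discarded), this separates computer-account identities from user identities, so a policy that admits only a user group shows up as denied machine attempts. The XML records, account names and policy name are constructed, and the `Data` field names are assumed to follow the Windows Security event schema.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# NPS outcomes in the Windows Security log.
NPS_EVENTS = {6272: "granted", 6273: "denied", 6274: "discarded"}

def _event(eid, user, policy, reason):
    """Build one constructed sample record (not taken from the thread)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{eid}</EventID></System><EventData>"
        f'<Data Name="SubjectUserName">{user}</Data>'
        f'<Data Name="NetworkPolicyName">{policy}</Data>'
        f'<Data Name="ReasonCode">{reason}</Data>'
        "</EventData></Event>"
    )

# Constructed sample: two computer accounts denied, one test user granted.
SAMPLE = "<Events>" + "".join([
    _event(6273, "host/LAB-PC01.school.example", "-", 48),
    _event(6273, "SCHOOL\\LAB-PC02$", "-", 48),
    _event(6272, "SCHOOL\\teacher1", "Wireless Test Users", 0),
    _event(4624, "SCHOOL\\teacher1", "-", 0),  # not an NPS event, skipped
]) + "</Events>"

def is_machine(identity):
    """Computer accounts appear as host/<fqdn> or as a name ending in '$'."""
    name = identity.lower()
    return name.startswith("host/") or name.endswith("$")

def summarize(xml_text):
    """Count NPS outcomes per identity kind and list denied computer accounts."""
    counts, denied_machines = Counter(), []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in NPS_EVENTS:
            continue
        data = {d.get("Name"): d.text or ""
                for d in ev.findall("e:EventData/e:Data", NS)}
        user = data.get("SubjectUserName", "")
        kind = "machine" if is_machine(user) else "user"
        counts[(NPS_EVENTS[eid], kind)] += 1
        if eid == 6273 and kind == "machine":
            denied_machines.append((user, data.get("ReasonCode", "")))
    return counts, denied_machines

if __name__ == "__main__":
    totals, machines = summarize(SAMPLE)
    print(dict(totals))
    for name, code in machines:
        print(f"denied computer account {name} (reason code {code})")
```
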

All replies

  • Now the problem is that if I use a WRONG username the NPS server rejects the authentication request. But if I use the valid username it does not authenticate, and no logs are even generated in NPS. This is very frustrating for me and I would really appreciate any of your help.

    Regards,

    Charith

    Monday, May 17, 2010 3:22 AM
  • I seem to be in the same boat.  I've been looking into this configuration on and off for about a year, and haven't had any luck with it.  I'm hoping to get 3 networks set up: one with radius/wpa2/aes for our teachers, one for school guests (internet only via acl, wpa/tkip-psk), and one open network (internet only via acl and restricted to no access during the day via our filter software; then it will open to student access on nights and weekends for visitors/parents/spectators/etc.).

    However because of the problems getting radius to work I haven't been able to move forward with this plan.

    I have found a few helpful articles mostly for the multiple ssids, but still I can't get the radius to work, and I also have no log entries pertaining to this on the NPS.

    I've been working with this Cisco guide on setting up PEAP ( https://www.cisco.com/en/US/docs/wireless/technology/peap/technical/reference/PEAP_D.html#wp1007979 )

    I'm going to try your idea of purposefully setting the wrong shared key to see if I can get errors in the event log.

     

    Tuesday, May 25, 2010 7:55 PM
  • Same here.  I have a site with multiple AP1131g's and they are working beautifully, but 2 sites that have AP1231g's running the latest software for that unit, which is supposed to enable multiple beacons, will not work with RADIUS/EAP auth, and there are no logs.  Remove security or put WEP only on and it works fine - of course no RADIUS.  I intentionally set an incorrect Shared Secret and still see no attempts to connect to the NPS server by the WAP.
    Thursday, May 27, 2010 1:54 PM
  • Did anyone find a solution/answer to this?  I am having the same problem with a D-Link Managed wireless solution and have tried both NPS and IAS.  I have followed this article

    http://techblog.mirabito.net.au/?p=87

    to set up the NPS server and the D-Link user manual for connecting the APs to the NPS.  I can verify that the APs are connected by using incorrect secrets and seeing the log, but nothing is logged when clients try to connect.  Windows 7 does not give/log an error either on the client side - other than that it cannot connect.
    Tuesday, February 8, 2011 11:53 AM
  • Hi Mattyruss

    By "nothing is being logged on the server", do you mean NOTHING AT ALL, LIKE COMPLETELY NOTHING IN ALL LOGS ASSOCIATED WITH NPS AUTHENTICATION?? If so, then there might be a problem with the connection between the AP and the clients... either the mode is set to 802.11g on the clients and the AP is set to 802.11b, or something like that...

    Are you using EAP-TLS or PEAP MSCHAP V2 or other? Please post. And are your D-Link APs compliant with RFC 3580? If not, you may have a problem using some EAP methods for 802.1X. Please update your APs' firmware and contact your supplier to find out if they support the 802.1X solution you want to implement. If all that checks out fine and the problem still persists, please clear all your logs before trying to connect again, make sure there is zero or close to it, then try again. If anything is logged, check it out and see if it has something to do with NPS and authentication.

    Hope this helps


    tech-nique
    Tuesday, February 8, 2011 10:13 PM
  • Hi Tech-nique

    Information is logged if secret is incorrect.  It shows the errors relevant in the system log in event viewer.  If I correct this and both the secret on the NPS and the AP are the same, System log states that an LDAP connection with Domain Controller is established.

    So the AP and NPS server seem correctly set up.  The problem is that when the client tries to connect to the SSID on the AP, nothing is logged in the NPS event log.  I am using wireless N, 5 GHz protocol.  I am not sure what you mean about the client mode and checking that it is set to N.  Can you clarify this?

    I am using PEAP MSCHAP V2 - I have followed this article exactly http://techblog.mirabito.net.au/?p=87

    The Dlink AP's are with compliant.  I have tried with a Linksys WAP54G as in the article as well, and same result.

    I have cleared the logs, but this does not make a difference.

    Thursday, February 10, 2011 1:28 AM
  • Hi

    Are your wireless clients 802.11n compliant? Most laptops are 802.11a/b/g, so check to see if your laptops are .11n compliant. You can do this by doing the following on your client machines:

    Right-click the wireless network connection and click Properties; in Properties, go to the Advanced tab and select Mode. Make sure 802.11n is the one selected. You may have to buy wireless adapters for 802.11n since most laptops don't support this yet, or you can make an exception in your AP settings to allow 802.11b/g clients to also be able to connect, and test authentication to see if this could be the problem.

     


    tech-nique
    Thursday, February 10, 2011 8:48 AM
  • Good one mate!! Glad to know it's working now ;) It never crossed my mind that AD groups could have been the issue ;)
    tech-nique
    Monday, February 14, 2011 3:22 PM