EAP failing for most users after NPS granting access

  • Question

  • Hi,

    I am using NPS on Windows Server 2016 as the RADIUS authentication server, which is a member server to our domain.

    Access points throughout our various sites are all in the 10.112.0.0/14 scope. We have therefore created a single RADIUS client entry in NPS for 10.112.0.0/14.

    Our connection request policies and network policies are quite straightforward, allowing access to users which are members of machine groups or Windows groups via PEAP.

    Quite frequently users and/or computers won't be able to connect to the defined 802.1x SSID being broadcast by our access points. This occurs across multiple operating systems and device types, using either certificate or user credentials for authentication. If the access point is rebooted the problem is gone for a few hours, then it resurfaces. Other access points work fine, and the issue is not consistently isolated to a single access point.

    On the image below, the gray records are unsuccessful attempts to connect to the SSID, blue are successful. The side by side image below shows the detailed information of a blue record left, compared to a gray record right. Notice the connection result unknown.

    The image below shows the event viewer record for a failed attempt, to which you can see the user is granted.

    After mirroring the access point's NIC on the switch we can see the RADIUS exchange.

    Whilst also capturing raw 802.11 frames we can see the authentication, association, EAP, and deauth stages take place. I'm not sure as to why the EAP failure is being sent as NPS granted access.

    I do notice that in the raw 802.11 capture, the BSSID has changed completely, yet the WAP hostname still reports correctly. This can be seen in the access point controller logs. This may be nothing however as the library access point which we successfully connected to is the same.

    Does anyone have any thoughts or suggestions on what could be going wrong?

    Thanks in advance

    Thursday, March 14, 2019 3:28 AM
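
One way to read the RADIUS side of the mirrored capture described in the question, so the result NPS sent can be compared with the EAP code seen in the 802.11 frames. This is an added example, not part of the original thread; it assumes the UDP payload of each RADIUS packet has been exported from the capture as raw bytes, and the sample packets are constructed, not taken from the poster's capture.

```python
import struct

# Code values from RFC 2865 (RADIUS) and RFC 3748 (EAP).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # attribute types, RFC 3579

def parse_radius(packet: bytes) -> dict:
    """Summarise one RADIUS packet (UDP payload) from a capture."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the payload")
    eap, has_msg_auth, pos = b"", False, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of range")
        if a_type == EAP_MESSAGE:
            # A long EAP packet is split over consecutive EAP-Message attributes.
            eap += packet[pos + 2:pos + a_len]
        elif a_type == MESSAGE_AUTHENTICATOR:
            has_msg_auth = True
        pos += a_len
    return {
        "radius": RADIUS_CODES.get(code, f"code {code}"),
        "id": ident,
        "eap": EAP_CODES.get(eap[0], f"code {eap[0]}") if eap else None,
        "message_authenticator": has_msg_auth,
    }

def build(code: int, ident: int, attrs: list) -> bytes:
    """Assemble a constructed sample packet (zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples, not taken from the poster's capture.
ACCEPT = build(2, 42, [(79, bytes([3, 7, 0, 4])), (80, bytes(16))])
REJECT = build(3, 43, [(79, bytes([4, 8, 0, 4])), (80, bytes(16))])

if __name__ == "__main__":
    for pkt in (ACCEPT, REJECT):
        print(parse_radius(pkt))
```

The parser does not verify the Response Authenticator or Message-Authenticator values, which requires the shared secret; it only reports which codes and attributes are present.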

All replies

  • Hi,

    What is the error code in RADIUS logs?

    Have you considered that the issue is related to APs?

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 15, 2019 7:53 AM
    Moderator
  • Hi Travis, 

    That's the thing. From the perspective of NPS, there are no issues at all. The only thing I could think of is that there may have been a possible issue with adding a single RADIUS client entry in NPS for 10.112.0.0/14 encompassing all APs. As far as you're aware, is this practice okay? The alternative would be to add each individual AP to the RADIUS clients list.

    Yes, I am currently in the process of contacting the AP controller vendor for assistance.

    Thank you


    • Edited by mitch8888 Monday, March 18, 2019 1:50 AM more information
    Monday, March 18, 2019 1:44 AM
  • Hi,

    Thanks for your reply.

    Do you mean that you configured all APs as one RADIUS client? I have never done this before, and I would suggest you add some APs as a test.

    Meanwhile, check the NPS settings on APs.

    Best regards,

    Travis



    Tuesday, March 19, 2019 9:35 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Travis



    Thursday, March 21, 2019 6:34 AM
    Moderator
  • Did you ever find a solution to this? I'm having a very similar issue setting up Always on VPN.

    Edit: So I found out for me it was just a mundane detail. I changed my NPS log format to IAS (Legacy) and boom problem fixed for me. I didn't suspect this for the longest time because I swore I set that up when I originally built the NPS server.


    Thursday, April 16, 2020 1:25 PM