AP unable to authenticate to RADIUS server

  • Thread starter: Lee.NSM
RADIUS is running on NPS Windows 2016 Datacenter

AP is Meraki MR33



I have tried just about everything I can think of in this configuration and cannot get a connection. I have looked over some of the other articles in the forum also but no success. If anyone can point out a flaw or something I have missed here it would be greatly appreciated! Config info is text and can attach screenshots if anyone needs them for reference for RADIUS server, GPO applied and Meraki config.





Following NPS configuration information:



NPS Server, WIN 2016 DC

Enrolled in AD Services

Certificate from CA applied

RADIUS Clients: 10.0.0.0/8

Manually Generated Shared Secret correct between devices

Vendor Name as RADIUS Standard



Connection Request Policies:

Policy: enabled

Type of server: unspecified



Conditions:

NAS Port type: Wireless IEEE 802.11 OR Wireless Other



Settings:

Authentication: authenticate requests on this server

No Accounting

Attribute type: Caller-Station-Id

No other settings applied







Network Policies:



Policy: enabled

Grant Access

Ignore user account dial-in properties

Type of server: unspecified



Conditions:

Wireless IEEE 802.11 OR Wireless Other

User Groups: (domain name)\domain users and (domain name)\domain computers



Constraints:

Auth methods EAP Types (in listed order top to bottom): MS Secured Password EAP_CHAP v2, MS Protected EAP (PEAP), MS Smart Card or other cert

Idle Timeout, Session Timeout, CallerStation ID and day/time restrictions not configured/default

NAS Port Type: Wireless IEEE 802.11 OR Wireless Other



Settings:

Framed Protocol: PPP

Service Type: Framed

Vendor specific: none

BAP: server settings determine...

IP filters: none

Encryption: 40, 56 and 128 checked, no encryption is NOT checked

IP Settings: Server settings determines...



GPO: no inheritance from other GPOs and only GPO in the test OU



Comp config-Security-wireless-new

Policy Name: RADIUS-TEST



Properties:

General Tab: Policy name and description same name

Use Windows WLAN autoconfig service for clients CHECKED

SSID "RADIUSTEST"

Network Permissions:

Infrastructure

Allow

NO other boxes checked



SSID Profile RADIUSTEST:

Connection tab: SSID RADIUSTEST

all Connect boxes checked

Security tab:

WPA2-Enterprise

AES_CCMP

Network auth method: PEAP - Properties: Verify server, cert server is checked, tell if server can't be identified, auth method is EAP-MSCHAP v2 - Advanced: PMK caching is only box checked

Auth mode: User or computer

Cache information is checked





Meraki config:



MR33 AP connected to MX67

AP has static internal address assigned

Gateway is correct



SSID: RADIUSTEST

WPA2-Enterprise with my RADIUS server

WPA encryption: 1 and 2 allowed

802.11 r/w: disabled

No splash page

Radius server IP, port 1812, shared secret from NPS



No accounting, proxy or group policies

Bridge mode

VLAN tagging

VLAN ID: # for wireless vlan on appliance

Ignore VLAN attributes in RADIUS responses

No Content filter or Bonjour forwarding




Receiving the following errors regarding the policies that are set up. Going through the policies I cannot seem to find what I have configured incorrectly though.



Event ID 20153 Error

The currently configured accounting provider failed to load and initialize successfully. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.



Event ID 20269 Warning

CoId={NA}: The user failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.





Also received an Error 18 for bad shared secret, but I have double checked that also and, if it was incorrect for some reason previously, has been updated. Not seeing 18 at this time, but others are creating with each attempt.



Looking into the certificate also. Had an issue regarding multiple SAN entries in the template to include using the specific IP of the server. Primary name is correct though.



Lots of moving parts here I know, I appreciate any and all assistance!


