AD user authentication using NPS

  • Updated 4 years ago
I'm trying to set up an SSID which uses a Server 2008R2 NPS for RADIUS authentication.

I have set up an AD security group and added my domain account to it for testing, and I've set up the AP (or so I believe) with the correct settings, but it's not authenticating when I put in my domain credentials.

I've included a couple of pics of the config settings and below is the log from NPS with the authentication error

<Event><Timestamp data_type="4">03/21/2014 13:33:40.825</Timestamp><Computer-Name data_type="1">BALL-PDC</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 02/15/2014 20:38:59 763</Class><Authentication-Type data_type="0">8</Authentication-Type><Fully-Qualifed-User-Name data_type="1">RIVERS\mattg</Fully-Qualifed-User-Name><SAM-Account-Name data_type="1">RIVERS\mattg</SAM-Account-Name><Provider-Type data_type="0">1</Provider-Type><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Client-IP-Address data_type="3"></Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Aerohive AP330</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">21</Reason-Code></Event>

The only thing that seems weird is that at the end of the 3rd line of the error, its date stamp is weird.

Matt Gudgeon

Posted 4 years ago

Andrew MacTaggart, Champ

You can use the client monitor tool to see where the client is failing

Gregor Vučajnk Lazy Guide To Trouble Shooting

Time is important for certificates, so it should be synchronized throughout. Time zones are another area to check.

Nick Lowe, Official Rep

The Class attribute value that you are seeing has been decoded. It is generated and inserted by NPS in the Access-Accept that it sends and is documented by Microsoft as follows:

“Attribute: Class
ID: 25
Data type: Text

Represents the attribute sent to the client in an Access-Accept packet, which is useful for correlating Accounting-Request packets with authentication sessions. The format is:

  • Type contains the value 25 (1 octet).
  • Length contains a value of 20 or greater (1 octet).
  • Checksum contains an Adler-32 checksum that is computed over the remainder of the Class attribute (4 octets).
  • Vendor-ID contains the ID of the NAS vendor (4 octets). The high-order octet is 0 and the low-order 3 octets are the SMI Network Management Private Enterprise Code of the vendor in network byte order, as defined in “Private Enterprise Numbers” at
  • Version contains the value of 1 (2 octets).
  • Server-Address contains the IP address of the RADIUS server that issued the Access-Challenge message. For multihomed servers, this is the address of the network interface that received the original Access-Request message (2 octets).
  • Service-Reboot-Time specifies the time at which the first serial number was returned (8 octets).
  • Unique-Serial-Number contains a unique number to distinguish an individual connection attempt (8 octets).
  • String contains information that is used to classify accounting records for additional analysis (0 or more octets). In NPS, the Class attribute is copied into the String field.

The Class attribute is used to match the accounting and authentication records if it is sent by the NAS in the Accounting-Request message. The combination of Serial-Number, Service-Reboot-Time, and Server-Address must be a unique identification for each authentication that the RADIUS server performs.”
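
An added example, not part of the original thread: Python that parses the NPS log event from the question and splits the decoded Class text into the fields named in the documentation quoted above, which shows that the date inside Class is the Service-Reboot-Time rather than the event time. It assumes the decoded text lists Vendor-ID, Version, an optional Server-Address, Service-Reboot-Time and Unique-Serial-Number in that order; `decode_class` and `summarize_event` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the event from the question, trimmed to the fields used here.
SAMPLE_EVENT = (
    '<Event><Timestamp data_type="4">03/21/2014 13:33:40.825</Timestamp>'
    '<Class data_type="1">311 1 02/15/2014 20:38:59 763</Class>'
    '<SAM-Account-Name data_type="1">RIVERS\\mattg</SAM-Account-Name>'
    '<Packet-Type data_type="0">3</Packet-Type>'
    '<Reason-Code data_type="0">21</Reason-Code></Event>'
)

# RADIUS packet codes from RFC 2865 / RFC 2866.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

def decode_class(text):
    """Split NPS's decoded Class text into named fields (field order is an assumption)."""
    parts = text.split()
    if len(parts) < 5:
        raise ValueError("not an NPS-style Class value: %r" % text)
    # Server-Address is treated as optional: it is absent in the sample from the question.
    middle = parts[2:-3]
    reboot = datetime.strptime(" ".join(parts[-3:-1]), "%m/%d/%Y %H:%M:%S")
    return {"vendor_id": int(parts[0]), "version": int(parts[1]),
            "server_address": middle[0] if middle else None,
            "service_reboot_time": reboot,
            "serial_number": int(parts[-1])}

def summarize_event(xml_text):
    """Pull the fields useful for triage out of one NPS <Event> record."""
    event = ET.fromstring(xml_text)
    get = lambda tag: (event.findtext(tag) or "").strip()
    packet = int(get("Packet-Type"))
    return {"user": get("SAM-Account-Name"),
            "event_time": datetime.strptime(get("Timestamp"), "%m/%d/%Y %H:%M:%S.%f"),
            "packet_type": PACKET_TYPES.get(packet, "code %d" % packet),
            # Left numeric on purpose: look it up in Microsoft's NPS reason-code table.
            "reason_code": int(get("Reason-Code")),
            "class": decode_class(get("Class"))}

if __name__ == "__main__":
    print(summarize_event(SAMPLE_EVENT))
```
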

Nick Lowe, Official Rep

If you export your NPS configuration and email me the XML, I will take a look at it in a VM and let you know if anything obvious stands out.

nick.lowe [at]