Configuring Windows Radius Server for User / Computer Authentication

  • 1
  • Question
  • Updated 2 years ago

Anyone have any instructions / FAQs / etc. on how to configure a Windows Radius Server to allow 802.1x connections?  We would like both userid and workstation to validated.

We are currently doing this with our Trapeze wireless network with a Radius server on Windows 2003.  So for the Aerohive implementation we wanted to build a new server.   We can find no documentation on how the windows side needs to be configured.

We have reviewed this with no help:

Also reviewed this with no help:

Both documents deal with how the Aerohive needs to be configured, not the Windows Radius Server.

Photo of Dennis


  • 4 Posts
  • 0 Reply Likes

Posted 3 years ago

  • 1
Photo of Eastman Rivai

Eastman Rivai, Official Rep

  • 146 Posts
  • 17 Reply Likes
For a standard dot1x authentication without any dynamic VLAN assignment, you need to configure EAP on the NPS just like any other EAP authentication. In order to assign the user into a user profile you will need to edit your radius policy settings:

Choose your policy- select settings- Radius Attribute - Standard - and add the followings

Tunnel-Type:IP (IP version 4)
Tunnel-Medium-Type: GRE
Tunnel-Pvt-Group-ID: <<user profile attribute number - default is 1>>

If you have multiple user profile attributes enabled on your network policy you will need to configure all of them in the NPS policy. You would only put multiple IDs if you do dynamic profile assignment or if you have multiple dot1x SSIDs with different user profiles.

I hope this answers your question.
Photo of J. Goodnough

J. Goodnough, Champ

  • 265 Posts
  • 32 Reply Likes
Photo of tommy


  • 1 Post
  • 0 Reply Likes
When I test through Hive Radius Test it returns the correct user attribute ID but when I try from client I get NPS error 1 and the authentication type is EAP instead of MS-CHAPv2. What could be wrong and how I can fix this?
Photo of Spencer Bischof

Spencer Bischof

  • 11 Posts
  • 0 Reply Likes
I am also having a similar problem, may I get assistance with this? 
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
Happy to take a look, but it'll likely have to be outside of my work hours.

I'm nick.lowe on Skype
Photo of Erik Gunnarsson

Erik Gunnarsson

  • 38 Posts
  • 6 Reply Likes
If you look in the Event Viewer, what EAP type does it say?
I've had some issue with EAP type = Null/Unknown.
This could be a issue with the packet-size of the EAP payload and can be fixed by lowering MTU size. I've had this issue on both 2008r2 and 2012 servers.
Have a look at this site for how to:
Photo of Spencer Bischof

Spencer Bischof

  • 11 Posts
  • 0 Reply Likes
After playing with this on Monday I realized it was because I needed to change the certificate I was using.
Thanks for the help. 
Photo of Jay


  • 2 Posts
  • 0 Reply Likes
My problem was a certificate issue as well.  I had pointed my Radius server (NPS) to the wrong CA certificate. Live and learn!