Issue Joining AP RADIUS Server to AD Domain

Question, answered. Updated 4 years ago.
Has anyone seen this error in 6.1r1 when attempting to join an Aerohive AP RADIUS server to a domain?
could not obtain winbind separator!
Reading winbind reply failed! (0x01)
:  (###0x0###

I can put in any credentials I want and the same error occurs, indicating that it's either a config issue or HiveOS issue.

The issue only occurs when RADIUS service on the AP is on. The AP is able to join the domain without issue if RADIUS service is off.

Steven Bateman

  • 65 Posts
  • 12 Reply Likes

Posted 4 years ago

Tim Ruda, Official Rep

  • 40 Posts
  • 56 Reply Likes
Hi Steve,

This may not be the most informative reply, but I have encountered this a few times in the past. I addressed it by first removing and recreating the user account in the domain. Once the user was re-added, I used the AAA User Directory Settings where the domain credentials and such are configured and simply ran through each button on the page to rejoin it to the domain. I'm lacking a root cause and another expert may chime in on this, but this has worked to mitigate the problem for me before.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
That's saying simply that there is an error in your NPS configuration. Having matched a CRP (Secure Wireless), no Network Policy was matched. Check the constraints on the Network Policy you expect to be matched to see why that's not happening.
Tim Ruda, Official Rep

  • 40 Posts
  • 56 Reply Likes
Hi Bob,

I believe this type of error is stating that there is no matching CRP for this access request. Was anything missed when the user was recreated?

Opening nps.msc and comparing your Connection Request Policies to the Network Policy to be positive would be the best first step.


There is also a small chance that something could be cached with the user that the radius AP is trying to join the domain as. If you perform a purge on the users to ensure any removed items (the previous admin for joining the domain) are permanently deleted and then recreate the user this may be a good test to confirm.

You could alternatively verify/deny this as a possibility before purging by creating a new unique admin for the radius AP to use, and trying to set a new access point as the radius server to join AD. This would eliminate both variables which may have something cached from the previous connection to the domain.

Let us know what you find!
KatInTX81

  • 23 Posts
  • 0 Reply Likes
Tim, Nick;

Thanks for your additional suggestions. I've combed through the CRP and NP to make sure everything matches, down to the certificate specified in the PEAP authentication methods.

As far as I know, I've still not made any changes to the configuration of the Windows Server, but in the last hour, a behavior has changed ... clients that had previously connected via RADIUS are once again joining the network. However, in the HMOL I still can't
  1. use the Tools > RADIUS test to verify connectivity (I get the error "The connection attempt to the server timed out.")
  2. use the AAA User Directory Settings interface to join my BR200 to the domain (I get the error "Strong(er) authentication required.")
To add one more odd tidbit ... yesterday when this problem cropped up, I told my iPhone to "forget this network" so that it would stop attempting to join the RADIUS SSID, and rather switched over to an SSID that uses WPA/WPA2 PSK (Personal) authentication. As soon as I saw that clients were re-joining the WPA/WPA2 802.1X (Enterprise) SSID again, I told my iPhone to attempt to rejoin ... but all attempts fail after a long timeout.

It would be soooo helpful if I could find an error message in the labyrinth of the MS Event Viewer to give me a more precise idea of what is going wrong. I'm much more comfortable in a Linux or OS X environment, and simply don't know my way around a Windows server very well ... particularly when it comes to certificate-based authentication.

Which is where I suspect the root cause lies ... something seems to have gone awry in the trust chain that is manifesting itself in these odd behaviors. Perhaps I need to flush all of the certs and start over?
KatInTX81

  • 23 Posts
  • 0 Reply Likes
BTW, the thread @ https://community.aerohive.com/aerohive/topics/3rd_party_certificate hints at a procedure I might try in order to ensure certs are matching through my environment.
KatInTX81

  • 23 Posts
  • 0 Reply Likes
One more new piece of information ... as of about an hour ago I started to see event log entries for my user name, which is about the time I fired up my MacBook Pro and had it attempt to join the 802.1X network. At least this error message points me in a more specific direction:

Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: <redacted>
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
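As an added example (not part of the thread or any poster's material), the PowerShell below pulls NPS audit events from the Security log and parses out the same fields KatInTX81 quoted above, so the "CRP matched, Network Policy '-'" pattern Nick Lowe describes can be spotted without paging through Event Viewer. Event IDs 6272 (access granted) and 6273 (access denied) are the real NPS audit events; the function names, the classification text and the constructed sample message are mine, and the sample is simply the event text quoted in this thread.

```powershell
# Added example: parse NPS (Network Policy Server) audit events for the fields that
# explain a denied 802.1X/PEAP request. Function names are hypothetical helpers.
# Assumes the "Network Policy Server" audit subcategory is enabled on the NPS host:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

function ConvertFrom-NpsEventMessage {
    # Turn the "Label: value" body of an NPS event into an ordered hashtable,
    # keeping only the labels relevant to policy matching and EAP failures.
    param([Parameter(Mandatory)][string]$Message)
    $wanted = 'Connection Request Policy Name', 'Network Policy Name',
              'Authentication Type', 'EAP Type', 'Reason Code', 'Reason'
    $fields = [ordered]@{}
    foreach ($line in ($Message -split "`r?`n")) {
        # Lazy match up to the first colon so "Reason: ... (EAP). Check ..." keeps its value intact.
        if ($line -match '^\s*([^:]+?):\s*(.*)$' -and $wanted -contains $Matches[1]) {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $fields
}

function Get-NpsPolicyDiagnosis {
    # Classify a parsed event. The wording follows the observations made in this thread;
    # it is a triage hint, not an authoritative NPS reason-code table.
    param([Parameter(Mandatory)]$Fields)
    $crp = $Fields['Connection Request Policy Name']
    $np  = $Fields['Network Policy Name']
    if ($crp -and $crp -ne '-' -and $np -eq '-') {
        $hint = "CRP '$crp' matched but no Network Policy matched: review the Network Policy conditions/constraints"
    } elseif (-not $crp -or $crp -eq '-') {
        $hint = 'No Connection Request Policy matched: review CRP conditions (NAS type, client IP, etc.)'
    } else {
        $hint = "CRP '$crp' and Network Policy '$np' both matched"
    }
    if ($Fields['Reason Code'] -eq '23') {
        $hint += '; reason code 23 = EAP processing error, check the PEAP server certificate and EAP logs'
    }
    return $hint
}

function Get-NpsAuthEvents {
    # Query the Security log for NPS access-granted (6272) and access-denied (6273) events
    # in the last $Hours hours and return one object per event with the parsed fields.
    param([int]$Hours = 24, [int[]]$EventId = @(6272, 6273))
    $filter = @{ LogName = 'Security'; Id = $EventId; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $fields = ConvertFrom-NpsEventMessage -Message $_.Message
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            CRP       = $fields['Connection Request Policy Name']
            NetPolicy = $fields['Network Policy Name']
            AuthType  = $fields['Authentication Type']
            Reason    = $fields['Reason Code']
            Diagnosis = Get-NpsPolicyDiagnosis -Fields $fields
        }
    }
}

# --- Offline demonstration on a constructed sample (the event text quoted in this thread) ---
$sample = @"
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: <redacted>
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
"@
$parsed = ConvertFrom-NpsEventMessage -Message $sample
Get-NpsPolicyDiagnosis -Fields $parsed

# On the NPS server itself, list the last day's denials with their diagnosis:
# Get-NpsAuthEvents -Hours 24 -EventId 6273 | Format-Table Time, CRP, NetPolicy, Reason, Diagnosis -Wrap
```

If `Get-NpsAuthEvents` returns nothing on the NPS host, the usual cause is that the Network Policy Server audit subcategory is disabled, so no 6272/6273 events are written; enabling it with the `auditpol` command in the comment is the first thing to check.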