Windows clients will not authenticate to RADIUS

  • Question
  • Updated 4 years ago
  • Answered
Hey Aerohive people, 

It seems that over the weekend, we have had our Windows clients unable to authenticate to our RADIUS server - OSX, iOS and Android clients are fine.

Our setup:
Aerohive HMOL - VHM
Windows Server 2012 NPS for RADIUS using EAP MSCHAPv2

Here is the event logged on the NPS for a failing client:

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
Security ID: DOMAIN/username
Account Name: username
Account Domain: DOMAIN
Fully Qualified Account Name: FQDN

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-19-77-**-**-**:Wildy-WiFi
Calling Station Identifier: 00-21-6B-**-**-**

NAS:
NAS IPv4 Address: 10.*.*.*
NAS IPv6 Address: -
NAS Identifier: WILD-AP120-STAFF
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name: AP-120-STAFF
Client IP Address: 10.*.*.*

Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: VLAN700
Authentication Provider: Windows
Authentication Server: NPSSERVER
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Here is an event logged on NPS from a successful client:

Network Policy Server granted access to a user.
User:
Security ID: DOMAIN/username
Account Name: username
Account Domain: DOMAIN
Fully Qualified Account Name: FQDN

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-19-77-**-**-**:Wildy-WiFi
Calling Station Identifier: D0-E1-40-**-**-**

NAS:
NAS IPv4 Address: 10.*.*.*
NAS IPv6 Address: -
NAS Identifier: WILD-AP330-RM20
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name: AP-330-RM20
Client IP Address: 10.*.*.*

Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: VLAN700
Authentication Provider: Windows
Authentication Server: NPSSERVER
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.

Quarantine Information:
Result: Full Access
Session Identifier: -

I note that there is a distinct lack of EAP TYPE in the failed client log file.


Here is the output from a Client Monitor capturing the failing client authentication:


08/09/2014 02:53:40 PM  501AC5ED45AB  00197728FFA8  WILD-AP120-STAFF   DETAIL  (250)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=96 length=153

08/09/2014 02:53:40 PM  501AC5ED45AB  00197728FFA8  WILD-AP120-STAFF   DETAIL  (251)Send message to RADIUS Server(192.168.*.*): code=1 (Access-Request) identifier=97 length=223,  User-Name=username NAS-IP-Address=10.2.*.* Called-Station-Id=00-19-77-28-FF-A8:Wildy-WiFi Calling-Station-Id=50-1A-C5-ED-45-AB

08/09/2014 02:53:40 PM  501AC5ED45AB  00197728FFA8  WILD-AP120-STAFF   BASIC   (252)Authentication is terminated (at if=wifi1.1) because it is rejected by RADIUS server

08/09/2014 02:53:40 PM  501AC5ED45AB  00197728FFA8  WILD-AP120-STAFF   BASIC   (253)Sta(at if=wifi1.1) is de-authenticated because of notification of driver

08/09/2014 02:53:43 PM  501AC5ED45AB  9C5D12055DE4  WILD-AP230-UJS-2   DETAIL  (0)Rx <broadcast> probe req (rssi -89dB)

08/09/2014 02:53:43 PM  501AC5ED45AB  9C5D12055DE4  WILD-AP230-UJS-2   BASIC   (1)Tx probe resp (pwr 13dBm)

08/09/2014 02:53:43 PM  501AC5ED45AB  9C5D12055DE4  WILD-AP230-UJS-2   BASIC   (2)Tx probe resp (pwr 13dBm)

08/09/2014 02:53:43 PM  501AC5ED45AB  9C5D12055DE5  WILD-AP230-UJS-2   DETAIL  (3)Rx <broadcast> probe req (rssi -89dB)



We haven't purposely changed any RADIUS or Network Policy settings to initiate this new change and this was working fine for us on Friday afternoon...

Any ideas? I have checked the NPS Policy and the cert we have always used is still present and in use.

Thanks
Corey
Corey Kemp

Posted 4 years ago
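The two NPS events pasted above differ in one telling field: the successful client records "EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)", the failing Windows client records "EAP Type: -" even though "Authentication Type" is PEAP in both. The following is an added example, not part of the original post and not Aerohive or Microsoft code: it parses NPS event text of the shape shown in the thread, turns the NPS placeholder "-" into "absent", and classifies a PEAP denial with no inner EAP type as having failed before the inner method ran (i.e. during the outer TLS phase, which is where server-certificate problems surface), rather than at the password check the reason text suggests. The two sample events are constructed condensations of the ones in the post, with identifiers masked as there.

```python
"""Classify pasted NPS audit events by how far the PEAP exchange got.

Added example, not from the original post.  The two event texts below are
constructed from the fields shown in the thread (identifiers masked as there).
"""
import re

# Constructed sample: condensed copy of the event for the failing Windows client.
DENIED_EVENT = """\
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: DOMAIN/username
Account Name: username
Calling Station Identifier: 00-21-6B-**-**-**
NAS Identifier: WILD-AP120-STAFF
Network Policy Name: VLAN700
Authentication Server: NPSSERVER
Authentication Type: PEAP
EAP Type: -
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch.
"""

# Constructed sample: condensed copy of the event for a client that succeeded.
GRANTED_EVENT = """\
Network Policy Server granted access to a user.
User:
Security ID: DOMAIN/username
Account Name: username
Calling Station Identifier: D0-E1-40-**-**-**
NAS Identifier: WILD-AP330-RM20
Network Policy Name: VLAN700
Authentication Server: NPSSERVER
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Quarantine Information:
Result: Full Access
"""

# "Field: value"; the non-greedy key stops at the first colon, so a value that
# itself contains colons ("Microsoft: Secured password ...") survives intact.
FIELD_RE = re.compile(r"^([A-Za-z0-9 -]+?):\s*(.*)$")


def parse_nps_event(text):
    """Return {field: value}.  NPS writes '-' for fields it did not set; those
    become None so 'absent' is distinguishable from an empty string."""
    event = {"outcome": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Network Policy Server "):
            event["outcome"] = "granted" if " granted " in line else "denied"
            continue
        m = FIELD_RE.match(line)
        if not m or m.group(2) == "":        # prose line or section header ("User:")
            continue
        event[m.group(1)] = None if m.group(2) == "-" else m.group(2)
    return event


def classify(event):
    """For PEAP, 'EAP Type' is only filled in once the inner method
    (EAP-MSCHAP v2 here) has actually run.  A denial with no EAP Type most
    likely happened while the outer TLS tunnel was being set up, not at the
    password check that the reason text suggests."""
    if event["outcome"] == "granted":
        return "granted"
    if event.get("Authentication Type") == "PEAP" and event.get("EAP Type") is None:
        return "denied in PEAP outer (TLS) phase"
    return "denied in inner EAP method"


def differing_fields(a, b):
    """Fields whose values differ between two parsed events, to separate
    per-client differences from anything policy-related."""
    keys = (set(a) | set(b)) - {"outcome"}
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    denied, granted = parse_nps_event(DENIED_EVENT), parse_nps_event(GRANTED_EVENT)
    print(classify(denied))
    print(classify(granted))
    for field, (bad, good) in differing_fields(denied, granted).items():
        print(f"{field}: failing={bad!r} working={good!r}")
```

Run against the two samples, the diff shows that account, domain, policy and authentication server are identical and that only the client MAC, the NAS and the EAP Type differ, which is what you would expect if the user side is fine and the Windows supplicant is refusing to proceed past the server-certificate step.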
Corey Kemp

On another note, I fear the issue may be that RADIUS is secured by a wildcard cert...?  Although, this has been this way for several weeks and working fine. 
Andrew MacTaggart, Champ

If I remember correctly, Windows clients will interpret the * as a literal character.

https://community.aerohive.com/aerohive/topics/3rd_party_certificate?topic-reply-list[settings][filt...

Also, any MS updates recently?

http://social.technet.microsoft.com/Forums/windowsserver/en-US/9171b4aa-ba71-430b-935f-b27513debda4/...

Old post where wildcard certs are not supported:

http://technet.microsoft.com/en-US/cc730460

cheers
A
BJ, Champ

Great documentation, Corey. You're on the right track.
Unfortunately, without an ability to work with a client on your network, I'm not sure how much troubleshooting assistance I can offer.
Have you considered opening a support case? They excel with issues such as yours.
The fact that it is an issue only with Win clients rules out cert expiration or mismatch problems in my book. Certainly review the docs Andrew has listed.

Best,
BJ 
Andrew MacTaggart, Champ

Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS

http://support.microsoft.com/kb/814394
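Both of Andrew's replies point at the same two checks: does the NPS server certificate meet the PEAP server-certificate requirements in KB 814394 (a non-empty subject name and the Server Authentication EKU), and does its name contain a wildcard, which Windows clients are said to compare literally. The block below is an added example, not from the thread and not Aerohive or Microsoft code, that runs those checks against certificate data in the shape Python's ssl.SSLSocket.getpeercert() returns. The certificates are constructed (the names under wildy.example are placeholders), the 'extendedKeyUsage' entry is an assumption that getpeercert() does not really supply, and the literal-comparison function reflects what the reply describes rather than an independently verified statement about the Windows supplicant; the HTTPS-style matcher is included only to show why a wildcard certificate passes in a browser yet fails under literal comparison.

```python
"""Check an NPS/RADIUS server certificate against the PEAP requirements the
replies point at: non-empty subject, Server Authentication EKU, no wildcard.

Added example, not from the thread or from Aerohive/Microsoft.  Certificates
are constructed dictionaries in the shape ssl.SSLSocket.getpeercert()
returns, plus an 'extendedKeyUsage' entry that getpeercert() does not
actually provide (assumption for this example).
"""

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth

# Constructed: a wildcard certificate like the one the thread suspects.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.wildy.example"),),),
    "subjectAltName": (("DNS", "*.wildy.example"),),
    "extendedKeyUsage": (SERVER_AUTH_OID,),
}

# Constructed: a UC (multi-SAN) replacement naming the NPS host explicitly.
UC_CERT = {
    "subject": ((("commonName", "npsserver.wildy.example"),),),
    "subjectAltName": (("DNS", "npsserver.wildy.example"),
                       ("DNS", "radius.wildy.example")),
    "extendedKeyUsage": (SERVER_AUTH_OID,),
}


def cert_names(cert):
    """Subject CN plus DNS SANs, in order, without duplicates."""
    names = [v for rdn in cert.get("subject", ()) for a, v in rdn if a == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return list(dict.fromkeys(names))


def matches_rfc6125(pattern, host):
    """HTTPS-style matching: a leading '*' stands for exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h


def matches_literal(pattern, host):
    """Plain comparison in which '*' is just a character; this is the
    behaviour the reply above attributes to the Windows EAP client."""
    return pattern.lower() == host.lower()


def check_peap_server_cert(cert, expected_server):
    """Return a list of problems (empty means the certificate passes)."""
    problems = []
    names = cert_names(cert)
    if not names:
        problems.append("certificate has no commonName and no DNS SAN")
    if SERVER_AUTH_OID not in cert.get("extendedKeyUsage", ()):
        problems.append("Server Authentication EKU missing")
    problems += [f"wildcard name {n!r} is not supported for PEAP" for n in names if "*" in n]
    if not any(matches_literal(n, expected_server) for n in names):
        hint = " (it would match only under wildcard rules)" if any(
            matches_rfc6125(n, expected_server) for n in names) else ""
        problems.append(f"no name equals {expected_server!r} literally{hint}")
    return problems


if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("UC", UC_CERT)):
        print(label, check_peap_server_cert(cert, "npsserver.wildy.example") or "OK")
```

The expected server name passed to check_peap_server_cert is the value clients have in the "Connect to these servers" box of their PEAP profile; that is the string the wildcard certificate can never equal literally, and it is why the UC certificate, which names the NPS host outright, passes while the wildcard one is flagged twice.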
Corey Kemp

Thanks for your input folks. After doing some more reading and testing, I thought it best to replace the wildcard certificate with a UC cert - purely to remove any anomalies which seem to be documented around Windows/RADIUS/wildcard certs.

Works fine now, but still having to battle with the clients (with Win BYOD devices) having to have the correct WiFi profile configured before being able to connect. I'm looking into XpressConnect (as suggested by Nick in another post) as a more user-friendly way for non-technical clients to connect further down the track.

Thanks again.

Corey