Windows Server 2012 NPS + Radius Authentication

  • Question
  • Updated 3 years ago
Hello Aerohive gurus.
I am trying to implement RADIUS authentication with Dynamic VLAN Assignment on our Aerohive.
I have set the following configuration, but for some reason the APs cannot connect to the RADIUS server (Connection timed out). I can ping the RADIUS server 192.168.1.12 from the SSH session on an AP. I have read the guides and it's not obvious to me why this is not working.

Here are the screenshots.
http://imageshack.com/a/img901/9121/t...
http://imageshack.com/a/img631/5961/t...
http://imageshack.com/a/img908/7877/A...
http://imageshack.com/a/img901/1774/K...
http://imageshack.com/a/img633/6927/w...
http://imageshack.com/a/img912/7622/1...
http://imageshack.com/a/img901/6528/P...
http://imageshack.com/a/img911/9829/M...
http://imageshack.com/a/img910/7126/j...
http://imageshack.com/a/img912/6021/F...
http://imageshack.com/a/img905/7158/Q...
Haris Chaudhry

Posted 3 years ago

Bill W.

First, it's hard to follow with links to images.  It would be much easier to see what is going on by embedding the images.

Now on to some suggestions.  For your Connection Request Policy, try adding the Condition "NAS Port Type" with "Wireless - IEEE 802.11" checked in Common 802.1X connection tunnel types and "Wireless - Other" checked in Others.  Also check the "Override network policy authentication settings" in Authentication Methods.  While you're in Authentication Methods, also check the box for "Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)" under Less secure authentication methods:.  This is needed for the AP to do the RADIUS test.

In your Wireless Connections Policy, you only need 3 settings to work: Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, and Tunnel-Type.  Tunnel-Medium-Type should be "IP (IP version 4)".  Tunnel-Type should be "Generic Route Encapsulation (GRE)".  And Tunnel-Pvt-Group-ID should match the User Profile Attribute Number.
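Added example, not code from this thread or from Aerohive or Microsoft: a small Python model of the Access-Accept that the network policy above returns, with a decoder that verifies the Response Authenticator against the shared secret before trusting the tunnel attributes it carries. The constructed packet uses Tunnel-Type VLAN (13) and Tunnel-Medium-Type IEEE-802 (6) as assumed sample values; the decoder also recognises the GRE (10) and IPv4 (1) values named in the post.

```python
import hashlib
import hmac
import struct

# Tagged tunnel attributes that carry the dynamic VLAN (RFC 2868).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_NAMES = {10: "GRE", 13: "VLAN"}
MEDIUM_TYPE_NAMES = {1: "IPv4", 6: "IEEE-802"}

def tagged_int(attr_type, value, tag=0):
    """Tagged integer attribute: type, length, tag byte, 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_str(attr_type, text, tag=0):
    """Tagged string attribute: type, length, tag byte, string."""
    data = text.encode()
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code|ID|Length|RequestAuth|Attributes|Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(ident, request_auth, secret, vlan, tunnel_type=13):
    """Constructed Access-Accept (code 2) with the three VLAN attributes (sample values)."""
    attrs = (tagged_int(TUNNEL_TYPE, tunnel_type)
             + tagged_int(TUNNEL_MEDIUM_TYPE, 6)
             + tagged_str(TUNNEL_PVT_GROUP_ID, vlan))
    auth = response_authenticator(2, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + auth + attrs

def decode_access_accept(packet, request_auth, secret):
    """Check the Response Authenticator, then decode the tunnel attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    result = {"code": code, "authenticated": hmac.compare_digest(packet[4:20], expected)}
    pos = 0
    while pos + 2 <= len(attrs) and attrs[pos + 1] >= 2:
        atype, alen = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            names = TUNNEL_TYPE_NAMES if atype == TUNNEL_TYPE else MEDIUM_TYPE_NAMES
            key = "tunnel_type" if atype == TUNNEL_TYPE else "medium_type"
            result[key] = names.get(int.from_bytes(value[1:], "big"), "unknown")
        elif atype == TUNNEL_PVT_GROUP_ID:
            # A leading byte <= 0x1F is a tag; otherwise it is part of the string.
            result["vlan"] = (value[1:] if value[0] <= 0x1F else value).decode()
        pos += alen
    return result
```

A reply whose authenticator fails to verify (wrong shared secret on either side) is exactly the case to look for in the Wireshark capture suggested later in the thread.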

Haris Chaudhry

For some reason the RADIUS server does not show in the dropdown box above.

Still no luck: Connection timed out.
Bill W.

What does the Event Viewer on the server show for messages in the Network Policy and Access Services?

Also, you should remove CHAP and MS-CHAP v1 from Authentication Method.  Nothing should be using those and they are not secure.

Haris Chaudhry
Nothing shows in Event Viewer; it's almost like a connection problem, but the APs can ping the RADIUS server.
Bill W.
Have you checked your firewall rules?  Are you sure you have the RADIUS ports (1812 and 1813) allowed through the firewall?
Nick Lowe, Official Rep
Hi Haris,

I'd be more than happy to take a look remotely to find what the cause of your issue is.

It is most likely to be a connectivity issue with the server.

I suggest that you take a look with Wireshark watching UDP port 1812 in conjunction with the event log to see what's going on.

Nick
Haris Chaudhry
Hi, yes, I would love to jump on a remote session. Can you send me your details via PM or something?
Nick Lowe, Official Rep
Hi Haris,

You should have my contact details via email.

Cheers,

Nick