cancel
Showing results for 
Search instead for 
Did you mean: 

802.1X EAP failure with Windows AD Radius - Help!

Conversationalist

802.1X EAP failure with Windows AD Radius - Help!

Okay so I've spent several DAYS on this and seem to be getting nowhere :\ I'm starting to get fairly frustrated having followed numerous guides exactly.

 

I used this to setup the Meraki side:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

This is the latest guide I followed:

http://www.cracknells.co.uk/servers-side/configuring-radius-authentication-for-a-wireless-network-80...

 

No matter what I try though, I can't get my phone or laptop to connect, nor get the Test function to succeed from the SSID > Radius Servers section.

 

When I click Test, I get:
Total APs: 14
APs failed: 14

 

I have Accounting enabled on the Windows Server (which is now a DC running Server 2016. I had been running 2012 R2 but decided to wipe it and install 2016 afresh as though maybe RADIUS worked better!). The NPS Account log shows this when I click the Test button:

 

<Event><Timestamp data_type="4">11/15/2018 14:15:21.607</Timestamp><Computer-Name data_type="1">MY-DC03</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.33.102.23 11/15/2018 13:06:56 231</Class><Client-IP-Address data_type="3">10.32.108.21</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Meraki - AP1</Client-Friendly-Name><Session-Timeout data_type="0">30</Session-Timeout><Proxy-Policy-Name data_type="1">Meraki Staff Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">MYDOMAIN\JohnDoe</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">MYDOMAIN\JohnDoe</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">Meraki Staff Secure Wireless Connections</NP-Policy-Name><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

 

I get pretty much the same error logged when trying to connect from my laptop. I also see this in the Meraki event log:

 

Nov 15 14:24:57PurchasingRadius_TestITSPARE01802.11 associationchannel: 40, rssi: 29
Nov 15 14:24:57PurchasingRadius_TestITSPARE01802.11 disassociationunknown reason
Nov 15 14:24:57PurchasingRadius_TestITSPARE01802.1X deauthenticationradio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C  more »
Nov 15 14:24:48PurchasingRadius_TestITSPARE01802.1X deauthenticationradio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C  more »
Nov 15 14:24:48PurchasingRadius_TestITSPARE01802.11 associationchannel: 40, rssi: 28
Nov 15 14:24:47PurchasingRadius_TestITSPARE01802.11 disassociationunspecified reason
Nov 15 14:24:47PurchasingRadius_TestITSPARE01802.1X deauthenticationradio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C  more »
Nov 15 14:24:47PurchasingRadius_TestITSPARE01802.1X EAP failureradio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C  more »
Nov 15 14:24:47PurchasingRadius_TestITSPARE01802.1X deauthenticationradio: 1, vap: 4, client_mac: 84:3A:4B:56:F4:5C  more »
Nov 15 14:24:47PurchasingRadius_TestITSPARE01802.11 associationchannel: 40, rssi: 29

 

Any ideas?

34 REPLIES 34
Building a reputation

Re: 802.1X EAP failure with Windows AD Radius - Help!

nps15.gif

Hello Dan,

 

Did you add the AP's to the RADIUS clients? They need to be added so that RADIUS can work.

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

Yes, all of my Meraki AP's were added with their IP addresses. I created a Shared Secret template first, which I applied to all APs when adding them as RADIUS Clients.

Highlighted
Building a reputation

Re: 802.1X EAP failure with Windows AD Radius - Help!

Does NPS server have a certificate installed & configured in the NPS policy? I'm just making sure I get all the common denominators as I ask you this by the way.

Kind of a big deal

Re: 802.1X EAP failure with Windows AD Radius - Help!

Assuming then your access points have static IP addresses? I find its easier to simply add the /24 the AP's sit on. Also assuming the access points can reach the NPS server? Pings work etc.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

All AP's are set to DHCP but have a reservation set on the DHCP server. NPS server can ping all AP's no problem.

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

Yes, I have a certificate selected in NPS > Network Policies > My Meraki Policy > Constraints > Auth Methods > Microsoft PEAP > (Edit), issued by the server I installed the CA role on. I suspect it could be failing to do with this? I think at some point I created a Group Policy to deploy that certificate to client PC's, perhaps something is amiss with that but I can't seem to get enough info from any logs.

Building a reputation

Re: 802.1X EAP failure with Windows AD Radius - Help!

Check on this thread please and see if the problem might be there:

 

https://community.meraki.com/t5/Wireless-LAN/authentication-fails-in-windows-7-with-802-1X-with-Mera...

 

 

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

Thanks, I did come across that thread previously (with all the Spanish screenshots!) but I think I need to get the Test button working from the Meraki dashboard > Access Control for SSID first, before I then troubleshoot client PC's, would you agree?

Kind of a big deal

Re: 802.1X EAP failure with Windows AD Radius - Help!

I'm torn because I've seen instances where the AP fails that test, but radius still works. So at this point I would say try it and ignore those test results and see what happens.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

Okay I'll give it a go. Our clients are all Windows 10. At the moment when I try to connect to the Radius SSID it prompts me for credentials, with a tickbox to 'use my Windows user account', which if I tick fills in the boxes with my AD credentials. It check network requirements after clicking OK, but the credentials prompt just comes back again.

Kind of a big deal

Re: 802.1X EAP failure with Windows AD Radius - Help!

Does anything appear for NPS in the Windows Security Event log on the NPS server.  It will usually say why the request has been denied.

Comes here often

Re: 802.1X EAP failure with Windows AD Radius - Help!

ElectroDan-

 

Interesting to read your post, i'm in pretty much the same boat. So I can sympathize with your struggles, I'm dealing with almost the same thing. One thing I wanted to mention is to be sure that your NPS Network Policy is configured per the Meraki Documentation for 802.1X authentication (in addition to having your RADIUS Clients portion configured) since I found it needed both in order to test from the Meraki Dashboard. Check the following:

 

- The right certificate is selected under the NPS Policy > Constraints Tab > Microsoft: Protected EAP (PEAP) options > Edit Protected PEAP Properties

- The "Conditions" allow the proper AD user groups to authenticate ex: DOMAIN\Domain Users

 

So, i've gone through much of what you've already outlined and get the same interesting behavior. Macs and Apple IOS devices can successfully authenticate against AD using RADIUS, but only after they "Trust" the AD CS certificate used on our Domain. 

 

Our workstation environment consists of almost exclusively Windows 10 PC's and they all seem to do the same thing when a user tries to connect to wifi in the building:

 

1) Get prompted to authenticate (check "use my windows user account" or manually type in AD creds)

2) Windows prompts about the certificate. The thumbprint matches a cert issued by a trusted AD intermediate CA, user accepts

3) Immediately get a prompt "Can't connect to this network"

 

NPS doesn't give any useful output, and I know its validating accounts since iPhones and Mac OSX computers are able to get onto the wireless network.

 

There are never any reject or denied message in NPS logging (see below)

 

Network Policy Server granted access to a user.

User:
Security ID: DOMAIN\user.name
Account Name: user.name
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\user.name

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: E2-CB-AC-B5-5B-0ASmiley FrustratedSID NAME
Calling Station Identifier: 80-B0-3D-7F-EA-EA

NAS:
NAS IPv4 Address: 10.2.X.X
NAS IPv6 Address: -
NAS Identifier: 0bb3dca34b449637d61c5e0a6f2590af2dc7d2e9eff19b8a
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1

RADIUS Client:
Client Friendly Name: Meraki APs
Client IP Address: 10.2.X.X

Authentication Details:
Connection Request Policy Name: Meraki
Network Policy Name: Meraki
Authentication Provider: Windows
Authentication Server: DOMAINDC01.domain.local
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: 46353632394546364635453539383730
Logging Results: Accounting information was written to the local log file.


I'm at a loss. I think this is a certificate issue on the windows end stations, but i am not sure how to fix this. I'd like to avoid having to push out a GPO to get this going. We have a large traveling workforce that doesn't always get GPO updates in a timely manner because they are off the domain most of the time.

 

UPDATE:

I was able to get this resolved / working. Make sure that Wireless > Access Control > 802.11r is set to "Adaptive" (not Enabled). I think at one point we had turned this on. The tooltip description of what 802.11r made me think it only applied to old systems, not the Windows 10 computers we were having problems with.

 

802.11r technology reduces overhead when a client roams from one AP to another, delivering a more seamless transition. "Enabled" will activate 802.11r for devices that support it, though some legacy clients may not be able to join the network. "Adaptive" enables a custom version of 802.11r just for Apple iOS devices. Very few devices will have compatibility challenges with the "Adaptive" mode.

 

The description is misleading in that I didn't think it applied to our Windows 10 systems since they're not really legacy devices, yet. ;-)

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

I've had a go at that, however the link for rootsupd.exe is dead. I'll need to find an alternative.

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

Okay so the Security Event Log shows this on the NPS server. I'm guessing it's trying to authenticate the computer rather than the user?:

 

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: MYDOMAIN\ITSPARE01$
Account Name: host/ITSPARE01.mydomain.local
Account Domain: MYDOMAIN
Fully Qualified Account Name: mydomain.local/Mydomain/UK/Computers/ITSPARE01

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 9A-15-54-AB-52-67:Radius_Test
Calling Station Identifier: 84-3A-4B-56-F4-5C

NAS:
NAS IPv4 Address: 10.32.108.26
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: -

RADIUS Client:
Client Friendly Name: Meraki - Purchasing
Client IP Address: 10.32.108.26

Authentication Details:
Connection Request Policy Name: Meraki Staff Secure Wireless Connections
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: DC03.mydomain.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: 33364144324231353946353331303231
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

I was really hopeful with your suggestion on 802.11r, however I don't seem to have an 802.11r section in my dashboard! Searching for it just takes me to the Access Control page but the nearest thing to that on the page is 802.11w.

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

Okay, so working through the Event Viewer Security log, seems my user account is blocked from dial-in in my AD user properties. I don't recall this being mention in ANY of the guides I've read?!

 

I've opened my AD user properties, navigated to the Dial-in tab, changed Network Access Permission to 'Control access through NPS Network Policy', then rebooted my laptop but no joy. I then changed it to 'Allow access' but still no joy. I made these changes on my local domain controller, but I'll try again in an hour or so in case it's referring to another DC for some reason.

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

Have gotten a bit further.

 

With my user profile in AD set to 'Allow access' under the Dial-in tab, and the computer account having always been set to 'Control access through NPS Network Policy', I now see in Event Viewer on the NPS server:

 

Network Policy Server denied access to a user.

Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

I've now found out that if I remove the Machine Group from NPS > Policies > Network Policies > MyPolicy > Conditions, I don't get anything logged in the Security Event Log.

 

Once I add that back in, I see log entries again.

 

Still failing though with:

Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

Comes here often

Re: 802.1X EAP failure with Windows AD Radius - Help!

Strange that there is no 802.11r options in your Dashboard. I'm not sure how Meraki includes / excludes features (AP type? Licensing?). Like I said, this was the fix for us.

 

I'm looking at your NPS logs and its definitely trying to authenticate a computer account (as opposed to a user security group), is this by design? You will need to have a matching NPS policy which allows the AD computer group(s) under NPS > Policies > Network Policies > (policy name) > Properties > "Conditions" Tab.

I didn't realize that you can have Dial-in properties on computer accounts too. I suspect that this is also set to "Control access through NPS Network Policy".

 

It may be necessary to create a GPO as outlined here: https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

In order for these machine accounts to manually trust your Active Directory root and intermediate CAs and boot up with the correct wireless profile with SSID configured, etc.

 

Are you applying a GPO like this to the OU that contains the computer accounts that are trying to connect?

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

I'm back on this now Christmas is out of the way Smiley Happy

 

I had some default policies still enabled on my 2016 NPS Server, which I've disabled. They were:

 

Connection Request Policies > Use Windows authentication for all users.

Network Policies > Connections to other access servers.

Network Policies > Connections to Microsoft Routing and Remote Access server.

 

With those 3 disabled, I'm no longer getting the following Information level event logged in Event Viewer:

Reason code: 66

Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

 

Instead, I am now getting:

Reason code: 48

Reason: The connection request did not match any configured network policy.

 

I have 3 conditions set for the Staff WiFi Network Policy:

Condition: NAS Port Type, Value: Wireless - IEEE 802.11 OR Wireless - Other

Condition: User Groups, Value: MYDOMAIN\Meraki Staff Group

Condition: Machine Groups, Value: MYDOMAIN\Meraki Computer Group

 

The laptop I'm testing on is a member of the Meraki Computer Group, and the user account I'm logged on with belongs to the Meraki Staff Group.

 

I get a 'Reason Code: 48' event logged twice each time I try to connect; first for the user, then 10 seconds later for the machine:

 

-------------------------------------------------------------------------------------------------------------

 

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

 

User:
     Security ID: MYDOMAIN\ElectroDan
     Account Name: MYDOMAIN\ElectroDan
     Account Domain: MYDOMAIN
     Fully Qualified Account Name: MYDOMAIN\ElectroDan

 

Client Machine:
     Security ID: NULL SID
     Account Name: -
     Fully Qualified Account Name: -
     Called Station Identifier: 9A-15-54-AB-52-67:Radius_Test
     Calling Station Identifier: 84-3A-4B-56-F4-5C

 

NAS:
     NAS IPv4 Address: 10.99.108.26
     NAS IPv6 Address: -
     NAS Identifier: -
     NAS Port-Type: Wireless - IEEE 802.11
     NAS Port: -

 

RADIUS Client:
     Client Friendly Name: Meraki - Purchasing
     Client IP Address: 10.99.108.26

 

Authentication Details:
     Connection Request Policy Name: WiFi_Staff
     Network Policy Name: -
     Authentication Provider: Windows
     Authentication Server: DC03.mydomain.local
     Authentication Type: EAP
     EAP Type: -
     Account Session Identifier: 41413346334133424138354636383335
     Logging Results: Accounting information was written to the local log file.
     Reason Code: 48
     Reason: The connection request did not match any configured network policy.

 

-------------------------------------------------------------------------------------------------------------

 

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

 

User:
     Security ID: MYDOMAIN\ITSPARE01$
     Account Name: host/ITSPARE01.mydomain.local
     Account Domain: MYDOMAIN
     Fully Qualified Account Name: MYDOMAIN\ITSPARE01$

 

Client Machine:
     Security ID: NULL SID
     Account Name: -
     Fully Qualified Account Name: -
     Called Station Identifier: 9A-15-54-AB-56-2D:Radius_Test
     Calling Station Identifier: 84-3A-4B-56-F4-5C

 

NAS:
     NAS IPv4 Address: 10.99.108.25
     NAS IPv6 Address: -
     NAS Identifier: -
     NAS Port-Type: Wireless - IEEE 802.11
     NAS Port: -

 

RADIUS Client:
     Client Friendly Name: Meraki - Accounts
     Client IP Address: 10.99.108.25

 

Authentication Details:
     Connection Request Policy Name: WiFi_Staff
     Network Policy Name: -
     Authentication Provider: Windows
     Authentication Server: DC03.mydomain.local
     Authentication Type: EAP
     EAP Type: -
     Account Session Identifier: 41433342464337434233394535444334
     Logging Results: Accounting information was written to the local log file.
     Reason Code: 48
     Reason: The connection request did not match any configured network policy.

 

 

-------------------------------------------------------------------------------------------------------------

 

A couple of things I've noticed.

1) The machine account (MYDOMAIN\ITSPARE01$) is being listed in the User section, and the Client Machine section is empty.

2) The 2nd entry (for MYDOMAIN\ITSPARE01$) is registering via a different AP (Meraki - Accounts). Both AP's are within range of my test laptop.

 

Fun.

 

Not.

Kind of a big deal

Re: 802.1X EAP failure with Windows AD Radius - Help!

Note that when using conditions in NPS that all conditions have to be true.  So when you want to match on Windows Groups (and assuming whatever needs access is not in both groups) you have to put both of those groups into a single condition.

 

So make sure:

Condition: User Groups, Value: MYDOMAIN\Meraki Staff Group

Condition: Machine Groups, Value: MYDOMAIN\Meraki Computer Group

Is actually a single conditon containing both groups (which makes it an OR).

Getting noticed

Re: 802.1X EAP failure with Windows AD Radius - Help!

Just to check a couple of things that I've come across in the past... (although admittedly this was on a Windows Server 2012 R2 server). Make sure that the the 'Extensible Authentication Protocol' service on the Windows Server running NPS is not disabled (it should be set to Manual), and make sure that you have registered the NPS server with Active Directory. Both of these can prevent EAP with user credentials working.

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

Hi Philip,

 

I can confirm that all of those conditions should match, as the user account is in the MYDOMAIN\Meraki Staff Group, and the laptop in the MYDOMAIN\Meraki Computer Group.

 

If I change it to an OR condition, which I have previously tried, and set the condition to Windows Groups, when attempting to connect it just hangs on 'Verifying and connecting' on the laptop for a minute or so, then eventually ask for credentials. I tick the box for 'Use my Windows user account' and click OK, it checks for network requirements, then prompts for credentials again, and at no stage does anything get logged in the NPS event log.

 

If I take out the Meraki Computer Group condition, leaving just the NAS Port Type and User Groups conditions, again nothing gets logged and I'm repeatedly prompted for credentials.

 

If I remove the Meraki Computer Group condition and re-add the Meraki User Group condition, I get a Reason Code 48 logged, referencing the user account I'm testing with.

 

So I can't even connect with less security. Ultimately I want the AND condition to work, as I only want to allow company-issued computers that a domain user is logged onto, to connect.

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

Hi Bruce,

 

I can confirm the EAP service is set to Manual, and the NPS server is registered in AD.

 

Thanks.

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

A couple of other things I've noticed.

 

From this guide: https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_... I'm not able to do the following:

 

Disable Auto Remediation

  1. Navigate to Policies>Network Policies. Right click the wireless policy and select Properties.
  2. On the Setting tab for the policy uncheck the box Enable auto-remediation of client computers and click OK.

The auto-remediation option isn't there on the Settings tab and I haven't located it elsewhere.

 

Also, in the screenshot that outlines an example of an NPS policy, it has 2 conditions which I don't have (and can't find where I set them):

 

NAP Enforcement: Allow full network access

Update Noncompliant Clients: False

 

I'd like to add these, just in case they have an affect.

Kind of a big deal

Re: 802.1X EAP failure with Windows AD Radius - Help!

>I can confirm that all of those conditions should match, as the user account is in the MYDOMAIN\Meraki Staff Group, and the laptop in the MYDOMAIN\Meraki Computer Group.

 

Negative, you missed the point.  A user account is only a member of the "Meraki Staff Group".  It is not a member of the "Meraki Computer Group".

Consequently if you create an NPS policy and list each as seperate conditions it can never match, as the user will never be in the "Meraki Staff Group" AND the "Meraki Computer Group" at the same time.

 

So put both groups in the same condition to convert it to an OR criteria.

 

 

Next you said there was a big delay when you had this configuration.  This is another seperate problem.  Is the CA certificate that issued the certificate being used for the PEAP authentication in NPS trusted by the clients as a root authority?  Also this certificate can not be self-signed.

If both of these certificate requirements are not met the Windows workstations will not allow the authentication to succeed.  Note it is the workstation and not the NPS server refusing it in this case.

 

You need to check the event log on both the NPS server and the workstation to see which one is not happy.

Kind of a big deal

Re: 802.1X EAP failure with Windows AD Radius - Help!

>So I can't even connect with less security. Ultimately I want the AND condition to work, as I only want to allow company-issued computers that a domain user is logged onto, to connect.

 

Microsoft NPS server does not support this.  You would need to use a more advanced RADIUS server such as Cisco ISE.

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

Thanks Philip, some good suggestions there.

 

I changed the condition in the network policy to only check for the Meraki Staff Group, and attempted to reconnect. I was then prompted whether to use Windows Credentials, so ticked the box again and clicked OK. It failed to connect.

 

Checking the NPS server, I see 2 entries:

 

1)

User:

     Security ID: MYDOMAIN\ITSPARE01$

Authentication Details:

     Reason Code: 48

     Reason: The connection request did not match any configured network policy.

 

2)

User:

     Security ID: MYDOMAIN\ElectroDan

Authentication Details:

     Reason Code: 22

     Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

 

Looking in the WLAN-AutoConfig event log on the laptop, I see several errors:

 

1)

Wireless 802.1x authentication failed.

Identity: host/ITSPARE01.mydomain.local

User: 

Reason: Explicit Eap failure received

Error: 0x40420016

EAP Root cause String: Network authentication failed\nWindows doesn't have the required authentication method to connect to this network.

 

2)

Wireless 802.1x authentication failed.

Identity: ElectroDan@mydomain.com

User: ElectroDan

Reason: Explicit Eap failure received

Error: 0x40420016

EAP Root cause String: Network authentication failed\nWindows doesn't have the required authentication method to connect to this network.

 

A couple of the other Information type event log entries show the Encryption for the RADIUS_Test network as AES-CCMP and the EAP Information: Type: 0, Vendor ID 0, Vendor Type 0, Author ID 0

 

I would've thought the EAP information should show some values? Either way, I'm going to change it to an OR statement for the Network Policy by removing the User Group condition and adding the 2 security groups as Windows Groups on the same line, then retest.

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

I changed it to the OR statement, still no joy!

 

I also deployed a GPO to set a PEAP Wireless Profile on the laptop (using machine authentication as per the "(Optional) Deploy a PEAP Wireless Profile using Group Policy" section in the Meraki guide), which I can see is applied to the laptop after I do a gpupdate, but when attempting to connect it just tries and tries but logs no errors.

 

Is there an absolute minimum configuration I can go with to try to connect, and then add security layers on top to get to where it should be?

Kind of a big deal

Re: 802.1X EAP failure with Windows AD Radius - Help!

Does the NPS event viewer show that it is now granting the user/machine access?

 

The certificate being used for PEAP on your NPS server - where did that come from? Your own CA?

Kind of a big deal

Re: 802.1X EAP failure with Windows AD Radius - Help!

I just spotted your other message;

 

 

>Windows doesn't have the required authentication method to connect to this network.

 

This is good, we are getting close.  In NPS you should (only) have PEAP selected.  And inside of the PEAP configuration you should (only) have MSCHAPv2 selected.

Conversationalist

Re: 802.1X EAP failure with Windows AD Radius - Help!

In the NPS Policy, Constraints > Authentication Methods screen, I have EAP Type: Microsoft: Protected EAP (PEAP) set, which when you edit has the Eap Type Secured Password (EAP-MSCHAP v2) set.

 

Back on the Authentication Methods screen I have none of the Less secure authentication methods ticked.

 

These should all be correct as I've verified this with several guides.

 

Regarding the certificate, I obtained this for the RADIUS server from SSL.com, so a trusted CA. Is there a basic test I can run to check this part is setup correctly?

Comes here often

Re: 802.1X EAP failure with Windows AD Radius - Help!

FWIW- I could not get this setup to work with a Thawte issued Wildcard certificate, so we ended up using an internal certificate from a AD integrated CA and just deal with the trust / validation warnings on Macs and Android devices. 

 

Windows clients authenticate fine, since they have the GPO that forces the specific internal CA to be trusted for the wireless profile assigned to the SSID.

 

I'd LOVE to know how a public cert can be used in this situation properly, but i am not sure if it is possible with NPS.

Getting noticed

Re: 802.1X EAP failure with Windows AD Radius - Help!

Just another suggestion to check - which I'm not sure will be relevant or not, but might be worth checking. Does the Connection Request Policy you are hitting also have EAP selected as an Authentication method? If the Connection Request Policy doesn't have EAP specifically selected as an Authentication Method then the type of EAP isn't passed through to the Network Policy, and so this can cause the unknown EAP type error.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.