802.1x wireless authentication on Windows NPS working for some, others generate an error.

JacobD
Here to help

802.1x wireless authentication on Windows NPS working for some, others generate an error.

I'm currently moving our authentication off of a Cisco ISE to a windows NPS server. Each machine uses a certificate from our CA to authenticate and has worked on the ISE with no issues. We now are moving most services (maybe all eventually) to Microsoft Azure and so my boss wanted to set up a NPS server there. We also have a vMX100 in Azure so all traffic is sent to Azure through the Meraki VPN.

 

I set up an MX68CW at my desk and configured it with a test SSID that was set to authenticate with the new NPS. It's a pretty simple policy in the NPS, just matches 802.1x and then does a certificate exchange. The NPS has a certificate from our CA as well and is set to use that to authenticate itself to the client. It worked fine on my test MX68CW. I joyfully told my boss and he gave me the go-ahead to set it up on all our branches. The clients at the first branch I set it up on wouldn't authenticate. The NPS gave me this error:

Reason code: 22

The client could not be authenticated because the Extensible Authentication Protocol type cannot be processed by the server.

But when I use my test MX68CW again, it still works fine there. I tried a few other locations, some with MX68CW, some with MR52/55, but it always generates this error. With the MX68CWs I can't really change that many settings, so the EAP type shouldn't be different. I just have the NPS clients set up in subnets, so not individual devices, and it's matching that fine. I am at a loss. I don't know what to check because it works for exactly one device that I have tried and since it's not working for any actual production devices that I've tried, I'm unsure about trying anymore.

 

I had the thought, that maybe I needed to reboot the wireless devices after I change the setting. So I went in earlier today to try that. Deleted the ISE entry and added the NPS and let it sit for about a minute so the dashboard would push the setting change, then rebooted. After it came back it did attempt to authenticate on the NPS but I still got the same error for the 2 wireless devices at that location. I rebooted it once more, and when it came back up for some reason it authenticated with the Cisco ISE, even though that is not even configured in dashboard now. It was previous configured with the ISE, but I deleted that. Did the new config not get completely committed or something?

 

Maybe this is to much information, but I try to always list everything I've done and everything I've experienced, just in case something clues someone in on something.

6 REPLIES 6
cmr
Kind of a big deal
Kind of a big deal

Have you set the server that the NPS is on to trust your CA, or just given it a client certificate?

JacobD
Here to help

We gave it a RAS and IAS Server certificate and it is from our CA. Under "intended purpose" for that certificate it says for client and server authentication. I believe that's the correct one, but maybe I am wrong. And as far as I understand, if that cert is there (under personal certificates btw) then it trusts our CA. Am I wrong in that assumption? Also under "trust root CA" it has our CA listed there.

cmr
Kind of a big deal
Kind of a big deal

I think you have the correct certificate settings with what you have described.

 

Going into the message, it seems to be saying that it doesn't like EAP, I'm guessing that it is a newiish OS that you are running?

JacobD
Here to help

It's windows server 2016 (says version 1607). I'm no sysadmin, but that doesn't sound very new to me, but maybe others are running on an older version. I know our sysadmins have a patch day every month, so it's also possible they added a patch that changed something. However, I cannot say what exactly. I only have the rights to the NPS settings.
cmr
Kind of a big deal
Kind of a big deal

2016 should be fine for EAP, especially if it is patched, I don't think that is the problem.

JacobD
Here to help

This may seem crazy, but is it possible that I have to just let the config sit for a day? We had some weird issues with the ISE when we were replacing old devices with Meraki at each branch location, I had to configure everything a day before, otherwise the radius on the ISE wouldn't work either. But it always worked the next day. I thought that was something weird on the ISE, but maybe it that is related.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.