Issues when moving windows NPS server

Zulan
Here to help

Issues when moving windows NPS server

Hello, I am moving all my on prem servers remotely. I have created a new NPS installation on a new server. I then exported the NPS configuration I had on-prem and imported it to the new server. It starts up fine and I can see all my access points under Radios Clients. If I test the radius server from the cloud gui it can access the points, but fails on all of them with the message Failed to connect to the RADIUS server. Checking the eventviewer on the new server I get a ton of Event ID 6274.

Network Policy Server discarded the request for a user.

Reason Code: 1

Reason:An internal error occurred. Check the system event log for additional information.

 

The system event log shows nothing. 

 

If I test using my old NPS server with the same config, it works perfectly. 

 

I have no idea what to test or even start troubleshooting this, any ideas?

9 Replies 9
alemabrahao
Kind of a big deal
Kind of a big deal

Have you verified that the certificates are configured in the policy?

 

https://learn.microsoft.com/en-us/answers/questions/653017/how-to-renew-nps-certificate

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Zulan
Here to help

No, I have not. I have not set this up but rather inherited it so I'm not sure on how to do that. But this is probably a good place to start. I will read up and investigate that. 

Zulan
Here to help

It seems I have a self signed certificate, should it still be moved? The new server has another name and that servername is now in the certificate list for the new server. Just like the old server has the old server name, this just seems correct to me?

alemabrahao
Kind of a big deal
Kind of a big deal

I don't know who plays the role of CA for your network, but you must sign a certificate in your CA for this new server.

 

https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/dep...

 

https://mizitechinfo.wordpress.com/2014/07/15/step-by-step-installing-and-configuring-a-network-poli...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Zulan
Here to help

It's all quite confusing to be honest since I'm not only new to Meraki. The network itself is now without an administrator and I can't find any documentation. Anyway, I ran a certutil and it sais the authority is on a server not available anymore and no one seems to know about it. I could install a new authority but I am worried about the implications of that. Still not sure it's the solution to the problem either. 

alemabrahao
Kind of a big deal
Kind of a big deal

For 802.1x to work, it is necessary to install the CA and configure the certificate. It is a prerequisite.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

HI @Zulan .  This kind of configuration is pretty complicated.  It usually requires a medium to advanced level of knowledge to deploy.

 

It's admirable you have taken on this challenge, but honestly, I think you would be better off getting a local network engineer to come and assist with this little bit.  If you don't have a "regular" you deal with, try the Cisco Partner Locator.

https://locatr.cloudapps.cisco.com/WWChannels/LOCATR/openBasicSearch.do 

 

@alemabrahao is asking you all the right questions, but I could see this taking a thousand questions to tease out and solve.

PhilipDAth
Kind of a big deal
Kind of a big deal

When you add the NPS role to Windows server it fails to add the correct firewall rules.  Create some new Windows Firewall rules and allow udp/1812 and udp/1813.  Then it should work.

 

The next thing to check is to make sure the keys for the clients are correctly loaded.  Maybe try setting one manually.

Zulan
Here to help

Hello Philip, thanks for your answer. I have created rules for udp 1812 and 1813. I get the mentioned events on the server everytime I try it so I guess it is able to reach the server. I have also double checked the secret to the radius server and it seems correct. I have now been going through the gui and I can not find anything about keys to the clients. Where do you set that?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels