topic Re: MSM 422 AP cannot authenticate on Windows NPS server in M and MSM Series

MSM 422 AP cannot authenticate on Windows NPS server

Onno — Tue, 22 Jan 2013 14:21:30 GMT

At one of our locations we have a setup where clients connecting to a msm422 ap in autonomous mode must authenticate on a windows NPS server using their computer-certifcate. This authentication fails and the NPS security log shows an empty EAP type. The event log on the MSM422 shows BAD EAP TYPE. Everything is setup using Micorsoft PEAP. What is going wrong ? Shoudl this setup be able to work ?

Re: MSM 422 AP cannot authenticate on Windows NPS server

Peter_Debruyne — Tue, 22 Jan 2013 22:32:43 GMT

Hi,

Have you verified that the inner PEAP authentication type is certificate (not ms-chapv2) on both the client and the NPS server ?

Instead of PEAP with inner auth certificate you can also use the outer auth type "Certificate" (TLS), but again make sure the NPS policy has the same config as the windows client.

On the client you should also verify the advanced properties and make sure the computer auth is selected.

Other place to look for errors is in the NPS server standard windows event logs - NPS, there you should see some messages. Feel free to post the error message if the problem remains,

Best regards,Peter

Re: MSM 422 AP cannot authenticate on Windows NPS server

Onno — Wed, 23 Jan 2013 12:04:44 GMT

Thanks for answering.I've double checked our settings. Both sides are set up with Microsoft PEAP using computer certificate. The certificates are generated on our internal PKI infrastructure using the Microsoft CA role. I was wondering if the AP needs to set up with the CA certificate in the trusted CA store for this to work. On the NPS server we see the following errors, as you can see it is not receiving or unable to determine the EAP-Type:

Contact the Network Policy Server administrator for more information.

User:

Security ID: YYYYYY

Account Name: XXXXXXX

Account Domain: ZZZZZZZ

Fully Qualified Account Name: YYYYYYY

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: intentionally removed

Calling Station Identifier: intentionally removed

NAS:

NAS IPv4 Address: X.Y.Z.V

NAS IPv6 Address: -

NAS Identifier: intentionaly removed

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 584

RADIUS Client:

Client Friendly Name: intentionally removed

Client IP Address: X.Y.Z.V

Authentication Details:

Connection Request Policy Name: Secure Wireless Connections

Network Policy Name: Secure Wireless Connections

Authentication Provider: Windows

Authentication Server: intentionally removed

Authentication Type: EAP

EAP Type: -

Account Session Identifier: 65333666313264302D3030303030326435

Logging Results: Accounting information was written to the local log file.

Reason Code: 22

Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Re: MSM 422 AP cannot authenticate on Windows NPS server

Peter_Debruyne — Wed, 23 Jan 2013 12:42:25 GMT

You can verify on the MSM AP on the RADIUS profile if the type is EAP (not PAP or CHAP). I thought there was no real need for this anymore, but you might want to check it anyway.

Have you tried instead of "PEAP" the outer "certificate" method (on both nps and client) ?

Which version of code is running on the AP ?

Re: MSM 422 AP cannot authenticate on Windows NPS server

Onno — Thu, 24 Jan 2013 07:38:47 GMT

Based on your suggestion, I checked the setting in our Radius Profile. It is currently set to MSCHAPV2. The help however states that when using 802.1x this setting is controlled by client and radius server and that this setting has no effect. I am going to check however what happens if I change change it to the EAP MD5 setting and post the results.

the version of the AP firmware is: Current firmware version: 5.3.1.0-01-7143.

Re: MSM 422 AP cannot authenticate on Windows NPS server

Peter_Debruyne — Sat, 26 Jan 2013 11:43:28 GMT

Hi,

that is pretty old firmware, so I would start with an update first. The Radius auth type does not matter indeed for the 802.1x process,

Best regards,Peter

Re: MSM 422 AP cannot authenticate on Windows NPS server

rkobiske — Fri, 01 Feb 2013 20:17:26 GMT

DId you adjust your MTU setting for the radius policy?

This applys to Windows 2003, but we had to do this in 2008 also.

http://support.microsoft.com/kb/883389