AiroNet 1140 Authentication Issues Windows Server 2008 NPS

puntgorda
Level 1

Hello,

We have an AiroNet 1140 AP that we are trying to configure for RADIUS authentication. Our RADIUS server is a Microsoft Windows Server 2008 NPS server. Unfortunately, our Wi-Fi clients are unable to authenticate. We appear to have everything configured on the AP and RADIUS server correctly, but we receive the following errors from the debug on the AP.

Doug

*Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

6 Replies

Stephen Rodriguez
Cisco Employee

That tells me that the NPS is either ignoring the request, or not receiving it. In the NPS, you defined the AP as a NAS/Client?

Can you post the config from the AP? I'd also like to see the NPS config.

Steve

HTH,
Steve


Hi Steve,

Here is the config for the AP. Some screenshots of the NPS config are below, too. Please let me know if you need more information from our NPS server.

Thanks,
Doug

ap#sh run
Building configuration...

Current configuration : 2971 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
logging rate-limit console 9
enable secret 5 $1$1IPZ$WkdzqdeeGvEPvQLCHfGXU.
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.20.2.96 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
server 10.20.2.96 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid wifi
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
!
!
!
username pg_ap privilege 15 secret 5 $1$rg0/$hTYIn.lysNUfxhzxqXonl/
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid wifi
!
antenna gain 0
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid wifi
!
antenna gain 0
dfs band 3 block
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel dfs
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.40.0.200 255.255.0.0
no ip route-cache
!
ip default-gateway 10.40.0.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
  no authentication mac
  nas 10.20.2.96 key 7 003555402B5F012F3D007B16062C46430759550B3A232F7E0A1636472C01402573
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.20.2.96 auth-port 1645 acct-port 1646 key 7 08100A08261D0F3E202A3B5C251E677C26677B1C171E08576F7A4C077F19403C337F0C7C7D035B172550305F756934172E327A1B13250C154D4C3F1319305C3514
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

ap#

Hello,

Do you have any logs at the NPS server itself?  Attempt to authenticate again and then immediately open your 2008 server manager and navigate to...

Diagnostics > Event Viewer > Custom Views > Server Roles > Network Policy and Access Services

and

Diagnostics > Event Viewer > Windows Logs > Security

Do you see any relevant entries for NPS as to why this request was rejected or client not authenticated?

I see the AP is also configured as a local radius server.  This "should" not be a problem since your eap_methods is calling your rad_eap group, which is pointing back to NPS, however you might remove it for the sake of cleanliness of the config.

!
radius-server local
  no authentication mac
  nas 10.20.2.96 key 7 003555402B5F012F3D007B16062C46430759550B3A232F7E0A1636472C01402573
!

Lastly, on your NPS config, you may consider removing any "EAP Types" from the "settings" of the "Connection Request Policy" and only include them in the "constraints" of the actual "Network Policy".

Remove local radius config, connect a client, and post relevant NPS logs from event viewer.
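
An added example, not part of the thread or any poster's code: a Python check that follows the chain described in the reply above (SSID, method list, server group, radius-server host) through a constructed excerpt of the posted AP config, and notes whether the local RADIUS server is enabled. The name trace_eap and the sample text are assumptions for illustration; it also assumes a group's server entry should match a radius-server host line by address and auth port.

```python
import re

# Constructed excerpt: the AAA/RADIUS lines of the AP config posted above, keys omitted.
CONFIG = """\
aaa group server radius rad_eap
server 10.20.2.96 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
dot11 ssid wifi
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
radius-server local
nas 10.20.2.96 key 7 <omitted>
radius-server host 10.20.2.96 auth-port 1645 acct-port 1646 key 7 <omitted>
"""

def trace_eap(config):
    """Resolve SSID -> method list -> server group -> radius-server host."""
    groups, methods, hosts, ssids, notes = {}, {}, set(), {}, []
    group = ssid = None
    for line in map(str.strip, config.splitlines()):
        if not line.startswith(("server ", "authentication ")):
            group = ssid = None  # any other command leaves the sub-mode
        if m := re.match(r"aaa group server radius (\S+)", line):
            group = groups.setdefault(m[1], [])
        elif (m := re.match(r"server (\S+) auth-port (\d+)", line)) and group is not None:
            group.append((m[1], int(m[2])))
        elif m := re.match(r"aaa authentication login (\S+) (?:group (\S+)|local)", line):
            methods[m[1]] = m[2]  # None: the list uses the AP's local database
        elif m := re.match(r"dot11 ssid (\S+)", line):
            ssid = ssids.setdefault(m[1], set())
        elif (m := re.match(r"authentication (?:open eap|network-eap) (\S+)", line)) and ssid is not None:
            ssid.add(m[1])
        elif m := re.match(r"radius-server host (\S+) auth-port (\d+)", line):
            hosts.add((m[1], int(m[2])))
        elif line == "radius-server local":
            notes.append("local RADIUS server is enabled on the AP")
    resolved = {}
    for name, lists in ssids.items():
        resolved[name] = []
        for lst in sorted(lists):
            servers = groups.get(methods.get(lst), [])
            if not servers:
                notes.append(f"{name}: list {lst} resolves to no RADIUS server")
            for srv in servers:
                resolved[name].append(srv)
                if srv not in hosts:
                    notes.append(f"{name}: {srv[0]}:{srv[1]} has no radius-server host line")
    return resolved, notes
```

Calling trace_eap(CONFIG) returns the servers each SSID's EAP requests are sent to, plus a list of notes for anything that breaks the chain.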

Hi David,

Here is an event in the NPS log.

Doug

Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

So, since you are using PEAP on the server, make sure your client is configured as such (not smart card/etc).

MS further describes EAP Reason Code: 22 as...

Network Policy Server was unable to negotiate the use of an Extensible Authentication Protocol (EAP) type with the client computer

Did you remove the EAP types from the "connection request policy" and only use them in the conditions of the "network" policy?

Hello,

It turned out the issue was with the certificate on the NPS server. I replaced it and all is well.

Thank you,
Doug
