Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

WLC4402 and Windows 2008 NPS

We are using WLC4402 for our Aironet 1240AG access points.  The clients are connecting to the access points and are authenticating to the RADIUS server.  I am seeing the logs in Server 2008 but they are being rejected due to Network Policy on the NPS server.

Where do I see the Authentication Type on the WLC4400 or the 1240's?  In order for the clients (authenticated via Active Directory user) I have to set the Authentication in the NPS Connection Request Policy to "Allow clients to connect without negotiating an authentication method". 

I do not have a certificate on the server and my method options are MS-CHAP-v2, MS-CHAP, CHAP, PAP, SPAP, and allow without negotiating.  This RADIUS server was moved from Server 2003 IAS to Server 2008 NPS and there were no issues in Server 2003 IAS.  I have all authentication methods allowed and it still gives me the error below.  Only when I check "Allow clients to connect without negotiating an authentication method" it allows the authentication to proceed. 

Any insight is greatly appreciated.  Thank you!

Client Machine:

    Security ID:            NULL SID

    Account Name:            -

    Fully Qualified Account Name:    -

    OS-Version:            -

    Called Station Identifier:        00-17-a2-87-54-00:SSIDNAME

    Calling Station Identifier:        00-41-96-b6-e3-27


    NAS IPv4 Address:

    NAS IPv6 Address:        -

    NAS Identifier:            WLCHOSTNAME

    NAS Port-Type:            Wireless - IEEE 802.11

    NAS Port:            1

RADIUS Client:

    Client Friendly Name:        AP Controller 2

    Client IP Address:  

Authentication Details:

    Connection Request Policy Name:    Use Windows authentication for all users

    Network Policy Name:        Wireless MAC Authentication Policy

    Authentication Provider:        Windows

    Authentication Server:        RADIUSSERVERHOSTNAME

    Authentication Type:        Unauthenticated

    EAP Type:            -

    Account Session Identifier:        -

    Logging Results:            Accounting information was written to the local log file.

    Reason Code:            66

    Reason:                The user attempted to use an authentication method that is not enabled on the matching network policy.

Everyone's tags (5)

WLC4402 and Windows 2008 NPS

Authentication methods are determined by the client, the WLC does not determine that.

You say you don't have a certificate on the server? How do you have the clients setup? What authentication method is selected? Typically you would use EAP-PEAP for username authentication but this requires at least that the server has a self-signed certificate.

Community Member

WLC4402 and Windows 2008 NPS

Thanks for the fast response.  I am in the process of determining the authentication methods of the clients.  I forgot to mention that VPN still works whether or not I set different settings on the RADIUS server.  We are using ASA 5510s and authentication and Windows RRAS still does fine.  It just seems like our wireless clients (laptops, phones, handheld scanners, etc.) doesn't like the setup of something on either the RADIUS server or the WLC.

CreatePlease to create content