We are using WLC4402 for our Aironet 1240AG access points. The clients are connecting to the access points and are authenticating to the RADIUS server. I am seeing the logs in Server 2008 but they are being rejected due to Network Policy on the NPS server.
Where do I see the Authentication Type on the WLC4400 or the 1240s? In order for the clients (authenticated via Active Directory user) to connect, I have to set the Authentication in the NPS Connection Request Policy to "Allow clients to connect without negotiating an authentication method".
I do not have a certificate on the server and my method options are MS-CHAP-v2, MS-CHAP, CHAP, PAP, SPAP, and allow without negotiating. This RADIUS server was moved from Server 2003 IAS to Server 2008 NPS and there were no issues in Server 2003 IAS. I have all authentication methods allowed and it still gives me the error below. Only when I check "Allow clients to connect without negotiating an authentication method" it allows the authentication to proceed.
Any insight is greatly appreciated. Thank you!
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 00-17-a2-87-54-00:SSIDNAME
Calling Station Identifier: 00-41-96-b6-e3-27
NAS IPv4 Address: 192.168.90.24
NAS IPv6 Address: -
NAS Identifier: WLCHOSTNAME
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
Client Friendly Name: AP Controller 2
Client IP Address: 192.168.90.24
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Wireless MAC Authentication Policy
Authentication Provider: Windows
Authentication Server: RADIUSSERVERHOSTNAME
Authentication Type: Unauthenticated
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
Authentication methods are determined by the client; the WLC does not determine that.
You say you don't have a certificate on the server? How do you have the clients set up? What authentication method is selected? Typically you would use EAP-PEAP for username authentication but this requires at least that the server has a self-signed certificate.
Thanks for the fast response. I am in the process of determining the authentication methods of the clients. I forgot to mention that VPN still works whether or not I set different settings on the RADIUS server. We are using ASA 5510s and authentication and Windows RRAS still does fine. It just seems like our wireless clients (laptops, phones, handheld scanners, etc.) don't like the setup of something on either the RADIUS server or the WLC.
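Added example, not part of the original thread: a small Python script that tallies NPS rejection events in the field layout pasted above by the Authentication Type and EAP Type the server recorded, and lists the calling stations logged as "Unauthenticated". The second sample event, its MAC address, and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: two rejection events using the field names from the post.
# The first mirrors the pasted event; the second is made up for contrast.
SAMPLE_LOG = """\
Calling Station Identifier: 00-41-96-b6-e3-27
Network Policy Name: Wireless MAC Authentication Policy
Authentication Type: Unauthenticated
EAP Type: -
Reason Code: 66

Calling Station Identifier: 00-00-5e-00-53-01
Network Policy Name: Wireless MAC Authentication Policy
Authentication Type: MS-CHAPv2
EAP Type: -
Reason Code: 66
"""

# Key is everything before the first colon; the value may itself contain colons
# (e.g. "Called Station Identifier: 00-17-a2-87-54-00:SSIDNAME").
FIELD = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split on blank lines and return one {field: value} dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            events.append(fields)
    return events

def summarize(events):
    """Count events by (network policy, auth type, EAP type, reason code)."""
    keys = ("Network Policy Name", "Authentication Type", "EAP Type", "Reason Code")
    return Counter(tuple(e.get(k, "?") for k in keys) for e in events)

def unauthenticated_stations(events):
    """Calling stations logged as 'Unauthenticated' with no EAP type."""
    return sorted({e.get("Calling Station Identifier", "?") for e in events
                   if e.get("Authentication Type") == "Unauthenticated"
                   and e.get("EAP Type", "-") == "-"})

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for key, n in summarize(evts).most_common():
        print(n, *key, sep=" | ")
    print("Unauthenticated:", unauthenticated_stations(evts))
```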