New Member

AAA Authentication Failure for UserName

I recently tried to set up a Cisco WLC 4402 (IOS 7.0.235.0) with RADIUS on Win Serv 2008 R2. I set up my security type as WPA2-Enterprise with AES encryption and Microsoft PEAP, exported a certificate from my CA server, and installed it on my client machine.

I am not sure what I am missing; let me know what information you need to further assist. I attached some screenshots.

0  Mon Jul 22 10:25:58 2013  Client Excluded: MACAddress:8c:70:5a:d2:f6:f8 Base Radio MAC :00:1e:79:d6:25:e0 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
1  Mon Jul 22 10:25:58 2013  AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
2  Mon Jul 22 10:25:54 2013  AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
3  Mon Jul 22 10:25:49 2013  AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
20 REPLIES
Cisco Employee

AAA Authentication Failure for UserName

I reviewed the doc you attached. The WLAN config part looks fine. I'd like to know what error message you are seeing on the RADIUS server under Event Viewer.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: AAA Authentication Failure for UserName

I have not seen any errors, only the information in the Event Viewer below:

A LDAP connection with domain controller 106P101.itserve.com for domain ITSERVE is established.

Earlier this morning (2 hours ago) I was receiving the error below. I already fixed this with the shared secret.

An Access-Request message was received from RADIUS client 10.110.0.99 with a Message-Authenticator attribute that is not valid.

Cisco Employee

Re: AAA Authentication Failure for UserName

I'd like you to check under Event Viewer > Custom Views > Server Roles > Network Policy and Access Services. Are we looking in the same sections? In case there are no hits, please make sure the NPS service is running fine.

If all is well, we may need to look at the RADIUS/AAA debugs.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: AAA Authentication Failure for UserName

I attached both username and computer errors.

Username:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: ITSERVE\ccampbell

Account Name: ITSERVE\ccampbell

Account Domain: ITSERVE

Fully Qualified Account Name: itserve.com/Accounts/Norcross/IT Staff/IT Administrators/Chad Campbell

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 00-1e-79-d6-25-e0:ARCHWAY

Calling Station Identifier: 8c-70-5a-d2-f6-f8

NAS:

NAS IPv4 Address: 10.110.0.99

NAS IPv6 Address: -

NAS Identifier: WAP106-MM

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 29

RADIUS Client:

Client Friendly Name: Cisco WAP

Client IP Address: 10.110.0.99

Authentication Details:

Connection Request Policy Name: Secure Wireless Connections

Network Policy Name: Connections to other access servers

Authentication Provider: Windows

Authentication Server: 106P101.itserve.com

Authentication Type: EAP

EAP Type: -

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 65

Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

Computer:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: ITSERVE\106LPT073$

Account Name: host/106LPT073.itserve.com

Account Domain: ITSERVE

Fully Qualified Account Name: ITSERVE\106LPT073$

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 00-1e-79-d6-25-e0:ARCHWAY

Calling Station Identifier: 8c-70-5a-d2-f6-f8

NAS:

NAS IPv4 Address: 10.110.0.99

NAS IPv6 Address: -

NAS Identifier: WAP106-MM

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 29

RADIUS Client:

Client Friendly Name: Cisco WAP

Client IP Address: 10.110.0.99

Authentication Details:

Connection Request Policy Name: Secure Wireless Connections

Network Policy Name: Secure Wireless Connections

Authentication Provider: Windows

Authentication Server: 106P101.itserve.com

Authentication Type: PEAP

EAP Type: -

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 23

Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

Bronze

Re: AAA Authentication Failure for UserName

The issue is most likely with the Windows RADIUS server. Are you using LDAP as the identity base or a RADIUS server on Windows?

From the log it seems to be an EAP handshake issue. As the log states, you need to get the EAP log or, more effectively, go to Microsoft/MSDN for help.


New Member

Re: AAA Authentication Failure for UserName

RADIUS.

Cisco Employee

Re: AAA Authentication Failure for UserName

The user request is showing that it's hitting the wrong network access policy:

Network Policy Name: Connections to other access servers

However, the machine authentication is hitting the right one.

Let's do this:

Go to Network Policies.

Edit Secure Wireless Connections.

Remove the condition "Machine Groups" equals ITSERVE\Wireless Users.

Save changes.

Try again and check the error if you fail to connect. If we see an EAP failure, we then need to look into the EAP log files.

~BR
Jatin Katyal

**Do rate helpful posts**

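As an added example (not code from this thread, Cisco or Microsoft), the Python script below does the triage that this exchange performs by hand: it parses the run-together WLC trap lines from the original post and the NPS "denied access" events pasted in the reply above, maps the reason codes that appear in this thread (65, 66, 23) to the diagnoses the thread reached, flags a request that matched a network policy other than the intended one (the "Connections to other access servers" point made just above), and correlates the WLC "Client Excluded" trap with the NPS denials by client MAC. The sample inputs are trimmed copies of the events in this thread, labelled as constructed; the expected policy name passed to `triage` and the diagnosis strings are assumptions and paraphrases, not NPS output.

```python
import re
from collections import defaultdict

# Reason codes seen in this thread and the diagnosis the thread reached for each
# (paraphrased here, not NPS's own wording).
REASON_DIAGNOSIS = {
    65: "AD account Dial-in tab: Network Access Permission is set to Deny access",
    66: "matched policy does not enable the client's auth method; check the intended policy's conditions",
    23: "EAP error inside NPS: check the EAP log files and the server certificate",
}

# Constructed sample: two WLC trap lines from the original post, in the run-together
# form the forum rendered (index, timestamp and message with no separators).
WLC_TRAPS = r"""
0Mon Jul 22 10:25:58 2013Client Excluded: MACAddress:8c:70:5a:d2:f6:f8 Base Radio MAC :00:1e:79:d6:25:e0 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
1Mon Jul 22 10:25:58 2013AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
"""

# Constructed sample: the two NPS denials from the thread, trimmed to the fields
# the triage needs (raw strings because the account names contain backslashes).
NPS_EVENTS = [r"""
User:
Account Name: ITSERVE\ccampbell
Client Machine:
Account Name: -
Calling Station Identifier: 8c-70-5a-d2-f6-f8
NAS:
NAS IPv4 Address: 10.110.0.99
Authentication Details:
Network Policy Name: Connections to other access servers
Authentication Type: EAP
Reason Code: 65
""", r"""
User:
Account Name: host/106LPT073.itserve.com
Client Machine:
Account Name: -
Calling Station Identifier: 8c-70-5a-d2-f6-f8
NAS:
NAS IPv4 Address: 10.110.0.99
Authentication Details:
Network Policy Name: Secure Wireless Connections
Authentication Type: PEAP
Reason Code: 23
"""]

WLC_TRAP_RE = re.compile(r"^(?P<idx>\d+)\s*(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s*(?P<msg>.*)$")
MAC_RE = re.compile(r"(?i)\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b")
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):$")
FIELD_RE = re.compile(r"^([^:]+?):\s*(.*)$")

def norm_mac(mac):
    """WLC prints aa:bb:.., NPS prints AA-BB-..; use one form for correlation."""
    return mac.lower().replace("-", ":")

def parse_wlc_traps(text):
    """Split each trap line into index, timestamp, message and the first MAC in it."""
    traps = []
    for line in text.splitlines():
        m = WLC_TRAP_RE.match(line.strip())
        if not m:
            continue
        mac = MAC_RE.search(m["msg"])
        traps.append({"idx": int(m["idx"]), "ts": m["ts"], "msg": m["msg"],
                      "mac": norm_mac(mac.group(0)) if mac else None})
    return traps

def parse_nps_event(text):
    """Key: value lines into a dict; keys stored bare (first wins) and section-qualified."""
    fields, section = {}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        f = FIELD_RE.match(line)
        if f:
            key, value = f.group(1).strip(), f.group(2).strip()
            fields.setdefault(key, value)          # e.g. 'Account Name' -> the User one
            fields[f"{section}.{key}"] = value     # e.g. 'Client Machine.Account Name'
    return fields

def triage(event_text, expected_policy):
    """Summarise one denial and flag a match on a policy other than the intended one."""
    ev = parse_nps_event(event_text)
    code = int(ev["Reason Code"])
    return {
        "account": ev["User.Account Name"],
        "mac": norm_mac(ev["Calling Station Identifier"]),
        "policy": ev["Network Policy Name"],
        "auth_type": ev["Authentication Type"],
        "reason_code": code,
        "wrong_policy": ev["Network Policy Name"] != expected_policy,
        "diagnosis": REASON_DIAGNOSIS.get(code, "reason code not covered in this thread"),
    }

def correlate(traps, denials):
    """Group WLC traps and NPS denials by client MAC, so a 'Client Excluded' trap
    can be read next to the server-side reason for the same client."""
    by_mac = defaultdict(lambda: {"wlc": [], "nps": []})
    for t in traps:
        if t["mac"]:
            by_mac[t["mac"]]["wlc"].append(t["msg"])
    for d in denials:
        by_mac[d["mac"]]["nps"].append((d["reason_code"], d["policy"]))
    return dict(by_mac)
```

Running `triage(NPS_EVENTS[0], "Secure Wireless Connections")` reports reason 65 and `wrong_policy: True` for the user logon, while the computer logon reports reason 23 on the intended policy; `correlate` then lists both denials under the same MAC as the WLC exclusion trap, which is the view that lets you tell a WLC-side exclusion apart from a server-side policy or certificate problem.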
New Member

Re: AAA Authentication Failure for UserName

I edited my dial-in properties in AD to allow access; it was previously controlled by NPS policy, which was set to ignore.

I removed the machine groups condition, and now receive a different error.

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: ITSERVE\ccampbell

Account Name: ITSERVE\ccampbell

Account Domain: ITSERVE

Fully Qualified Account Name: itserve.com/Accounts/Norcross/IT Staff/IT Administrators/Chad Campbell

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 00-1e-79-d6-25-e0:ARCHWAY

Calling Station Identifier: 8c-70-5a-d2-f6-f8

NAS:

NAS IPv4 Address: 10.110.0.99

NAS IPv6 Address: -

NAS Identifier: WAP106-MM

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 29

RADIUS Client:

Client Friendly Name: Cisco WAP

Client IP Address: 10.110.0.99

Authentication Details:

Connection Request Policy Name: Secure Wireless Connections

Network Policy Name: Connections to other access servers

Authentication Provider: Windows

Authentication Server: 106P101.itserve.com

Authentication Type: EAP

EAP Type: -

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 66

Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

Cisco Employee

Re: AAA Authentication Failure for UserName

You need to select PEAP as the authentication method under the "Secure Wireless Connections" network policy. Please refer to the screenshot attached.

Save the changes and try again. Let me know if you see any more errors.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: AAA Authentication Failure for UserName

Jatin, I already have it set.

New Member

Re: AAA Authentication Failure for UserName

Not sure if this is related?

Cisco Employee

Re: AAA Authentication Failure for UserName

Yup, you have it configured; however, the request is still going to some other policy where it's not checked.

Network Policy Name: Connections to other access servers

You may try this: go to the "Secure Wireless Connections" network policy and add a condition:

NAS IPv4 Address equals 10.110.0.99

This should work fine.

~BR
Jatin Katyal

**Do rate helpful posts**

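To make the diagnosis in the last few replies concrete (the user request landing on "Connections to other access servers" and being rejected with reason 66 even though PEAP is enabled on the intended policy), here is an added Python model of how NPS selects a network policy. It is illustrative code, not NPS or Cisco code: policies are tried in processing order, the first one whose conditions all hold is used, and a policy that matches but does not enable the client's EAP type rejects the request rather than falling through to the next policy. Everything beyond what the thread shows is an assumption: the fallback policy is modelled with no conditions and no EAP types, and the group memberships of the two constructed requests are made up.

```python
from dataclasses import dataclass

REASON_METHOD_NOT_ENABLED = 66   # the reason code quoted earlier in this thread

@dataclass
class Policy:
    name: str
    conditions: dict          # condition name -> required value; all must hold
    eap_types: frozenset      # EAP types enabled under Constraints > Authentication Methods
    enabled: bool = True

def condition_holds(required, actual):
    """Group-style conditions hold if the group is among the account's groups;
    scalar conditions (NAS IPv4 address, port type) must be equal."""
    if isinstance(actual, (set, frozenset)):
        return required in actual
    return required == actual

def evaluate(policies, request):
    """Walk policies in processing order.  The first policy whose conditions all
    hold is the match; if its enabled EAP types exclude what the client offered,
    the request is rejected with reason 66 and later policies are not tried."""
    for p in policies:
        if not p.enabled:
            continue
        if all(condition_holds(v, request.get(k)) for k, v in p.conditions.items()):
            if request["eap_type"] in p.eap_types:
                return p.name, None
            return p.name, REASON_METHOD_NOT_ENABLED
    return None, "no policy matched"

def with_conditions(policy, conditions):
    """Copy of a policy with a different condition set (edit-and-save in the console)."""
    return Policy(policy.name, conditions, policy.eap_types, policy.enabled)

# Policies as described in the thread.  Assumption: the default 'Connections to
# other access servers' policy is modelled with no conditions and no EAP types.
SECURE = Policy("Secure Wireless Connections",
                {"machine_groups": r"ITSERVE\Wireless Users"}, frozenset({"PEAP"}))
FALLBACK = Policy("Connections to other access servers", {}, frozenset())
POLICIES = [SECURE, FALLBACK]

# Constructed requests: the computer account is a member of the Wireless Users
# group; a user logon is not a machine, so it carries no machine groups at all.
MACHINE_REQ = {"machine_groups": {r"ITSERVE\Wireless Users"},
               "nas_ipv4": "10.110.0.99", "eap_type": "PEAP"}
USER_REQ = {"machine_groups": set(), "nas_ipv4": "10.110.0.99", "eap_type": "PEAP"}

if __name__ == "__main__":
    print(evaluate(POLICIES, MACHINE_REQ))   # intended policy, accepted
    print(evaluate(POLICIES, USER_REQ))      # falls to the fallback policy, reason 66
    fixed = [with_conditions(SECURE, {"nas_ipv4": "10.110.0.99"}), FALLBACK]
    print(evaluate(fixed, USER_REQ))         # intended policy, accepted
```

The third call models the NAS IPv4 condition suggested just above: a condition the user logon can satisfy keeps the request on the intended policy instead of letting it fall through. Later in this thread the poster reports that in his case this alone did not fix the connection, and the cause turned out to be the server certificate, so a policy match with reason 23 is a different problem from a policy miss with reason 66.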
New Member

Re: AAA Authentication Failure for UserName

Still did not work. I am thinking the issue is with the certificate; I just want to verify it.

I keep receiving the error below. Where can I find the log file if it is not in C:\Windows\System32\Logfiles?

An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

Cisco Employee

Re: AAA Authentication Failure for UserName

The issue seems to be with the server-side certificate. Based on your very first post, I realise you're using a third-party certificate. Is it possible to issue a new certificate and try again? Or please export the certificate and attach it in your next reply.

Certificate Requirements for PEAP and EAP

http://technet.microsoft.com/en-us/library/a1ac8d7e-3479-46b4-932b-ab43362e021b

By default, these log files are located at %windir%\System32\Logfiles

http://technet.microsoft.com/en-us/library/dd197464%28v=ws.10%29.aspx

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: AAA Authentication Failure for UserName

Sorry for the delay, the certificates are self-signed.

New Member

Re: AAA Authentication Failure for UserName

Jatin,

I am still having an issue; I have attached the logs from my most recent connection.

Cisco Employee

Re: AAA Authentication Failure for UserName

I'm unsure how you captured those Event Viewer entries, because if you go and look at the info, the actual info is missing. I don't see any reason code or the rest of the parameters. Can you take it again and confirm it there?

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: AAA Authentication Failure for UserName

I got everything working, I followed the below steps.

You can install another certificate fairly easily if you want to extend the validity period. It looks like the original problem is that there was something wrong with the server certificate.

A couple things you should know:

1. It isn't necessary to have the client settings configured to validate the server certificate. This is just for better security.

2. In the link I gave before (http://support.microsoft.com/kb/814394), there are some requirements for the server certificate. One of the requirements close to the bottom of the page says "For wireless clients, the Subject Alternative Name (SubjectAltName) extension contains the server's fully qualified domain name (FQDN)." This may be why one of the certificates you installed isn't working.

Load up the certificates mmc snap-in for the Computer account on your DC and look at the certificates in the Personal\Certificates container. Double-click the certificates and then click the Details tab. This displays information about the certificate such as the subject alternative name, the enhanced key usage, and the valid from/to dates.

You can delete certificates here if you aren't using them. You might want to re-issue a certificate and then delete the old one.

To re-issue a certificate, first you should review the template for the certificate. Type certtmpl.msc at a command line (click Start, Run, certtmpl.msc, enter) to open the certificate templates console. If you installed an Enterprise CA then you can create and modify templates. The instructions you used did say to create an Enterprise CA, so you should be able to do this.

Try this:

1. In the Certificate Templates Console, under Template Display Name, find Computer. Right-click it, click Duplicate Template, and then click OK.

2. In Properties of New Template, on the General tab, under Template display name, type a name for your new template. You can use something like Wireless Server Auth. While you are on the General tab, you can also set a validity period. By default it will be 1 year. Change this if you wish, but read this first: http://www.expta.com/2010/08/how-to-create-certificates-with-longer.html - if you try to create a validity period longer than 2 years it won't work without some tweaking.

3. Click the Security tab. Here is where you need to add permission for you to enroll. Click Authenticated Users and place a check in Allow for Enroll.

3a. (Added a step here). Click the Subject Name tab, choose Build from this Active Directory information, and then choose Common name from the drop-down list.

4. Click OK and now you'll see the new certificate at the bottom of the list. There is just one more thing to do now to enable the CA to actually issue this certificate.

5. Close the certificate templates console. Click Start, Run, certsrv.msc, enter. This will open the local Certification Authority console.

6. Click Certificate Templates and have a look at the list. These are all the templates that this CA can currently issue if the user and computer have permission to enroll.

7. Now right-click the Certificate Templates folder, point to New, then click Certificate Template to Issue. Scroll down the list and find the new template you created. The name I suggested was Wireless Server Auth but you might have picked something else. Highlight this template and then click OK. Now you should see that it is added to the list of Certificate Templates.

8. While you are in this console, click on the Issued Certificates container. You should see a list here of all the certificates that this CA has issued. You can also view Pending Requests (for certificates that require approval before being issued) and Failed Requests (there was a problem issuing the cert).

9. Now go back to the local computer certificate console (Start, Run, mmc, enter, File... Add/Remove Snap-in, Certificates, Add, Computer account, Next, Local computer, Finish, OK). Right-click the container under Personal\Certificates, point to All Tasks, Request New Certificate, Next, Next. You should now see the Wireless Server Auth certificate. Choose it and click Enroll. At this point you should now see another certificate in the list. You can tell which one is the one you just issued by looking at the Details tab and viewing Certificate Template Information.

10. Now go back to PEAP properties in the Network Policy and choose this certificate.

Cisco Employee

Re: AAA Authentication Failure for UserName

Good to know. Thanks for the update.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

YOU ARE THE MAN!  

I've been working on NPS/RADIUS authentication for going on two weeks now, having issues with Windows 7 and non-domain clients authenticating correctly. I was running into the same exact issue you were (reason code 23, etc.) and couldn't come up with anything that would resolve the problem... until now. I followed your directions to a tee and, lo and behold, wireless authentication (PEAP/MSCHAPv2) is working flawlessly.

I wish I could buy you a beer. /thumbsup
