Cisco Support Community
EAP Type cannot be processed error on connecting to Cisco 2504 WLAN using NPS as backend auth

We have a small roll-out of a new Cisco 2504 controller with 11 APs.

We are authenticating clients using a previously existing RADIUS server, specifically, Microsoft's NPS (Network Policy Server, MS Server 2008R2 SP1).  The NPS server works with our existing wireless controller (an Aruba model), but we are getting a persistent error with the new system.

Properties of the configured AAA (802.1x) profile:

Security type: WPA-Enterprise

Encryption:  AES

Network Auth Method:  EAP (PEAP)

  (We are not having clients validate the server certificate).

Inner EAP Method:  EAP-MSCHAPv2

It seems that the (outer) PEAP tunnel is working, but the (inner) EAP authentication is failing.  We think so because we get logs on the NPS server, and they mention EAP specifically.

Looking at NPS logs in Event Viewer, we are getting the same error (see below) upon each attempt to authenticate a client to the network.

Most of the "solutions" to this problem when searching the internet seem to involve certificates, but we are not using certificates on our inner EAP method -- just Windows password authentication (MSCHAPv2).  So we don't understand how certificates could be relevant.

Here is the error from Windows event logs.  See especially the last line:

<ERROR Event ID="6273">

User:
Security ID: [redacted]\[redacted]
Account Name: [redacted]\[redacted]
Account Domain: [redacted]
Fully Qualified Account Name: [redacted]

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-a6-ca-ac-2c-10:TestEmployeeAccess
Calling Station Identifier: 4c-34-88-dd-b5-6c

NAS:
NAS IPv4 Address: [redacted]
NAS IPv6 Address: -
NAS Identifier: [redacted]
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 13

RADIUS Client:
Client Friendly Name: CISCO-CAPWAP-CONTROLLER
Client IP Address: [redacted]

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: NSAM wireless
Authentication Provider: Windows
Authentication Server: [redacted]
Authentication Type: EAP
EAP Type: -
Account Session Identifier: 35383234653034392F34633A33343A38383A64643A62353A36632F3130
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

</ERROR>

We understand that there are lots of EAP types, but we are attempting to use the native Windows EAP (MSCHAPv2), so Cisco equipment should have an easy time talking to it.  And, again, the NPS works with a different wireless controller.

We have tried a few different variations of the policies normally used by our clients, with no success.

If it's a 2504 setting that we're missing, we'd love to know where.  Beyond setting WPA and WPA2, we don't see a place to specify MSCHAPv2 (in the web interface).  And it isn't the controller's job to specify EAP anyway, once the PEAP tunnel has been opened.

Is it possible that this is a misleading error and the problem is actually with PEAP, even though the one error that we can see in Windows mentions EAP...?

If anyone has had experience with this issue and can lend guidance, we would greatly appreciate it.

Sincerely,

-Jason
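As an added triage example (not part of this thread, and not Cisco or Microsoft code), the following parses the Event ID 6273 body quoted above into its sections and flags the combination the post describes: Reason Code 22 with no EAP Type recorded. The sample input is constructed from the quoted event with the redactions kept as placeholders; the only assumption beyond the page is that a Cisco WLC reports the Called Station Identifier as AP-MAC:SSID, which the quoted value shows.

```python
import re
# Constructed sample: a trimmed copy of the Event ID 6273 body quoted in the
# post; the poster's redactions are kept as literal placeholders.
SAMPLE_6273 = r"""User:
Security ID: [redacted]\[redacted]

Client Machine:
Security ID: NULL SID
Called Station Identifier: 00-a6-ca-ac-2c-10:TestEmployeeAccess
Calling Station Identifier: 4c-34-88-dd-b5-6c

Authentication Details:
EAP Type: -
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+):$")


def parse_nps_event(text: str) -> dict:
    """Parse the 'Section:' / 'Field: value' body of an NPS 6272/6273 event.
    Fields nest under their section because names like 'Security ID' repeat;
    values split on the first ': ' only, so a MAC:SSID station id stays whole."""
    event, section = {}, "General"
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        key, _, value = line.partition(": ")
        event.setdefault(section, {})[key] = value.strip()
    return event


def summarize_failure(event: dict) -> dict:
    """Triage fields plus the flag for the case in the post: Reason Code 22 with
    no EAP Type recorded means NPS rejected the request before any inner method
    ran, so the mismatch is EAP-type negotiation, not the user's credentials."""
    client = event.get("Client Machine", {})
    auth = event.get("Authentication Details", {})
    code = int(auth.get("Reason Code") or 0)
    eap_type = auth.get("EAP Type", "-")
    return {
        "reason_code": code,
        "eap_type": eap_type,
        # Assumption: a WLC reports the Called Station Identifier as AP-MAC:SSID.
        "ssid": client.get("Called Station Identifier", "").partition(":")[2],
        "client_mac": client.get("Calling Station Identifier", ""),
        "eap_type_negotiation_failure": code == 22 and eap_type == "-",
    }
```

Run over exported 6273 events, the flag separates EAP-type negotiation rejects from credential failures, and the SSID and client MAC narrow them to one WLAN and one supplicant.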

2 REPLIES

Jason,

Not sure if you have come across the document below; you might find something in there...

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html

Thanks, yeah, we've been looking through that for insight.  No definite answer yet.

Appreciate it,

-Jason
