EAP Type cannot be processed error on connecting to Cisco 2504 WLAN using NPS as backend auth
We have a small roll-out of a new Cisco 2504 controller with 11 APs.
We are authenticating clients using a previously existing RADIUS server, specifically, Microsoft's NPS (Network Policy Server, MS Server 2008R2 SP1). The NPS server works with our existing wireless controller (an Aruba model), but we are getting a persistent error with the new system.
Properties of the configured AAA (802.1x) profile:
Security type: WPA-Enterprise
Network Auth Method: EAP (PEAP)
(We are not having clients validate the server certificate).
Inner EAP Method: EAP-MSCHAPv2
It seems that the (outer) PEAP tunnel is working, but the (inner) EAP authentication is failing. We think so because we get logs on the NPS server, and they mention EAP specifically.
Looking at NPS logs in Event Viewer, we are getting the same error (see below) upon each attempt to authenticate a client to the network.
Most of the "solutions" to this problem when searching the internet seem to involve certificates, but we are not using certificates on our inner EAP method -- just Windows password authentication (MSCHAPv2). So we don't understand how certificates could be relevant.
Here is the error from Windows event logs. See especially the last line:
Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 00-a6-ca-ac-2c-10:TestEmployeeAccess
    Calling Station Identifier: 4c-34-88-dd-b5-6c

NAS:
    NAS IPv4 Address: [redacted]
    NAS IPv6 Address: -
    NAS Identifier: [redacted]
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 13

RADIUS Client:
    Client Friendly Name: CISCO-CAPWAP-CONTROLLER
    Client IP Address: [redacted]

Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: NSAM wireless
    Authentication Provider: Windows
    Authentication Server: [redacted]
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: 35383234653034392F34633A33343A38383A64643A62353A36632F3130
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 22
    Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
We understand that there are lots of EAP types, but we are attempting to use the native Windows EAP (MSCHAPv2), so Cisco equipment should have an easy time talking to it. And, again, the NPS works with a different wireless controller.
We have tried a few different variations of the policies normally used by our clients, with no success.
If it's a 2504 setting that we're missing, we'd love to know where. Beyond setting WPA and WPA2, we don't see a place to specify MSCHAPv2 (in the web interface). And it isn't the controller's job to specify EAP anyway, once the PEAP tunnel has been opened.
Is it possible that this is a misleading error and the problem is actually with PEAP, even though the one error that we can see in Windows mentions EAP...?
If anyone has had experience with this issue and can lend guidance, we would greatly appreciate it.
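As an added example (not part of the original question, and not code from Cisco or Microsoft), here is a small Python script that parses the text of an NPS "denied access" audit event (Event ID 6273) the way Event Viewer lays it out, pulls out the fields that matter for triage, and classifies the event by Reason Code. The sample event is reconstructed from the one quoted in the question and is constructed for this example. The function names, the "Section/Key" flattening and the list of suggested checks are this example's own choices; the assumption that the Cisco WLC sends Called-Station-Id as "<AP MAC>:<SSID>" matches the value in the question but is marked as an assumption in the code.

```python
import re
from dataclasses import dataclass

# Event 6273 text, reconstructed from the event quoted in the question and laid
# out one "Key: value" per line under section headers, as NPS writes it in
# Event Viewer. Constructed sample input for this example.
SAMPLE_EVENT = """\
Network Policy Server denied access to a user.

Client Machine:
\tSecurity ID:\t\t\tNULL SID
\tAccount Name:\t\t\t-
\tFully Qualified Account Name:\t-
\tOS-Version:\t\t\t-
\tCalled Station Identifier:\t\t00-a6-ca-ac-2c-10:TestEmployeeAccess
\tCalling Station Identifier:\t\t4c-34-88-dd-b5-6c

NAS:
\tNAS IPv4 Address:\t\t[redacted]
\tNAS IPv6 Address:\t\t-
\tNAS Identifier:\t\t\t[redacted]
\tNAS Port-Type:\t\t\tWireless - IEEE 802.11
\tNAS Port:\t\t\t13

RADIUS Client:
\tClient Friendly Name:\t\tCISCO-CAPWAP-CONTROLLER
\tClient IP Address:\t\t[redacted]

Authentication Details:
\tConnection Request Policy Name:\tUse Windows authentication for all users
\tNetwork Policy Name:\t\tNSAM wireless
\tAuthentication Provider:\t\tWindows
\tAuthentication Server:\t\t[redacted]
\tAuthentication Type:\t\tEAP
\tEAP Type:\t\t\t-
\tReason Code:\t\t\t22
\tReason:\t\t\t\tThe client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
"""

# "Key: value"; the key stops at the first colon so values may contain colons
# (e.g. "00-a6-ca-ac-2c-10:TestEmployeeAccess").
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<value>.*?)\s*$")

# Reason codes from the NPS reason-code table. 22 is the one in the question.
REASON_CODES = {
    16: "credential mismatch (wrong user name or password)",
    22: "EAP Type cannot be processed by the server",
    66: "authentication method not enabled on the matching network policy",
}


def parse_nps_event(text: str) -> dict:
    """Flatten an NPS audit event into {"Section/Key": value}.

    An unindented line ending in ':' (e.g. "Client Machine:") opens a section;
    narrative lines without a colon are ignored.
    """
    fields, section = {}, ""
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not line.strip() or not m:
            continue
        key, value = m.group("key").strip(), m.group("value")
        if value == "" and not line.startswith(("\t", " ")):
            section = key
            continue
        fields[f"{section}/{key}" if section else key] = value
    return fields


def called_station_ssid(called_station_id: str) -> tuple:
    """Split Called-Station-Id into (AP MAC, SSID).

    Assumption: the WLC sends "<AP MAC>:<SSID>", as in the question's event.
    """
    mac, _, ssid = called_station_id.partition(":")
    return mac, ssid


@dataclass
class Triage:
    reason_code: int
    eap_type: str
    ssid: str
    client_mac: str
    network_policy: str
    verdict: str
    next_checks: list


def triage_event(text: str) -> Triage:
    """Classify one Event 6273 by Reason Code and list what to check next."""
    f = parse_nps_event(text)
    code = int(f.get("Authentication Details/Reason Code", "-1"))
    eap_type = f.get("Authentication Details/EAP Type", "-")
    _, ssid = called_station_ssid(f.get("Client Machine/Called Station Identifier", ""))
    checks = []
    if code == 22:
        verdict = "eap_type_not_processed"
        checks.append("Compare the EAP types under the matched network policy's "
                      "Constraints > Authentication Methods with what the WLC/"
                      "supplicant offers for this SSID.")
        if eap_type == "-":
            checks.append("EAP Type is '-': no EAP method was recorded, so the "
                          "failure is in method selection, not the MSCHAPv2 exchange.")
        checks.append("Diff this event against a successful one from the Aruba "
                      "controller on the same NPS to spot the differing attribute.")
    elif code in REASON_CODES:
        verdict = REASON_CODES[code]
    else:
        verdict = "unclassified"
    return Triage(code, eap_type, ssid,
                  f.get("Client Machine/Calling Station Identifier", ""),
                  f.get("Authentication Details/Network Policy Name", ""),
                  verdict, checks)


if __name__ == "__main__":
    t = triage_event(SAMPLE_EVENT)
    print(f"SSID={t.ssid} client={t.client_mac} policy={t.network_policy!r} "
          f"reason={t.reason_code} verdict={t.verdict}")
    for c in t.next_checks:
        print(" -", c)
```

Run it against the text copied out of Event Viewer (or exported with `wevtutil`); the "Section/Key" names let you grep many events for the same Reason Code and see whether "EAP Type" is ever populated for this RADIUS client, which is the quickest way to tell a method-selection failure from a failed inner MSCHAPv2 exchange.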