Lee.NSM
RADIUS is running on NPS Windows 2016 Datacenter
AP is Meraki MR33
I have tried just about everything I can think of in this configuration and cannot get a connection. I have looked over some of the other articles in the forum also but no success. If anyone can point out a flaw or something I have missed here it would be greatly appreciated! Config info is text and can attach screenshots if anyone needs them for reference for RADIUS server, GPO applied and Meraki config.
Following NPS configuration information:
NPS Server, WIN 2016 DC
Enrolled in AD Services
Certificate from CA applied
RADIUS Clients: 10.0.0.0/8
Manually Generated Shared Secret correct between devices
Vendor Name as RADIUS Standard
Connection Request Policies:
Policy: enabled
Type of server: unspecified
Conditions:
NAS Port type: Wireless IEEE 802.11 OR Wireless Other
Settings:
Authentication: authenticate requests on this server
No Accounting
Attribute type: Caller-Station-Id
No other settings applied
Network Policies:
Policy: enabled
Grant Access
Ignore user account dial-in properties
Type of server: unspecified
Conditions:
Wireless IEEE 802.11 OR Wireless Other
User Groups: (domain name)\domain users and (domain name)\domain computers
Constraints:
Auth methods EAP Types (in listed order top to bottom): MS Secured Password EAP_CHAP v2, MS Protected EAP (PEAP), MS Smart Card or other cert
Idle Timeout, Session Timeout, CallerStation ID and day/time restrictions not configured/default
NAS Port Type: Wireless IEEE 802.11 OR Wireless Other
Settings:
Framed Protocol: PPP
Service Type: Framed
Vendor specific: none
BAP: server settings determine...
IP filters: none
Encryption: 40, 56 and 128 checked, no encryption is NOT checked
IP Settings: Server settings determines...
GPO: no inheritance from other GPOs and only GPO in the test OU
Comp config-Security-wireless-new
Policy Name: RADIUS-TEST
Properties:
General Tab: Policy name and description same name
Use Windows WLAN autoconfig service for clients CHECKED
SSID "RADIUSTEST"
Network Permissions:
Infrastructure
Allow
NO other boxes checked
SSID Profile RADIUSTEST:
Connection tab: SSID RADIUSTEST
all Connect boxes checked
Security tab:
WPA2-Enterprise
AES_CCMP
Network auth method: PEAP -Properties: Verify server, cert server is checked, tell if server can't be identified, auth method is EAP-MSCHAP v2 -Advanced: PMK caching is only box checked
Auth mode: User or computer
Cache information is checked
Meraki config:
MR33 AP connected to MX67
AP has static internal address assigned
Gateway is correct
SSID: RADIUSTEST
WPA2-Enterprise with my RADIUS server
WPA encryption: 1 and 2 allowed
802.11 r/w: disabled
No splash page
Radius server IP, port 1812, shared secret from NPS
No accounting, proxy or group policies
Bridge mode
VLAN tagging
VLAN ID: # for wireless vlan on appliance
Ignore VLAN attributes in RADIUS responses
No Content filter or Bonjour forwarding
Receiving the following errors regarding the policies that are set up. Going through the policies I cannot seem to find what I have configured incorrectly though.
Event ID 20153 Error
The currently configured accounting provider failed to load and initialize successfully. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.
Event ID 20269 Warning
CoId={NA}: The user failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.
Also received an Error 18 for bad shared secret, but I have double-checked that also and, if it was incorrect for some reason previously, it has been updated. Not seeing 18 at this time, but others are creating with each attempt.
Looking into the certificate also. Had an issue regarding multiple SAN entries in the template to include using the specific IP of the server. Primary name is correct though.
Lots of moving parts here I know, I appreciate any and all assistance!