RADIUS request to Active Directory Domain Controller running Network Policy Server suddenly stopped working


We have a V2110 Controller set up to do authentication with RADIUS to our AD server using MSCHAP v2. But it suddenly stopped working.
In the log on the AD server I can see this many times in application log:
Negotiation failed. No available eap methods.
It never appeared before it was working and now it's showing that error a few times every minute.
I tried duplicating the Network Policy, disabling the old one and renaming the new one to the old one's name. But no luck.
Anyone else bump into this?

Do you have a connection request policy configured? Check that first, are you keying off of anything specific in the policy?
Yes, it is set to NAS Port Type with the value Wireless - Other OR Wireless - IEEE 802.11.
Basic PEAP setup without any Filter-ID return...




Ah, when I hit edit on that I just get:
Cannot configure EAP
A certificate could not be found that can be used with this Extensible Authentication Protocol.
That would do it... Take a look at https://technet.microsoft.com/library/cc771696.aspx for more info and assistance.
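
An added example, not part of the original thread: one way to check from PowerShell whether the NPS server has a certificate it can offer for PEAP, which is what the "Cannot configure EAP" dialog above is complaining about. It assumes an elevated session on the NPS server, and the criteria checked (private key present, inside its validity period, Server Authentication EKU, chain builds to a trusted root) are the usual requirements for a PEAP server certificate rather than something stated in the thread.

```powershell
# Added example: list machine certificates and flag which could serve PEAP.
# OID of the "Server Authentication" extended key usage.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$now = Get-Date

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # EnhancedKeyUsageList is added by the PowerShell certificate provider.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    $hasKey     = $cert.HasPrivateKey
    $timeValid  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    $serverAuth = $ekus -contains $serverAuthOid
    # Verify() builds the chain with the default policy; it fails if the
    # issuing CA is not trusted or the chain cannot be validated.
    $chainOk    = $cert.Verify()

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $hasKey
        ServerAuthEku = $serverAuth
        TimeValid     = $timeValid
        ChainOk       = $chainOk
        Usable        = $hasKey -and $timeValid -and $serverAuth -and $chainOk
    }
}

if (-not ($report | Where-Object { $_.Usable })) {
    Write-Warning 'No certificate in LocalMachine\My meets all four checks.'
}
$report | Sort-Object Usable -Descending | Format-Table -AutoSize
```

A row that fails only `ChainOk` or `TimeValid` is the case to look at when the issuing CA has been taken offline, as happened in this thread.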
Thanks Doug, got that fixed, the CA server the DC was pointing to had been turned off. Installed one locally on that DC, so I no longer get that error. I configured the NPS to match the config in your screenshots.
The clients are now prompted to accept a new certificate, which makes sense.
But now instead I get "Connection failed." when trying to connect from a Mac.
If I log on to the controller and do a test of the RADIUS, it returns Test Completed, but with ACCESS_REJECTED. I'm guessing that is expected as it never asks for a password and I'm assuming it's just testing the actual RADIUS connection?
Mattias Andersson wrote:

Thanks Doug, got that fixed, the CA server the DC was pointing to had been turned off. Installed one locally on that DC, so I no longer get that error. I configured the NPS to match the config in your screenshots.
The clients are now prompted to accept a new certificate, which makes sense.
But now instead I get "Connection failed." when trying to connect from a Mac.
If I log on to the controller and do a test of the RADIUS, it returns Test Completed, but with ACCESS_REJECTED. I'm guessing that is expected as it never asks for a password and I'm assuming it's just testing the actual RADIUS connection?

Correct...
https://gtacknowledge.extremenetworks.com/articles/Q_A/Does-the-test-button-on-the-802-1x-authentica...
Thanks. Any other ways to test what is going wrong in the auth that you can think of?
I ran Wireshark on the RADIUS server and I can see the connections coming in. But for some reason it just gets connection failed on the client side.
There is only one place where I look in such a case... the NPS log.
The controller is only the message forwarder between the wireless client and the NPS and has no clue what these two say to each other.
Like Ron stated, you would want to review the NPS Event log to see why the client failed to connect. There is usually a reason code.

Here is an example:
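
An added example, not part of the original thread: the advice above to read the reason code out of the NPS event log, done from PowerShell. It assumes an elevated session on the NPS server, that NPS auditing is enabled so denials are written to the Security log as event ID 6273, and an English-language event message; the one-hour window is an arbitrary choice.

```powershell
# Added example: summarize recent NPS access denials by reason code.
$since = (Get-Date).AddHours(-1)   # assumed look-back window

function Get-Field([string]$Message, [string]$Name) {
    # Fields appear in the event text as "Name:<tabs>Value", one per line.
    $pattern = '(?m)^[ \t]*' + [regex]::Escape($Name) + ':[ \t]*(.*?)\s*$'
    if ($Message -match $pattern) { $Matches[1] } else { $null }
}

# Event ID 6273 = "Network Policy Server denied access to a user."
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6273
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No 6273 events found; check that NPS auditing is enabled.'
} else {
    $denials = $events | ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = Get-Field $_.Message 'Account Name'
            Client     = Get-Field $_.Message 'Client Friendly Name'
            Policy     = Get-Field $_.Message 'Network Policy Name'
            EapType    = Get-Field $_.Message 'EAP Type'
            ReasonCode = Get-Field $_.Message 'Reason Code'
            Reason     = Get-Field $_.Message 'Reason'
        }
    }

    # Which reasons dominate, then the individual attempts in time order.
    $denials | Group-Object ReasonCode, Reason |
        Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -Wrap
    $denials | Sort-Object Time | Format-Table Time, User, Client, Policy, EapType, ReasonCode
}
```

The `Policy` column shows which network policy the request actually matched, which is worth checking after duplicating or renaming policies as described earlier in the thread.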