Radius logs show success but controller shows error

  • Problem
  • Updated 2 years ago
  • Solved
We just installed two new C5210 controllers for a client.  They also currently have two C4110-1 controllers in production.  One of the new controllers that was installed is not authenticating via Radius with a Windows 2012 NPS server.  The logs on the NPS server show a successful authentication, however the wireless controller shows an error.  When I test the radius server from the WLAN auth section I receive the following error:  RADIUS_SHAREDSECRETKEY_DECODE_FAILED

The authentication request does show in the NPS logs with an incorrect user account/password error.  So the controller is sending radius requests to the server successfully.  If I test the radius server from the Login Maintenance screen using authorized credentials the test returns a "System error" message, while the NPS server shows an authentication success message.  

I have removed the WLAN controller as a radius client and then added it back.  I have also deleted the radius server from the controller and added it back.  The shared secret is entered correctly and it is sending the authentication requests to the radius server correctly, it just doesn't seem that it is receiving a proper response back.

The other new controller is authenticating properly as well as the two existing controllers.  It is only one controller that is experiencing this issue.

Thank You.

Ty Kolff

Posted 2 years ago

Hernandez, Joshua, Employee

Ty,

Can you take a look at this GTAC KB article and verify that the shared secrets match in NAC, Controller and Radius servers?

"RADIUS_SHAREDSECRETKEY_DECODE_FAILED error message"

Ty Kolff

I did review that article already.  There is a NAC server in this environment, however the radius authentication in this situation is between the controller and a Windows Server 2012 NPS server.

I did confirm that there is not a radius override enabled in the NAC appliance.

Jason, Employee

Hello Ty, 

That is odd.
The only time I've seen that error message is if there is a discrepancy in the shared secret configured on either side, unless we have had a bug.  
What version are you running?  There was a bug that we fixed in 9.21.02 and later that involved a re-configured shared secret. (In that case, a radius server configured from scratch was fine.)

Is NAC involved at all? 

There are a few knowledge articles that match, but any issues seen are fixed in current firmware. 
https://gtacknowledge.extremenetworks.com/articles/Solution/Changing-the-radius-shared-secret-on-the...

https://gtacknowledge.extremenetworks.com/articles/Solution/RADIUS-SHAREDSECRETKEY-DECODE-FAILED-err...

https://gtacknowledge.extremenetworks.com/articles/Solution/Dynamic-Reauth-is-failing-with-a-shared-...

I would also double check that this Access-Request message box is not checked:



If nothing above helps and it's still not working, I would suggest opening a case with GTAC and we can investigate further. 

Thanks, 
Jason

Ty Kolff

NAC is not involved in this.  This is directly between the wireless controller and Windows NPS server.

Both new controllers are running 10.01.05.0008.  They are in an availability pair.  The primary controller fails radius authentication, while the backup controller is successful with radius authentication.  Both have identical configurations for the radius server and are all using the same shared key.

I do have an open GTAC case, but haven't heard anything back yet.  I just thought I would throw it out on the hub to see if anyone else has encountered a similar issue.

Jason, Employee

Thanks Ty.  We'll have someone in contact with you soon. 

Ronald Dvorak, Embassador

You wrote...
"The logs on the NPS server show a successful authentication"
"The authentication request does show in the NPS logs with an incorrect user account/password error. "

So it's not a success - right?

I'd check whether the request hits the right connection request / network policy.
Look in the event log and compare the request from the good v10 controller with the bad one.

Ty Kolff

When I said "The authentication request does show in the NPS logs with an incorrect user account/password error. " I meant when you are using the 'Test' button on the WLAN Auth & Acct tab.  It doesn't allow a username to be entered so it fails in the NPS Logs. 

When I test it from the Login Maintenance screen on the radius authentication tab and it allows me to enter a username/password, it will show as a successful authentication in the NPS logs.

Thanks.

Ronald Dvorak, Embassador

OK, so it looks like the shared secret is correct on both ends.
As I've mentioned, I'd check the log to see whether you hit the right connection request / network policy on the NPS.

Ty Kolff

This issue is solved now.  There was a Radius Client listed with the same IP address as the controller on the NPS server (apparently there was a previous server with the same IP that is no longer in use).  Once I deleted the duplicate radius client, authentication worked perfectly.
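
Why a duplicate RADIUS client entry can produce this exact symptom, as an added example that is not part of the original thread: per RFC 2865 the server signs each reply with the shared secret of the client entry it matched, and the controller rejects a reply it cannot verify even though the server already logged a success. The client names, addresses and secrets below are constructed, and that the stale entry held a different secret is an assumption the thread does not confirm.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: sign the reply with the secret of the matched client entry."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(packet, request_auth, secret):
    """NAS side: recompute the authenticator with the locally configured secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

def duplicate_addresses(clients):
    """Addresses that appear in more than one RADIUS client entry."""
    seen = {}
    for name, address, _secret in clients:
        seen.setdefault(address, []).append(name)
    return {addr: names for addr, names in seen.items() if len(names) > 1}

# Constructed client table: a stale entry shares the controller's IP.
# Assumption (not stated in the thread): the stale entry holds a different secret.
CLIENTS = [
    ("old-server", "192.0.2.10", b"stale-secret"),
    ("wlc-primary", "192.0.2.10", b"current-secret"),
    ("wlc-backup", "192.0.2.11", b"current-secret"),
]

def simulate(server_secret, nas_secret):
    """True if the NAS accepts an Access-Accept signed with server_secret."""
    request_auth = os.urandom(16)
    attrs = bytes([18, 4]) + b"ok"  # Reply-Message (type 18), constructed value
    packet = build_reply(ACCESS_ACCEPT, 7, attrs, request_auth, server_secret)
    return verify_reply(packet, request_auth, nas_secret)
```

`simulate(b"stale-secret", b"current-secret")` returns `False` while the server side has already produced an Access-Accept, and `duplicate_addresses(CLIENTS)` flags the shared address to review in the NPS client list.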

Jason, Employee

Thanks Ty.