Radius request to Active Directory Domain Controller running Network Policy Server suddenly stopped working

  • Problem
  • Updated 3 years ago
  • Solved
We have a V2110 Controller set up to do authentication with RADIUS to our AD server using MSCHAP v2. But it suddenly stopped working.
In the log on the AD server I can see this many times in the application log:
Negotiation failed. No available eap methods.
It never appeared before, when it was working, and now it's showing that error a few times every minute.
I tried duplicating the Network Policy, disabling the old one and renaming the new one to the old one's name. But no luck.
Anyone else bump into this?

Mattias Andersson


Posted 3 years ago


Doug Hyde, Technical Support Manager

Do you have a connection request policy configured? Check that first. Are you keying off of anything specific in the policy?

Mattias Andersson

Yes, it is set to NAS Port Type with the value Wireless - Other OR Wireless - IEEE 802.11.

Doug Hyde, Technical Support Manager

Basic PEAP setup without any Filter-ID return...





Mattias Andersson

Ah, when I hit edit on that I just get:
Cannot configure EAP
A certificate could not be found that can be used with this Extensible Authentication Protocol.

Doug Hyde, Technical Support Manager

That would do it... Take a look at https://technet.microsoft.com/library/cc771696.aspx for more info and assistance. 
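
Added example, not part of the original thread: a PowerShell check, run on the NPS server, of whether the local computer store holds a certificate that PEAP could use, which is what the "Cannot configure EAP" dialog above complains about. The criteria (private key present, within validity dates, Server Authentication EKU, chain builds to a trusted root) and the function name Test-PeapCandidate are assumptions of this example, not taken from the posts.

```powershell
# Added example: report which certificates in the local computer store pass
# basic checks for use as a PEAP server certificate. Criteria are assumptions.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-PeapCandidate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $now = Get-Date
    $problems = @()

    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    if ($Cert.NotBefore -gt $now) { $problems += 'not yet valid' }
    if ($Cert.NotAfter -lt $now)  { $problems += "expired $($Cert.NotAfter.ToString('yyyy-MM-dd'))" }

    # Collect the EKU OIDs from the Enhanced Key Usage extension, if present.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    if ($ekus -notcontains $serverAuthOid) { $problems += 'no Server Authentication EKU' }

    # Build the chain to a trusted root. Revocation is skipped so the result
    # reflects trust and validity only, not whether a CRL is reachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems -join '; '
    }
}

$results = @(Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-PeapCandidate -Cert $_ })
$results | Format-Table -AutoSize -Wrap

if (-not ($results | Where-Object { $_.Usable })) {
    Write-Warning 'No certificate in Cert:\LocalMachine\My passed the checks; PEAP has nothing to present to clients.'
}
```
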

Mattias Andersson

Thanks Doug, got that fixed. The CA server the DC was pointing to had been turned off. Installed one locally on that DC, so I no longer get that error. I configured the NPS to match the config in your screenshots.
The clients are now prompted to accept a new certificate, which makes sense.
But now instead I get "Connection failed." when trying to connect from a Mac.
If I log on to the controller and do a test of the RADIUS, it returns Test Completed, but with ACCESS_REJECTED. I'm guessing that is expected as it never asks for a password and I'm assuming it's just testing the actual RADIUS connection?

Mattias Andersson

Thanks. Any other ways to test what is going wrong in the auth that you can think of?
I ran Wireshark on the RADIUS server and I can see the connections coming in. But for some reason it just gets connection failed on the client side.

Ronald Dvorak, Embassador

There is only one place where I look in such a case... the NPS log.
The controller is only the message forwarder between the wireless client and the NPS and has no clue what these two say to each other.

Doug Hyde, Technical Support Manager

Like Ron stated, you would want to review the NPS Event log to see why the client failed to connect. There is usually a reason code.

Here is an example: