Cisco wireless controller set up as a Radius client for a Windows 2022 NPS

Anonymous
2024-06-20T03:24:58+00:00

Hi

In my current environment, I have a Cisco wireless controller set up as a Radius client for a Windows 2022 NPS. I have configured the policy in my NPS to allow authentication via MSCHAPv2.

The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

EventData
SubjectUserSid S-1-5-21-4097143817-3994732641-3694424330-1108
SubjectUserName test1
SubjectDomainName MYDOMAIN
FullyQualifiedSubjectUserName MYDOMAIN\test1
SubjectMachineSID S-1-0-0
SubjectMachineName -
FullyQualifiedSubjectMachineName -
CalledStationID 68-bc-0c-cb-9a-60:ISJMB
CallingStationID 08-6a-c5-8b-24-6e
NASIPv4Address 192.168.0.22
NASIPv6Address -
NASIdentifier ISJWLC
NASPortType Wireless - IEEE 802.11
NASPort 1
ClientName isjwlc
ClientIPAddress 192.168.0.22
ProxyPolicyName Secure Wireless ISJWLC
NetworkPolicyName Secure Wireless ISJWLC
AuthenticationProvider Windows
AuthenticationServer DHCP-001.mydomain.local
AuthenticationType EAP
EAPType -
AccountSessionIdentifier -
ReasonCode 22
Reason The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
LoggingResult Accounting information was written to the local log file.

This question was migrated from the Microsoft Support Community.

3 answers

  1. Anonymous
    2024-06-20T05:25:25+00:00

    Hello Friends,

    To address the EAP authentication issue on your Cisco wireless controller configured as a Radius client for a Windows 2022 NPS, here is a detailed checklist and step-by-step guide for troubleshooting:

    Checklist:

    1. EAP Configuration Verification:
      • Ensure the NPS server supports the EAP types required by your clients (e.g., EAP-MSCHAPv2).
      • Verify that these EAP types are enabled and correctly configured on the NPS server.
    2. Network Policy Configuration:
      • Check that the network policy on the NPS server matches the conditions of the incoming requests (e.g., NAS Port Type, Windows Groups).
    3. Cisco WLC Configuration:
      • Confirm that the Cisco WLC is correctly configured to use the NPS server as a Radius server.
      • Verify the shared secret and IP address settings.
    4. Certificate Validity:
      • Ensure the certificates used for EAP methods are valid and trusted by both the server and client devices.
    5. Event Viewer Logs:
      • Check the Event Viewer logs on the NPS server for detailed error messages.

    Step-by-Step Guide:

    1. Verify EAP Configuration on NPS Server:


    1. Open the NPS Console:
      • Go to Start > Administrative Tools > Network Policy Server.
    2. Edit Network Policies:
      • Expand Policies and select Network Policies.
      • Double-click on the relevant network policy (e.g., Secure Wireless ISJWLC).
    3. Check Conditions:
      • Go to the Conditions tab.
      • Ensure the conditions match your wireless clients (e.g., NAS Port Type: Wireless - IEEE 802.11, Windows Groups, Day and Time Restrictions).
    4. Check Constraints:
      • Go to the Constraints tab.
      • Under Authentication Methods, ensure that EAP-MSCHAPv2 is selected.
      • If using PEAP, ensure Protected EAP (PEAP) is configured with EAP-MSCHAPv2.
    5. Apply and Save:
      • Click OK to save changes.

    2. Verify Cisco WLC Configuration:

    1. Access WLC Web Interface:
      • Open a web browser and log in to the Cisco WLC web interface.
    2. Configure Radius Authentication:
      • Navigate to Security > AAA > Radius > Authentication.
      • Ensure the NPS server is listed with the correct IP address and shared secret.
    3. Verify WLAN Settings:
      • Go to WLANs and select the SSID configured for Radius authentication.
      • Ensure that the SSID is using the correct Radius server for authentication.

    3. Check Certificate Validity (if using EAP-TLS or PEAP):

    1. Validate Certificates:
      • Ensure both server and client certificates are valid and not expired.
      • Check that the certificates are trusted by both the server and clients.
    2. Import Trusted Certificates:
      • On the NPS server, import the CA certificates to the Trusted Root Certification Authorities store.
      • Ensure the client devices also trust the CA certificates.

    4. Review Event Viewer Logs:

    1. Open Event Viewer:
      • Go to Start > Administrative Tools > Event Viewer.
    2. Check NPS Logs:
      • Navigate to Custom Views > Server Roles > Network Policy and Access Services.
      • Look for errors related to EAP authentication and note the Reason Code and Description.
    3. Investigate Specific Errors:
      • Use the Reason Code to find specific solutions. For instance, Reason Code 22 indicates an unsupported EAP type.

    Example Commands:

    • Get IP Configuration on Server (shell):
        ipconfig /all

    • Check Firewall Rules (PowerShell):
        Get-NetFirewallRule | where {$_.DisplayName -like "*ICMPv6*"}

    • Add Firewall Rule for ICMPv6 (PowerShell):
        New-NetFirewallRule -DisplayName "Allow ICMPv6-In" -Protocol ICMPv6 -IcmpType 128 -Action Allow

    By following this detailed checklist and step-by-step guide, you should be able to diagnose and resolve the EAP authentication issue on your Cisco WLC and Windows 2022 NPS setup.

    If you need further assistance, please feel free to ask.

    Best regards,

    Rosy
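
Step 4 of the answer above (reviewing the NPS events and their Reason Code) can also be done from PowerShell on the NPS server. This is an added example, not part of the original posts: it assumes NPS auditing writes denied requests to the Security log as event ID 6273, it reads the field names shown in the question's EventData, and the 24-hour window (`$Hours`) is an arbitrary choice.

```powershell
# Added example: summarize NPS "access denied" events (Security log, event ID 6273).
# Run in an elevated PowerShell session on the NPS server.
# $Hours and the selected columns are choices made for this example.
$Hours = 24

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6273
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # EventData is a list of <Data Name="...">value</Data> elements;
    # turn it into a name -> value lookup.
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = $fields['FullyQualifiedSubjectUserName']
        Client     = $fields['ClientName']
        Policy     = $fields['NetworkPolicyName']
        AuthType   = $fields['AuthenticationType']
        EAPType    = $fields['EAPType']
        ReasonCode = $fields['ReasonCode']
    }
}

# Which RADIUS client / policy / method combinations are being denied, and how often.
$rows | Group-Object Client, Policy, AuthType, EAPType, ReasonCode |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Most recent denials carrying the reason code from the question.
$rows | Where-Object ReasonCode -eq '22' | Sort-Object Time -Descending |
    Select-Object -First 20 | Format-Table -AutoSize
```

The grouped output shows which network policy each denied request matched and which authentication type it arrived with, the two values to compare against the policy's Constraints tab.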

  2. Anonymous
    2024-06-20T12:48:14+00:00

    Hi Rosy,

    Thank you for your help.

    Check Certificate Validity (if using EAP-TLS or PEAP):

    Is this a self-signed certificate or a certificate from the Certificate Authority server?

    Thank you

  3. Anonymous
    2024-06-25T01:40:02+00:00

    Hi Talmaggies,

    Thank you for your reply.

    To check the certificate validity, could you please clarify whether the certificate being used is a self-signed certificate or a certificate issued by a Certificate Authority (CA) server?

    Understanding the type of certificate will help us provide more accurate troubleshooting steps.

    Thank you for your cooperation.

    Best regards,

    Rosy

    Forum Support Team
