Radius Issues with NPS, AD and Fortinet

Anonymous
2024-04-17T15:13:42+00:00

I have recently encountered an issue where, once I have RADIUS enabled, users cannot log on. If I use WPA2 it works.

I have collected logs but do not know what else to try:

04512.222 2c:33:58:0a:f7:d5 <eh>     recv IEEE 802.1X ver=1 type=0 (EAP_PACKET) data len=43
04512.222 2c:33:58:0a:f7:d5 <eh> RADIUS message (type=0) ==> RADIUS Server code=1 (Access-Request) id=18 len=380
04512.226 2c:33:58:0a:f7:d5 <eh> RADIUS message (type=0) <== RADIUS Server code=3 (Access-Reject) id=18 len=44
04512.226 2c:33:58:0a:f7:d5 <eh>     send IEEE 802.1X ver=2 type=0 (EAP_PACKET) data len=4
04512.227 2c:33:58:0a:f7:d5 <eh> IEEE 802.1X (EAPOL 8B) ==> 2c:33:58:0a:f7:d5 ws (0-192.168.80.7:15246) rId 0 wId 1 94:f3:92:ac:95:29
04512.227 2c:33:58:0a:f7:d5 <eh>     ***WPA_PTK 2c:33:58:0a:f7:d5 DISCONNECTED***

RADIUS Protocol
    Code: Access-Reject (3)
    Packet identifier: 0x8e (142)
    Length: 44
    Authenticator: 147181fb5e23bee50112ff7a8bc89eb8
    [This is a response to a request in frame 1]
    [Time from request: 0.000000000 seconds]
    Attribute Value Pairs
        AVP: t=EAP-Message(79) l=6 Last Segment[1]
            Type: 79
            Length: 6
            EAP fragment: 04a30004
            Extensible Authentication Protocol
                Code: Failure (4)
                Id: 163
                Length: 4
        AVP: t=Message-Authenticator(80) l=18 val=0470f9fd937f0a13b6e5dbb06aea2abd
            Type: 80
            Length: 18
            Message-Authenticator: 0470f9fd937f0a13b6e5dbb06aea2abd


3 answers

  1. Anonymous
    2024-04-18T12:46:59+00:00

    Hello,

    From the logs provided, it appears that your Radius server is rejecting the access requests from the wireless client (with MAC address 2c:33:58:0a:f7:d5). The Radius server responds with an Access-Reject message (code 3) to the Access-Request message (code 1) sent by the client. The reason for rejection can be found in the EAP-Message attribute within the Radius response.

    The EAP message shows Code: Failure (4) which indicates that the EAP authentication has failed at the Radius level.

    To further troubleshoot this issue:

    1. Review the Radius server logs to see if it provides more detailed information about why the Access Request was rejected.

    2. Verify that the wireless network is configured to use the correct EAP method that is supported by both the Radius server and the client devices.

    3. Check for any recent changes to the Radius server or network infrastructure that could have affected the authentication process.

    4. Test with another user account or device to rule out a client-side issue.

    Extensible Authentication Protocol (EAP) for network access in Windows | Microsoft Learn

    Best regards

    Zunhui
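
Added example (not part of the original answer) for step 1 above: the capture in the question shows an Access-Reject carrying only an EAP Failure and a Message-Authenticator, so the detail has to come from the NPS server, which logs denials as event 6273 in the Security log. The helper name is hypothetical, the sample event is constructed, and the `Data` field names are assumptions to check against a real event on your server.

```powershell
# Added example, not from the thread. Helper name is hypothetical.
# Field names below are assumed from the event 6273 layout; verify on your server.
function ConvertFrom-NpsDenialXml {
    param([Parameter(Mandatory)][string]$EventXml)

    # Flatten the <Data Name="..."> elements into a name -> value table.
    $data = @{}
    foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        User         = $data['SubjectUserName']
        ClientMac    = $data['CallingStationID']
        RadiusClient = $data['ClientName']
        Policy       = $data['NetworkPolicyName']
        EapType      = $data['EAPType']
        ReasonCode   = $data['ReasonCode']
        Reason       = $data['Reason']
    }
}

# Constructed sample event; every value here is invented for illustration.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="CallingStationID">00-11-22-33-44-55</Data>
    <Data Name="ClientName">example-ap</Data>
    <Data Name="NetworkPolicyName">Example Wireless Policy</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="ReasonCode">16</Data>
    <Data Name="Reason">Authentication failed due to a user credentials mismatch.</Data>
  </EventData>
</Event>
'@
ConvertFrom-NpsDenialXml -EventXml $sample

# Live use on the NPS server (elevated session), denials from the last 24 hours:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273
#                                  StartTime = (Get-Date).AddHours(-24) } |
#     ForEach-Object { ConvertFrom-NpsDenialXml -EventXml $_.ToXml() } |
#     Group-Object ReasonCode, Reason | Sort-Object Count -Descending
```

If the live query returns nothing while clients are being rejected, check that auditing for the Network Policy Server subcategory is enabled on the server.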

  2. Anonymous
    2024-04-19T18:08:51+00:00

    Thanks for the feedback. My colleague would have upgraded our AD DC and the DC with the NPS was demoted to a member server. As a result I am thinking that is why Radius Auth is not working. As a result I am thinking that the best approach is to just export the config and install onto the NEW DC after I add NPS to a new DC.

    So I added NPS to the new DC and now I get this message when I try to import the config.

    No matter what I try, I am unable to import the config.

    What am I missing?

    It must be noted that when I click on policies on the left of the NPS, in the MMC it shows no policies on the right side?

  3. Anonymous
    2024-04-23T15:42:53+00:00

    Hello,

    You can try to copy the NPS configuration to another NPS using the following Netsh command:

    1. On the source NPS, open Command Prompt, type netsh, and then press Enter.
    2. At the netsh prompt, type nps, and then press Enter.
    3. At the netsh nps prompt, type export filename="path\file.xml" exportPSK=YES, where path is the folder location where you want to save the NPS configuration file, and file is the name of the XML file that you want to save. Press Enter. This stores configuration settings (including registry settings) in an XML file. The path can be relative or absolute, or it can be a Universal Naming Convention (UNC) path. After you press Enter, a message appears indicating whether the export to file was successful.
    4. Copy the file you created to the destination NPS.
    5. At a command prompt on the destination NPS, type netsh nps import filename="path\file.xml", and then press Enter. A message appears indicating whether the import from the XML file was successful.

    Reference links:

    Export an NPS Configuration for Import on Another Server | Microsoft Learn

    Best regards

    Zunhui
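
Added example (not part of the original answer): the export and import steps above as two PowerShell functions, with handling for the exported file, which contains the RADIUS shared secrets unencrypted when `exportPSK=YES` is used. The function names and the path are hypothetical; the path is chosen without spaces so the `netsh` arguments pass through PowerShell unchanged.

```powershell
# Added example, not from the thread. Run in an elevated session.
$export = 'C:\NpsMigration\nps-config.xml'   # hypothetical path, no spaces

function Export-NpsForMigration {
    # Run on the source NPS.
    New-Item -ItemType Directory -Path (Split-Path $export) -Force | Out-Null
    netsh nps export filename="$export" exportPSK=YES
    if (-not (Test-Path $export)) { throw "Export file was not created: $export" }

    # The XML holds the shared secrets in clear text: drop inherited ACEs and
    # allow only the local Administrators group (well-known SID S-1-5-32-544).
    icacls $export /inheritance:r /grant:r '*S-1-5-32-544:F' | Out-Null

    # Return the hash so the copy can be verified on the destination.
    (Get-FileHash -Path $export -Algorithm SHA256).Hash
}

function Import-NpsFromMigration {
    # Run on the destination NPS after copying the file to the same path.
    param([Parameter(Mandatory)][string]$ExpectedSha256)

    $actual = (Get-FileHash -Path $export -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw 'Export file hash does not match the source; not importing.'
    }

    netsh nps import filename="$export"

    # Confirm that RADIUS clients and network policies actually arrived,
    # rather than relying only on the import message.
    netsh nps show client
    netsh nps show np

    # Do not leave a file with clear-text shared secrets on disk.
    Remove-Item -Path $export -Force
}
```

Remove the copy left on the source server as well once the destination shows the expected clients and policies.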
