1 ACCEPTED SOLUTION
So, a little embarrassing, but it looks like stuff started working once I set the local Windows firewall on the NPS server to allow all incoming connections.
This is strange because - when installing / configuring the NPS role - the corresponding allow rules were automatically created (I had double checked that a few times while working through this process). So, maybe there is some port requirement other than UDP 1812, 1645, 1813, 1646... and TCP 135 and RPC Dynamic Ports...
Anyone run into this before?
Thanks!
Hi Devid,
Please check and make sure auth method (EAP - PEAP) has a certificate mapped to it, else auth will not work.
If still facing issue, check event viewer >> Customer Views >> Server Roles >> Network Policy And Access Service >> Review the most recent authentication attempt. It will give you more info like if request is even reaching the server and hitting the correct policy, and what is the reason for auth failure, etc.
To see the complete picture, we need to review and collect information from below points.
- Radius policy should be configured correctly with a certificate in auth method.
- Radius server profile on Cloud should be configured correctly.
- Make sure shared secrete is same on both sides, on Cloud and on Radius server.
- Make sure AP IPs are added to radius client list on Radius Server.
For troubelshooting:
- Setup packet capture on the AP where test client is connecting.
- Select AP on cloud GUI >> Click on More Action >> Test Connection >> Packet Capture >> Set "Capture Interface" to "Wired" and start capture when client is ready to connect. - Setup and run wireshark on NPS server, and set the filter for AP IP address to filter the traffic coming from radius server.
- Now connect the client and try 2-3 times so that you have more captures for review.
- Post 2-3 failure, stop captures on AP and on radius server side.
- Save captures from AP, radius server and review all to see the connection flow.
- AP capture
- Server capture
- Server event logs.
Parallelly, if Cloud Analytics is working, it can also show you complete client connection flow and can pin point the failure.
If still facing issue, open a case with support for further help.
Thanks for the detailed reply;
Regarding the first part - yes - there is a certificate mapped for PEAP
When looking at the NPS Event Log, I only see some logs from when I was initially trying to add the APs (had initially deployed windows server standard, and was trying to add APs using cidr... had to upgrade edition to Datacenter to do that :))
I don't see any authentication attempts in the NPS event log at all.
As for making sure the RADIUS server is configured correctly in the Cloud, there is nothing else aside from defining it in the WiFi network setup, correct?
Shared secret is the same, and all AP IP addresses have been added. Again, added using cidr, but maybe I will try adding individually see if that makes a difference.
I was looking around in Analytics, but I don't see any reference to the failed connection / auth attempts from my laptop and another test laptop I have. So, not sure if I am not looking where I should be.
I will look at doing a packet trace also.
Thanks,
