This article discusses common configuration errors when implementing WPA2 Enterprise with PEAP-MSCHAPv2, using a Windows 2008 NPS environment for error codes. This article addresses Windows Event Log messages, possible causes for the error events, and recommended solutions.
Windows Event Viewer can be found by navigating to Start > All Programs > Administrative Tools > Event Viewer. The two logs referenced in this article are the Network Policy and Access Services logs and the Security logs.
Common Configuration Errors
The following common configuration errors may cause RADIUS authentication to fail. Though the error codes outlined below are specific to Windows NPS, the following configuration checks should be made regardless of RADIUS server vendor:
- No certificate installed on the RADIUS Server or the certificate has expired.
- Access Points are not added as a RADIUS Client or are configured for DHCP.
- Incorrect Secret configured on the AP/APs or on the server.
- Network Policy is misconfigured.
- Connection Request Policy is misconfigured.
- Mismatch in Authentication Settings.
- Incorrect Username or Password.
- Root Certificate is not added to the client Device.
Event ID 6273 with reason code 23 (bad/missing certificate)
Connection issues often occur because a digital certificate is not installed on the RADIUS Server or the certificate has expired. If this is the case, you will see Event ID 6273 with Reason Code 23 in the Network Policy and Access Services logs.
To resolve this, a certificate will need to be installed or renewed on your NPS server in order to establish TLS.
Event ID 6273 Reason Code 265 (untrusted CA)
On Windows end-user devices (usually PC clients) you have the option to validate the server certificate presented by the server when using WPA2 Enterprise, which is strongly recommended for RADIUS. If this option is selected, the Certificate Authority must be added to the client's list of Trusted Root Certification Authorities. If the Certificate Authority is not added to the Windows client, you may see Event ID 6273 with Reason Code 265 in the Network Policy and Access Services logs.
Event ID 6273 Reason Code 8 (Bad username or password)
When testing RADIUS authentication it is possible that the username may be incorrect or may not be located in the Windows group specified in the Network Policy. If this is the case, you will see Event ID 6273 with Reason Code 8 in the Network Policy and Access Services logs.
To resolve, ensure the username is correct and is present in the Windows group specified in your Network Policy.
When testing RADIUS authentication it is also possible that the user password may be incorrect. If this is the case, you will see Event ID 4625 in the Windows Security logs.
To resolve, confirm the user's password and/or perform a password reset in Active Directory.
Event ID 18: An Access-Request message was received from RADIUS client x.x.x.x with a Message-Authenticator attribute that is not valid (Bad shared secret)
On the dashboard or web admin page of your AP, in the Security section for your Wireless and RADIUS settings, you must enter the secret specified on your RADIUS server. This secret must match the shared secret you enter when adding the Access Point as a RADIUS client. When the secrets do not match, you will see Event ID 18 in the Network Policy and Access Services logs.
To resolve, ensure when adding a gateway AP as a RADIUS Client in NPS that the Shared Secret matches the Secret specified on your AP's dashboard portal.
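Why a mismatched secret surfaces as Event ID 18: the Message-Authenticator attribute is an HMAC-MD5 over the whole Access-Request, keyed with the shared secret (RFC 3579), so a server holding a different secret cannot reproduce it. The sketch below is an added example, not part of the original article; the function names and sample secrets are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)


def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value


def build_access_request(secret, identifier, username):
    """AP side: Access-Request whose Message-Authenticator is keyed with `secret`."""
    attrs = attr(1, username) + attr(MSG_AUTH, bytes(16))  # 1 = User-Name
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + os.urandom(16)
    packet = bytearray(header + attrs)
    # The HMAC is computed while the 16-byte value field is still all zeros.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_message_authenticator(secret, packet):
    """Server side: zero the field, recompute the HMAC, compare in constant time."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False  # malformed attribute
        if atype == MSG_AUTH:
            if alen != 18:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # attribute absent


if __name__ == "__main__":
    pkt = build_access_request(b"ap-secret", 7, b"alice")  # constructed values
    print("same secret:     ", verify_message_authenticator(b"ap-secret", pkt))
    print("different secret:", verify_message_authenticator(b"nps-secret", pkt))
```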
Event ID 13: A RADIUS message was received from the invalid RADIUS client (APs not added as clients)
WPA2 Enterprise authentication requires your Access Points be added as RADIUS Clients on your NPS Server. Because of this, it is imperative that a static IP assignment or a DHCP fixed IP assignment be used on your APs.
If your AP is not added as a RADIUS Client you will see Event ID 13 in the Network Policy and Access Services logs.
To resolve, add your Access Point's IP address as a RADIUS client on your NPS Server (it is recommended to set static IP addresses on access points).
General RADIUS Troubleshooting Advice
If you're having connection issues, here are some troubleshooting techniques, features, and tools you can use.
Check the RADIUS Server Logs
Before performing troubleshooting steps on the client you should check the logs on the RADIUS server. If the authentication attempts are making it to the server, the logs can usually give you an idea of the underlying issue. But if the logs don't help or the authentication attempts aren't making it to the server you can continue troubleshooting via other methods.
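One way to triage an exported set of server events against the Event ID and Reason Code pairs listed in this article, grouped per RADIUS client. This is an added example, not from the original article; the sample events are constructed, and the Data field names (ReasonCode, ClientIPAddress) and the unnamed Data element in Event 13 are assumptions to check against your own export.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event ID / Reason Code pairs and causes exactly as listed in this article.
CAUSES = {
    ("6273", "23"): "bad/missing certificate on the RADIUS server",
    ("6273", "265"): "untrusted CA on the client",
    ("6273", "8"): "bad username or password",
    ("4625", None): "incorrect user password",
    ("18", None): "bad shared secret",
    ("13", None): "AP not added as a RADIUS client",
}

# Constructed sample. The namespace is declared once on the root for brevity;
# events that each carry their own xmlns attribute parse the same way.
SAMPLE = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>6273</EventID></System><EventData>
  <Data Name="ClientIPAddress">192.0.2.10</Data><Data Name="ReasonCode">23</Data></EventData></Event>
<Event><System><EventID>6273</EventID></System><EventData>
  <Data Name="ClientIPAddress">192.0.2.10</Data><Data Name="ReasonCode">8</Data></EventData></Event>
<Event><System><EventID>6273</EventID></System><EventData>
  <Data Name="ClientIPAddress">192.0.2.10</Data><Data Name="ReasonCode">8</Data></EventData></Event>
<Event><System><EventID>6273</EventID></System><EventData>
  <Data Name="ClientIPAddress">192.0.2.11</Data><Data Name="ReasonCode">265</Data></EventData></Event>
<Event><System><EventID>13</EventID></System><EventData>
  <Data>192.0.2.99</Data></EventData></Event>
</Events>"""


def triage(xml_text):
    """Return a Counter keyed by (client address, likely cause)."""
    counts = Counter()
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS).strip()
        # Unnamed <Data> elements end up under the key None.
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        reason = data.get("ReasonCode")
        cause = CAUSES.get((event_id, reason)) or CAUSES.get((event_id, None))
        if cause is None:
            cause = f"unmapped (event {event_id}, reason {reason})"
        client = data.get("ClientIPAddress") or data.get(None) or "unknown"
        counts[(client, cause)] += 1
    return counts


if __name__ == "__main__":
    for (client, cause), n in triage(SAMPLE).most_common():
        print(f"{client:<12} {n:>3}  {cause}")
```

Many different causes from one client address point at that AP's configuration, while one cause spread across all clients points at the server or policy.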
Address Intermittent Connection Issues
If a client is having intermittent connection issues — disconnecting periodically, not reconnecting after resuming from sleep, or not roaming well between wireless access points — you may first want to eliminate general networking issues.
For wireless adapters that came with their own wireless configuration software, try uninstalling it so the adapter uses the native Windows interface and Microsoft 802.1X supplicant. Also consider reinstalling and even updating the driver for the client's network adapter.
If clients are still being intermittently disconnected (even if automatically reconnected), it may be because a Fast Roaming technique isn't being used. By default, the full 802.1X authentication process must take place the first time a client connects to the network, when roaming to another wireless access point, and after the 802.1X session interval expires. And this full authentication process can interrupt the client connection, especially for latency-sensitive traffic like VoIP or video streams.
When a Fast Roaming technique is supported by your network, however, it helps reduce the number of full authentication processes a client must perform on the network. The three most popular techniques are called WPA/WPA2 Fast Reconnect (or EAP Session Resumption), WPA2 PMK Caching, and Pre-authentication.
- WPA/WPA2 Fast Reconnect (or EAP Session Resumption) caches the TLS session from the initial connection and uses it to simplify and shorten the TLS handshake process for re-authentication attempts. This is usually enabled by default when a client connects to an 802.1X network the first time, but if you push network settings to domain clients you should make sure Fast Reconnect is enabled.
- WPA2 Pairwise Master Key (PMK) Caching allows clients to perform a partial authentication process when roaming back to the access point the client had originally performed the full authentication on. This is typically enabled by default in Windows, with a default expiration time of 720 minutes (12 hours). In Windows 7 and later you can configure these settings via the advanced 802.1X settings for each network connection, however in Windows Vista and earlier they must be edited via registry entries or Group Policy.
- Pre-authentication is a step further than PMK caching, basically performing PMK caching with other access points after connecting to just one, which can help make roaming the wireless network even more seamless. Once a client authenticates via one access point, the existing network connection is used to convey the authentication details to the other access points. By default, pre-authentication is disabled by Windows but can be enabled via the advanced 802.1X settings in Windows 7 or later, or via registry entries or Group Policy in Windows Vista or earlier.
Solve connectivity issues with a single client
If a single computer or device can't connect, the first item to check is if the correct login credentials are being provided. For instance, the username and password if using PEAP, the smart card and PIN, or the user certificate if using EAP-TLS.
Next you may want to check for general network-related issues, such as with the wireless adapter or OS. So consider steps like disabling and re-enabling the client's network connection and rebooting the computer or device.
Next you may want to see if there are issues related to RADIUS server validation, the verification made by the client to ensure the legitimacy of the RADIUS server before moving forward with authentication. To see if it's causing the problem, you can temporarily disable it. Though this server validation is optional, it's typically enabled by default for 802.1X networks in Windows, whereas on smartphones and tablets it usually must be set up manually.
When using Windows you can disable server verification by unchecking the Validate server certificate option in the EAP Properties dialog. For smartphones and tablets you can deselect the Certificate Authority certificate in the network's properties, if one has even been previously installed and selected.
If the computer or device successfully connects to the network after disabling server validation, there is likely something wrong with the RADIUS server's root Certificate Authority certificate loaded on the client and/or the server validation settings on the client.
But there's also a slight possibility that the validation feature was doing its job and you're connecting to a different RADIUS server, maybe even from an attacker's fake network trying to perform man-in-the-middle attacks.
To further troubleshoot the server validation, verify/change some settings before re-enabling it and connecting:
- Ensure the computer or device has been using the correct Certificate Authority certificate for the server validation and consider reinstalling the certificate anyway.
- For Windows and other devices that allow you to specify the RADIUS server's IP or FQDN, verify they're correct and consider temporarily removing them to see if that might be your issue.
- For Windows and other devices that allow you to set the client to not prompt users for trusting new servers or Certificate Authorities, consider disabling that option in case you've made a change to your RADIUS server recently.
- Verify the system time of the client is correct because an incorrect time or date can cause issues if it doesn't fall inside the validity period of the Certificate Authority certificate.
If the client still can't connect after verifying the server validation settings and disabling the validation altogether, next check other client settings that can be misconfigured:
- Verify the correct authentication mode (machine or user) is being used. In Windows 7 and later, click the advanced button on the network's properties dialog and verify the selected authentication mode. For Windows Vista and later, refer to Microsoft's support site.
- If using EAP-TLS, verify the system time of the client is correct because an incorrect time or date can cause issues if it doesn't fall inside the validity period of the user certificate.
- If problems still persist, lastly consider reinstalling the network adapter driver on the client and verifying user attributes (VLAN ID, log-time, etc) on the RADIUS server.
Solve connectivity issues with a switch or access point
If multiple clients can't connect to your 802.1X network via a single switch or access point, first check if it's a general network issue, like the Ethernet/network connection and also consider power cycling the switch or access point. And then if problems persist, verify the RADIUS server settings in the switch or access point:
- Make sure the Shared Secret is the same as defined by the RADIUS server for that particular access point's IP address.
- Ensure the RADIUS IP address is set to the IP of the server.
- Ensure the defined RADIUS ports are those that your server is using, keeping in mind servers may use two different port pairs: 1812/1813 or 1645/1646.
Keep in mind: you want the RADIUS server and all switches and access points to have static IP addresses because if they change it will cause issues.
Turn to troubleshooting tools
For further troubleshooting, you might try using client-based tools and utilities. In Windows Vista or later, for instance, you can perform wireless tracing with the netsh wlan commands. Plus there are also third-party applications you might consider:
- NTRADPING 1.5: an old but very useful RADIUS test tool. It is freeware, works on all Windows platforms, and lets you specify multiple attributes to send to a specific RADIUS server to check its response.
- Radlogin is a freeware RADIUS test client, available for Windows, FreeBSD, Sparc Solaris and Linux platforms. You can use it to simulate, debug and monitor your RADIUS server. Its monitoring capabilities let you keep stats on RADIUS servers, and it supports email alerts.
NOTE: you can download these utilities down here, and downloads are hosted on HeelpBook.net.