  1. #1

    glennda

    Radius Authentication - Credential Mismatch

    I'm trying to set up RADIUS on a Windows 2008 R2 (clients with problem are Win 7 Pro) and having a bit of a nightmare. The wireless system is Meraki and the Meraki test with RADIUS works fine, and I am able to connect to the SSID using an iPad and manually entering data.

    When trying to connect from a domain-joined Win 7 laptop I get the following errors, but can't seem to work it out??

    Code:
    Network Policy Server denied access to a user.
    
    Contact the Network Policy Server administrator for more information.
    
    User:
    	Security ID:			NULL SID
    	Account Name:			host/machine.domain.Local
    	Account Domain:			domain
    	Fully Qualified Account Name:	domain\machine$
    
    Client Machine:
    	Security ID:			NULL SID
    	Account Name:			-
    	Fully Qualified Account Name:	-
    	OS-Version:			-
    	Called Station Identifier:		0Mac-Address:SSIDNAME - Secure WLAN
    	Calling Station Identifier:		0Mac-Address
    
    NAS:
    	NAS IPv4 Address:		AP-IP
    	NAS IPv6 Address:		-
    	NAS Identifier:			-
    	NAS Port-Type:			Wireless - IEEE 802.11
    	NAS Port:			0
    
    RADIUS Client:
    	Client Friendly Name:		RADIUS CLIENT NAME
    	Client IP Address:			RADIUS CLIENT IP
    
    Authentication Details:
    	Connection Request Policy Name:	NAP 802.1X (Wireless)
    	Network Policy Name:		-
    	Authentication Provider:		Windows
    	Authentication Server:		Server.domain.Local
    	Authentication Type:		PEAP
    	EAP Type:			-
    	Account Session Identifier:		-
    	Logging Results:			Accounting information was written to the local log file.
    	Reason Code:			16
    	Reason:				Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    Code:
    Network Policy Server denied access to a user.
    
    Contact the Network Policy Server administrator for more information.
    
    User:
    	Security ID:			NULL SID
    	Account Name:			domain\username
    	Account Domain:			domain
    	Fully Qualified Account Name:	domain\username
    
    Client Machine:
    	Security ID:			NULL SID
    	Account Name:			-
    	Fully Qualified Account Name:	-
    	OS-Version:			-
    	Called Station Identifier:		Mac-Address:SSID - Secure WLAN
    	Calling Station Identifier:		MAC-Address
    
    NAS:
    	NAS IPv4 Address:		AP-IP
    	NAS IPv6 Address:		-
    	NAS Identifier:			-
    	NAS Port-Type:			Wireless - IEEE 802.11
    	NAS Port:			0
    
    RADIUS Client:
    	Client Friendly Name:		RADIUS CLIENT NAME
    	Client IP Address:			RADIUS CLIENT IP
    
    Authentication Details:
    	Connection Request Policy Name:	NAP 802.1X (Wireless)
    	Network Policy Name:		-
    	Authentication Provider:		Windows
    	Authentication Server:		Server.domain.Local
    	Authentication Type:		PEAP
    	EAP Type:			-
    	Account Session Identifier:		-
    	Logging Results:			Accounting information was written to the local log file.
    	Reason Code:			16
    	Reason:				Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

  2. #2
    Jamo

    Are you using MS-CHAP?

    Tis worth double checking the certificates for clients and servers. You can tick a box somewhere in the settings to not validate the server certificate for testing, if that works then that points to a non trusted certificate in your infrastructure.

  3. #3

    glennda
    Quote (originally posted by Jamo):
        Are you using MS-CHAP?

        Tis worth double checking the certificates for clients and servers. You can tick a box somewhere in the settings to not validate the server certificate for testing, if that works then that points to a non trusted certificate in your infrastructure.

    It is configured to allow it - shall I just try with normal CHAP?

    I'm guessing it's just a case of pulling the RADIUS server's cert out and installing on the client?

  4. #4
    Jamo
    Quote (originally posted by glennda):
        It is configured to allow it - shall I just try with normal CHAP?

        I'm guessing it's just a case of pulling the RADIUS server's cert out and installing on the client?

    MS-CHAP is fine, it just requires the server certificate to be trusted on the machine if you have validation on. Did you mean you have it turned on atm? Turn it off for a sec to test, if it works then it's at least narrowed it down to this!

  5. #5

    plexer

    Have you set up a machine group that is allowed access or did you just use Domain Computers?

    Ben

  6. #6

    glennda
    Quote (originally posted by Jamo):
        MS-CHAP is fine, it just requires the server certificate to be trusted on the machine if you have validation on. Did you mean you have it turned on atm? Turn it off for a sec to test, if it works then it's at least narrowed it down to this!

    I have kind of inherited this so not 100% sure if it's by the book. I have 4 rules currently:
    Rule 1: Health Policy - NAP802.1x (Wireless Compliant) - users have to be in AD group, auth set to Microsoft Encrypted Auth Version 2 (MS-CHAP-v2) user can change password, along with Microsoft Encrypted Auth (MS-CHAP) user can change password.
    Rule 2: Health Policy NAP 802.1X (Wireless) Noncompliant. Auth same as above.
    Rule 3: NAP-Capable value: Computer is non NAP-capable, NAS port type Wireless - Other OR Wireless - IEEE 802.11, user is required to be in group.
    Rule 4: user is member of said group, auth methods Microsoft Encrypted Auth Version 2 (MS-CHAP-v2) user can change password, along with Microsoft Encrypted Auth (MS-CHAP) user can change password, Encrypted CHAP, Unencrypted auth PAP, SPAP.

    @plexer I have created a group which both the user and the machine are part of.

  7. #7

    glennda

    I think this boils back to the SSL cert on the clients being issued by a different internal CA to the domain controller's present one. I've now imported that SSL cert from the root CA on the client side and imported into the domain controller's trusted root CA.

    This now gets me to another error:

    Code:
    Network Policy Server denied access to a user.
    
    Contact the Network Policy Server administrator for more information.
    
    User:
    	Security ID:			NULL SID
    	Account Name:			host/clienthostname
    	Account Domain:			domain
    	Fully Qualified Account Name:	domain\clienthostname$
    
    Client Machine:
    	Security ID:			NULL SID
    	Account Name:			-
    	Fully Qualified Account Name:	-
    	OS-Version:			-
    	Called Station Identifier:		Mac-Address:SSID - Secure WLAN
    	Calling Station Identifier:		Mac-Address
    NAS:
    	NAS IPv4 Address:		AP-IP
    	NAS IPv6 Address:		-
    	NAS Identifier:			-
    	NAS Port-Type:			Wireless - IEEE 802.11
    	NAS Port:			0
    
    RADIUS Client:
    	Client Friendly Name:		RADIUSCLIENTNAME
    	Client IP Address:			RadiusClientIP same as NAS IP?
    
    Authentication Details:
    	Connection Request Policy Name:	NAP 802.1X (Wireless)
    	Network Policy Name:		-
    	Authentication Provider:		Windows
    	Authentication Server:		DomainController
    	Authentication Type:		EAP
    	EAP Type:			-
    	Account Session Identifier:		-
    	Logging Results:			Accounting information was written to the local log file.
    	Reason Code:			22
    	Reason:				The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

  8. #8

    glennda
    *Bump*

  9. #9

    Gatt

    We've just had the Error 16 issue when trying to set up Eduroam and found that it was in fact SSL certificate related as others have suggested (we were using PEAP as well as MS-CHAPv2).

    Make sure your certs are correctly trusted at both ends, and all intermediates and roots are installed on servers and clients.

  10. #10

    glennda
    Quote (originally posted by Gatt):
        We've just had the Error 16 issue when trying to set up Eduroam and found that it was in fact SSL certificate related as others have suggested (we were using PEAP as well as MS-CHAPv2).

        Make sure your certs are correctly trusted at both ends, and all intermediates and roots are installed on servers and clients.

    Have successfully done that part but now I get an error code 22!

  11. #11

    Gatt

    Have you enabled the cert in NPS (Policies -> Network Policies -> {your policy} -> Constraints -> Auth Method -> PEAP -> Edit)?

  12. #12
    Jamo
    Hehe I love error codes!!

    Did you turn off certificate validation? It will only check for a valid domain password then.

  13. #13

    glennda
    Quote (originally posted by Jamo):
        Hehe I love error codes!!

        Did you turn off certificate validation? It will only check for a valid domain password then.

    Nope, where can I set that?

  14. #14
    Jamo
    Quote (originally posted by glennda):
        Nope, where can I set that?

    In the wireless settings in group policy.

    Edit the network SSID you are connecting to, then in the 802.1x tab choose settings and there should be a validate server certificate listed in the options, just untick for testing.
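
Added example (not part of any post in this thread): a Python sketch that parses pasted NPS denial events like the ones above and maps reason codes 16 and 22 to the checks the replies suggested. The sample events are constructed from the thread's anonymised logs; the function names and the `NEXT_CHECK` wording are this example's own.

```python
import re
from collections import Counter

HEADER = "Network Policy Server denied access to a user."
FIELD = re.compile(r"^\s*([A-Za-z][\w .()-]*?):[ \t]+(\S.*?)\s*$")
# Next checks per reason code, as suggested in the replies above.
NEXT_CHECK = {
    "16": "check the NPS server certificate chain is trusted on the client",
    "22": "check the certificate selected for PEAP in the network policy",
}

def parse_event(text):
    """Map the 'Field: value' lines of one event body to a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)  # section headers such as 'User:' do not match
        if m:  # first hit wins: the User section precedes Client Machine
            fields.setdefault(m.group(1), m.group(2))
    return fields

def triage(text):
    """Reduce one denial event to the fields that drive the next step."""
    f = parse_event(text)
    fq = f.get("Fully Qualified Account Name", "")
    code = f.get("Reason Code", "?")
    return {
        "kind": "machine" if fq.endswith("$") else "user",
        "auth_type": f.get("Authentication Type"),
        "reason_code": code,
        "next_check": NEXT_CHECK.get(code, "look up this reason code"),
    }

def summarise(log_text):
    """Count denials per (account kind, reason code) in a pasted log."""
    events = log_text.split(HEADER)[1:]
    return Counter((t["kind"], t["reason_code"]) for t in map(triage, events))

# Constructed sample, trimmed from the events posted in this thread.
SAMPLE = r"""Network Policy Server denied access to a user.
    Fully Qualified Account Name:  domain\username
Client Machine:
    Fully Qualified Account Name:  -
    Authentication Type:           PEAP
    Reason Code:                   16
Network Policy Server denied access to a user.
    Fully Qualified Account Name:  domain\clienthostname$
    Authentication Type:           EAP
    Reason Code:                   22
"""
```

Calling `summarise(SAMPLE)` groups the denials by account kind and reason code, which shows at a glance whether machine and user authentication are failing for the same reason.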
