Good afternoon all,
I'm having some issues configuring NPS for EAP-MSCHAPv2. What I've done so far:
1. Added the NPS server role
2. Configured a RADIUS-client with a shared secret. Configured RADIUS on the AP and verified connectivity.
3. Added an AD group called WiFi and added all the computers/accounts for WiFi access.
4. Created a new Network Policy and Connection Request Policy using the 'RADIUS Server for 802.1X Wireless or Wired Connections' wizard with the following settings:
- Type of 802.1X Connections: Secure Wireless Connections
- RADIUS Clients: Added the previously configured RADIUS client from step 2.
- Type: chose EAP-MSCHAPv2 and set the Authentication Retry to 20 (for debugging reasons).
- Groups: Added the WiFi group
But when trying to connect to the RADIUS WiFi the client keeps verifying. The following are snippets from the RAS tracing logs.
[8204] 10-01 15:03:44:357: EapChapBeginMSChapV2
[8204] 10-01 15:03:44:357: ReadConnectionData
[8204] 10-01 15:03:44:357: EapChapBeginCommon
[8204] 10-01 15:03:44:357: ChapBegin(fS=1,bA=0x81)
[8204] 10-01 15:03:44:357: ChapBegin done.
[8204] 10-01 15:03:44:357: EapMSChapv2MakeMessage
[8204] 10-01 15:03:44:357: EapMSChapv2SMakeMessage
[8204] 10-01 15:03:44:357: EMV2_Initial
[8204] 10-01 15:03:44:357: ChapMakeMessage,RBuf=0000000000000000
[8204] 10-01 15:03:44:357: ChapSMakeMessage
[8204] 10-01 15:03:44:357: CS_Initial...
[8204] 10-01 15:03:44:357: MakeChallengeMessage...
[8204] 10-01 15:03:44:357: GetChallenge.
[8204] 10-01 15:03:44:357: GetChallenge: LsaCallAuthenticationPackage succeeded
[8204] 10-01 15:03:44:357: GetChallenge.
[8204] 10-01 15:03:44:357: GetChallenge: LsaCallAuthenticationPackage succeeded
01 0A 00 1B 10 50 95 10 2C 97 65 EC 43 7B 19 1E |.....P..,.e.C{..|
DF 3E 51 29 C8 53 52 56 46 50 31 00 00 00 00 00 |.>Q).SRVFP1.....|
[5916] 10-01 15:03:44:361: EapMSChapv2End
[5916] 10-01 15:03:44:361: ChapEnd

[8204] 10-01 15:03:44:354: NT-SAM Names handler received request with user identity KANTOOR\btbadmin.
[8204] 10-01 15:03:44:355: Username is already an NT4 account name.
[8204] 10-01 15:03:44:355: SAM-Account-Name is "KANTOOR\btbadmin".
[8204] 10-01 15:03:44:355: Successfully created new RAP Based EAP session for user KANTOOR\btbadmin.
[8204] 10-01 15:03:44:355: No AUTHENTICATION extensions, continuing
[8204] 10-01 15:03:44:355: NT-SAM Authentication handler received request for KANTOOR\btbadmin.
[8204] 10-01 15:03:44:355: Validating windows user account KANTOOR\btbadmin
[8204] 10-01 15:03:44:355: Sending LDAP search to SRVFP1.kantoor.local.
[8204] 10-01 15:03:44:356: Successfully validated windows account KANTOOR\btbadmin.
[8204] 10-01 15:03:44:357: Allowed EAP type: 26
[8204] 10-01 15:03:44:357: Succesfully created EAP Host session with session id 455
[8204] 10-01 15:03:44:357: Processing output from EAP: action:1
[8204] 10-01 15:03:44:357: Inserting outbound EAP-Message of length 32.
[8204] 10-01 15:03:44:357: Issuing Access-Challenge.
[8204] 10-01 15:03:44:357: No AUTHORIZATION extensions, continuing
[5916] 10-01 15:03:44:361: Successfully retrieved session (455) for user KANTOOR\btbadmin.
[5916] 10-01 15:03:44:361: No AUTHENTICATION extensions, continuing
[5916] 10-01 15:03:44:361: Processing output from EAP: action:2
[5916] 10-01 15:03:44:361: Translating attributes returned by EAPHost.
[5916] 10-01 15:03:44:361: EAP authentication failed.
[5916] 10-01 15:03:44:361: No AUTHORIZATION extensions, continuing
I got the feeling that I'm missing something small. Any tips would be greatly appreciated.
Kind regards,
MaartenDD
BehindTheButtons - STRONG IDEAS, FLEXIBLE SOLUTIONS - http://www.behindthebuttons.com
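For the kind of NPS debugging described in the post above, here is an added PowerShell snippet (my own example, not code from the original post or from Microsoft) that pulls the NPS audit events 6272/6273 from the Security log and reports the reason code NPS recorded for each denied request, which the RAS trace does not show. It assumes NPS auditing is enabled and that the EventData field names used below match the 6272/6273 event schema.

```powershell
# Added example, not part of the original post.
# Assumes NPS audit events are enabled, e.g.
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
# and that the EventData names below match the 6272/6273 event schema.
#
# Context from the trace above: "Allowed EAP type: 26" is bare EAP-MSCHAPv2.
# PEAP (EAP type 25) carries the same MSCHAPv2 exchange inside a TLS tunnel,
# which is what Windows wireless supplicants normally expect and which keeps
# the MSCHAPv2 challenge/response off the air.

param(
    [string] $User  = 'KANTOOR\btbadmin',   # identity seen in the trace; constructed default
    [int]    $Hours = 1
)

# Subset of NPS reason codes that explain most 802.1X setup mistakes.
$ReasonText = @{
    16 = 'Credential mismatch (wrong password or unsupported hash)'
    22 = 'EAP type cannot be processed by the server'
    48 = 'No matching network policy'
    49 = 'No matching connection request policy'
    65 = 'Dial-in Network Access Permission is set to Deny'
    66 = 'Authentication method not enabled on the matching network policy'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273          # 6272 = access granted, 6273 = access denied
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read the structured EventData instead of the localised Message text.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($User -and $d['FullyQualifiedSubjectUserName'] -notlike "*$User*") { continue }

    $code = [int]$d['ReasonCode']   # 0 when the field is absent (granted events)
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Result   = if ($e.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
        User     = $d['FullyQualifiedSubjectUserName']
        Client   = $d['ClientName']             # RADIUS client friendly name (the AP)
        Policy   = $d['NetworkPolicyName']
        AuthType = $d['AuthenticationType']
        EapType  = $d['EAPType']
        Reason   = if ($ReasonText[$code]) { "$code - $($ReasonText[$code])" } else { "$code - $($d['Reason'])" }
    }
}
```

Run it on the NPS server itself; a reason code of 66 or 22 points at a mismatch between the EAP method offered by the client and the one enabled in the network policy, while 48/49 means the request never matched a policy at all.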