Not sure what is incorrect, but we have clients randomly failing to authenticate via RADIUS on our Aruba WiFi. 99% of the time users connect and work fine, then randomly, when moving between APs or starting up, they are unable to authenticate.
The following is logged when this occurs on the DC/NPS Server:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          24/07/2014 12:04:36 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      *****.*****.private
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
  Security ID: NULL SID
  Account Name: Domain\username
  Account Domain: Domain
  Fully Qualified Account Name: Domain\username

Client Machine:
  Security ID: NULL SID
  Account Name: -
  Fully Qualified Account Name: -
  OS-Version: -
  Called Station Identifier: 9C:1C:12:C8:AF:A9
  Calling Station Identifier: E8:2A:EA:2E:CE:C6

NAS:
  NAS IPv4 Address: 10.3.8.2
  NAS IPv6 Address: -
  NAS Identifier: -
  NAS Port-Type: Wireless - IEEE 802.11
  NAS Port: 0

RADIUS Client:
  Client Friendly Name: Craigieburn
  Client IP Address: 10.3.8.2

Authentication Details:
  Connection Request Policy Name: Secure Wireless Connections
  Network Policy Name: -
  Authentication Provider: Windows
  Authentication Server: DC.Domain.private
  Authentication Type: MS-CHAPv2
  EAP Type: -
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 16
  Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Below is a copy of the current Group Policy configuring the WiFi settings for clients:
| Policy setting | Value |
|---|---|
| Policy Name | *****-ADMIN |
| Policy Description | *****-ADMIN |
| Policy Type | Windows Vista and Later Releases |
| Use Windows wireless LAN network services for clients | Enabled |
| Shared user credentials for network authentication | Enabled |
| Hosted networks | Enabled |
| Allow user to view denied networks | Enabled |
| Allow everyone to create all user profiles | Enabled |
| Only use Group Policy profiles for allowed networks | Disabled |
| Prevent connection to infrastructure networks | Disabled |
| Prevent connection to adhoc networks | Disabled |

| Network Name (SSID) | Network Type |
|---|---|
| *****-ADMIN | Infrastructure |

| Profile setting | Value |
|---|---|
| Profile Name | *****-ADMIN |
| Network Type | Infrastructure |
| Automatically connect to this network | Enabled |
| Automatically switch to a more preferred network | Enabled |

| Network Name (SSID) | Network Broadcasts its SSID |
|---|---|
| *****-ADMIN | True |

| Security setting | Value |
|---|---|
| Authentication | WPA2 |
| Encryption | AES |
| Use 802.1X | Enabled |
| Pairwise Master Key (PMK) Caching | Enabled |
| PMK Time-to-Live (minutes) | 720 |
| Number of Entries in PMK Cache | 128 |
| Maximum Pre-authentication Failures | 3 |
| Cache user information for subsequent connections to this network | Enabled |
| Computer Authentication | User re-authentication |
| Maximum Authentication Failures | 100 |
| Maximum EAPOL-Start Messages Sent | |
| Held Period (seconds) | |
| Start Period (seconds) | |
| Authentication Period (seconds) | |
| Single Sign On type | preLogon |
| Maximum acceptable delay for network connectivity (seconds) | 10 |
| This network uses different VLAN for authentication with computer and user credentials | Disabled |
| Allow additional dialogs during single sign on | Enabled |
| Authentication method | Protected EAP (PEAP) |
| Validate server certificate | Disabled |
| Enable fast reconnect | Enabled |
| Disconnect if server does not present cryptobinding TLV | Disabled |
| Enforce network access protection | Disabled |
| Authentication method (inner, under PEAP) | Secured password (EAP-MSCHAP v2) |
| Automatically use my Windows logon name and password (and domain if any) | Enabled |
We're running Aruba APs. The username/password for RADIUS is all correct; if it wasn't, it would not work at all. The Aruba reports the deny for authenticating the client as a warning. At first I thought maybe the Aruba was sending the wrong credentials, but the username in the NPS Security log matches what should be sent, so it's not that.
Really at my wits' end here. We've just followed the step 1, 2, 3 etc. guides to set this up and it should be working, but obviously it's not and something is wrong.
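One way to get past a single 6273 event and see the pattern, as an added example that is not part of the original post: the PowerShell script below reads both the grant (6272) and deny (6273) NPS audit events from the Security log on the NPS server, parses the same "Label: value" fields shown in the event above out of each message, and then lines every denial up against the last grant for the same Calling Station Identifier (the client MAC). The `-Hours` and `-User` parameters and the `Get-NpsField` helper are this script's own, not NPS or Aruba names.

```powershell
<#
  Added example (not from the original post). Correlate NPS 6272 (grant) and
  6273 (deny) events per wireless client so intermittent failures can be
  compared with the successful attempts from the same MAC and account.
  Run in an elevated PowerShell on the NPS server (the DC in the question).
  -Hours and -User are this script's own parameters (assumptions).
#>
param(
    [int]$Hours = 24,      # how far back in the Security log to read
    [string]$User = ''     # optional substring filter on the account name
)

# Pull one "Label: value" field out of the event message. NPS writes the same
# tab-indented layout quoted in the question, so a regex on the message text is
# more stable than relying on the order of the event's property array.
function Get-NpsField {
    param([string]$Text, [string]$Label)
    $m = [regex]::Match($Text, '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(\S.*?)\s*$')
    if ($m.Success) { $m.Groups[1].Value } else { '-' }
}

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $msg = $e.Message
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Result     = if ($e.Id -eq 6272) { 'GRANT' } else { 'DENY' }
        Account    = Get-NpsField $msg 'Fully Qualified Account Name'   # first match is the User section
        ClientMac  = Get-NpsField $msg 'Calling Station Identifier'
        ApMac      = Get-NpsField $msg 'Called Station Identifier'
        Nas        = Get-NpsField $msg 'Client Friendly Name'
        AuthType   = Get-NpsField $msg 'Authentication Type'
        EapType    = Get-NpsField $msg 'EAP Type'
        NetPolicy  = Get-NpsField $msg 'Network Policy Name'
        ReasonCode = Get-NpsField $msg 'Reason Code'                    # only present on 6273
    }
}
if ($User) { $rows = @($rows | Where-Object { $_.Account -like "*$User*" }) }

# 1. Per client+account summary. A MAC that both succeeds and fails with the
#    same account is not a plain wrong-password case; compare the auth/EAP
#    types recorded on the grants with those recorded on the denials.
$summary = $rows | Group-Object ClientMac, Account | ForEach-Object {
    $g      = @($_.Group)
    $denies = @($g | Where-Object { $_.Result -eq 'DENY' })
    $grants = @($g | Where-Object { $_.Result -eq 'GRANT' })
    [pscustomobject]@{
        ClientMac = $g[0].ClientMac
        Account   = $g[0].Account
        Grants    = $grants.Count
        Denies    = $denies.Count
        Reasons   = (@($denies | ForEach-Object { $_.ReasonCode }) | Sort-Object -Unique) -join ','
        GrantAuth = (@($grants | ForEach-Object { "$($_.AuthType)/$($_.EapType)" }) | Sort-Object -Unique) -join ' '
        DenyAuth  = (@($denies | ForEach-Object { "$($_.AuthType)/$($_.EapType)" }) | Sort-Object -Unique) -join ' '
    }
}
$summary | Sort-Object Denies -Descending | Format-Table -AutoSize

# 2. Each denial with the time since that client's previous grant. Failures that
#    land shortly after a grant on a different AP (Called Station Identifier)
#    cluster around roaming/reconnect rather than around the credentials.
$rows | Where-Object { $_.Result -eq 'DENY' } | Sort-Object Time | ForEach-Object {
    $d    = $_
    $prev = $rows |
        Where-Object { $_.Result -eq 'GRANT' -and $_.ClientMac -eq $d.ClientMac -and $_.Time -lt $d.Time } |
        Sort-Object Time -Descending | Select-Object -First 1
    $gap = if ($prev) {
        '{0:N1} min after grant on AP {1}' -f ($d.Time - $prev.Time).TotalMinutes, $prev.ApMac
    } else { 'no earlier grant in window' }
    $fields = @($d.Time, $d.ClientMac, $d.Account, $d.ReasonCode, $d.ApMac, $d.Nas, $d.AuthType, $d.EapType, $d.NetPolicy, $gap)
    '{0:yyyy-MM-dd HH:mm:ss} DENY mac={1} user={2} reason={3} AP={4} NAS={5} auth={6}/{7} policy="{8}" ({9})' -f $fields
}
```

Run it as `.\Get-NpsWirelessAuth.ps1 -Hours 48 -User username` (the file name is arbitrary); reading the Security log requires an elevated session. The columns worth comparing are the ones that look odd in the quoted event: that denial was recorded with Authentication Type `MS-CHAPv2`, EAP Type `-` and no matched Network Policy, so seeing what the 6272 events from the same Calling Station Identifier show in those same fields tells you whether the failing attempts are reaching NPS in a different shape from the succeeding ones. Separately from the intermittent failures, the profile above has "Validate server certificate" disabled; with that off, the PEAP client will run its inner MS-CHAPv2 exchange against any RADIUS server that presents a certificate for the SSID, so enabling validation with the NPS server's issuing CA selected is worth doing regardless of what the log correlation turns up.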