
Common Wireless RADIUS Configuration Issues

This knowledge base article discusses common configuration errors when implementing WPA2 Enterprise with PEAP-MSCHAPv2, using error codes from a Windows 2008 NPS environment. It covers Windows event log messages, possible causes for the error events, and recommended solutions.

Windows Event Viewer can be found by navigating to Start > All Programs > Administrative Tools > Event Viewer. The two logs referenced in this article are the Network Policy and Access Services logs and the Security logs.

Common Configuration Errors

The following common configuration errors may cause RADIUS authentication to fail. Though the error codes outlined below are specific to Windows NPS, the following configuration checks should be made regardless of RADIUS server vendor:

1. No certificate installed on the RADIUS Server or the certificate has expired.

2. Cisco Meraki Access Points are not added as a RADIUS Client or are configured for DHCP

3. Incorrect Secret on the Dashboard

4. Network Policy is Misconfigured

5. Connection Request Policy is Misconfigured

6. Mismatch in Authentication Settings

7. Incorrect Username or Password

8. Root Certificate is not added to the client Device

Event ID 6273 with reason code 23 (bad/missing certificate)

Connection issues often occur because a digital certificate is not installed on the RADIUS server or the certificate has expired. If this is the case, you will see Event ID 6273 with Reason Code 23 in the Network Policy and Access Services logs.

To resolve this, install or renew a certificate on your NPS server so that TLS can be established.

Event ID 13:  A RADIUS message was received from the invalid RADIUS client (APs not added as clients)

WPA2 Enterprise authentication requires that your Cisco Meraki Access Points be added as RADIUS Clients on your NPS server. Because of this, it is imperative that a static IP assignment or a DHCP fixed IP assignment be used on your APs. If your AP is not added as a RADIUS Client, you will see Event ID 13 in the Network Policy and Access Services logs.

To resolve this, see the KB articles on adding a RADIUS client and setting static IP addresses on access points.

Event ID 18: An Access-Request message was received from RADIUS client x.x.x.x with a Message-Authenticator attribute that is not valid (bad shared secret)

On the Dashboard, under Configure > Access Control, you must enter a secret when specifying your RADIUS server. This secret must match the shared secret you enter when adding the MR Access Points as RADIUS clients. When the secrets do not match, you will see Event ID 18 in the Network Policy and Access Services logs.

To resolve this, ensure that the Shared Secret entered when adding a Gateway AP as a RADIUS Client in NPS matches the Secret under Configure > Access Control on the Dashboard.

Event ID 6273 Reason Code 48 (bad network policy)

If you receive Event ID 6273 with Reason Code 48 when testing with the RADIUS Test feature on Dashboard, this is usually indicative of an incorrectly configured Network Policy on your NPS server.

To resolve this, please refer to our documentation on creating an NPS policy for PEAP-MSCHAPv2.

If the Dashboard test passes and you receive this error when testing with a Windows 7 client, ensure the client's WPA2 Enterprise settings are correct.

Event ID 6273 Reason Code 49 (bad request policy)

If you receive Event ID 6273 with Reason Code 49 when testing with the RADIUS Test feature on Dashboard, this is usually indicative of an incorrectly configured Connection Request Policy on your NPS server.

To resolve this, visit our KB on Creating a Policy in NPS to Support PEAP-MSCHAPv2 Authentication.

Event ID 6273 Reason Code 66 (auth settings mismatch)

If you receive Event ID 6273 with Reason Code 66 when testing with the RADIUS Test feature on Dashboard, this is usually indicative of incorrectly configured authentication settings in the Network Policy on your NPS server.

To resolve this, visit our KB on Creating a Policy in NPS to Support PEAP-MSCHAPv2 Authentication.

If the Dashboard test passes and you receive this error when testing with a Windows 7 client, ensure the client's authentication settings are correct by viewing our KB on Pushing a PEAP Wireless Profile to a Windows 7 domain computer via GPO.

Event ID 6273 Reason Code 8 (bad username or password)

When testing RADIUS authentication, it is possible that the username may be incorrect or may not be located in the Windows group specified in the Network Policy. If this is the case, you will see Event ID 6273 with Reason Code 8 in the Network Policy and Access Services logs.

To resolve this, ensure the username is correct and is present in the Windows group specified in your Network Policy. Please refer to our documentation regarding NPS policy configuration.

When testing RADIUS authentication, it is also possible that the user's password may be incorrect. If this is the case, you will see Event ID 4625 in the Windows Security logs.

To resolve this, confirm the user's password and/or perform a password reset in Active Directory.

Event ID 6273 Reason Code 265 (untrusted CA)

On Windows end-user devices you have the option to validate the server certificate presented by the server when using WPA2 Enterprise, which is strongly recommended for RADIUS. If this option is selected, the Certificate Authority must be added to the client's list of Trusted Root Certification Authorities. If the Certificate Authority is not added to the Windows client, you may see Event ID 6273 with Reason Code 265 in the Network Policy and Access Services logs.
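To triage many failures at once, the event IDs and reason codes covered in this article can be applied to a batch of events saved from Event Viewer as XML. This is an added example, not Meraki tooling: it assumes the export wraps the `<Event>` elements in a single root element and that event 6273 carries its code in a `ReasonCode` data field; the sample events are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (event ID, reason code) -> cause, as listed in this article.
CAUSES = {
    ("6273", "23"): "bad/missing certificate on the RADIUS server",
    ("6273", "48"): "bad network policy",
    ("6273", "49"): "bad connection request policy",
    ("6273", "66"): "authentication settings mismatch",
    ("6273", "8"): "bad username or password",
    ("6273", "265"): "untrusted CA on the client",
    ("13", None): "AP not added as a RADIUS client",
    ("18", None): "bad shared secret",
    ("4625", None): "incorrect user password",
}

def classify(event):
    """Return (event_id, reason_code, cause) for one <Event> element."""
    event_id = event.findtext("e:System/e:EventID", default="", namespaces=NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in event.iterfind("e:EventData/e:Data", NS)}
    # Only event 6273 is keyed by reason code in this article.
    code = data.get("ReasonCode") if event_id == "6273" else None
    return event_id, code, CAUSES.get((event_id, code), "not covered by this article")

def triage(xml_text):
    """Count events per (event_id, reason_code, cause) in an XML export."""
    root = ET.fromstring(xml_text)
    return Counter(classify(ev) for ev in root.iterfind("e:Event", NS))

def _event(event_id, **data):  # builds one constructed sample event
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')

# Constructed sample, not real log data.
SAMPLE = "<Events>" + "".join([
    _event(6273, SubjectUserName="alice", ReasonCode=23),
    _event(6273, SubjectUserName="bob", ReasonCode=23),
    _event(6273, SubjectUserName="carol", ReasonCode=265),
    _event(6273, SubjectUserName="erin", ReasonCode=16),
    _event(4625, TargetUserName="dave"),
]) + "</Events>"

if __name__ == "__main__":
    for (eid, code, cause), n in triage(SAMPLE).most_common():
        print(f"{n:3d}  event {eid} reason {code}: {cause}")
```

Reason codes outside this article's list are counted separately as "not covered by this article" rather than being folded into a known cause.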

Last modified
14:17, 12 Aug 2015


Article ID

ID: 2158
