fguerra
New Member
March 15, 2016
Question

WPA2 Enterprise RADIUS authentication not working with Windows 2012 NPS


I am trying to get our WiFi to authenticate using Windows NPS. I had a running RADIUS server with Cisco ACS but the device is EoL and the certificate expired. All WiFi worked fine before moving to NPS. I am running a FortiGate 1500D (5.2.3) that is managing FortiAP 320Cs. The FG RADIUS is configured with an authentication method of MS-CHAP-v2 and I successfully tested the connection in the CLI using the diag test authserver radius <server> mschap2 <username> <password>. I configured the NPS server using the following KB document: http://kb.fortinet.com/kb...do?externalID=FD36088. The Windows 2012 server was an existing domain server with NPS newly configured. So, when I tested the RADIUS using the CLI, I get new events in NPS indicating Full Access. But, when I attempt to authenticate from a laptop, I do not get any events in the NPS server. Any help with further troubleshooting or suggestions would be greatly appreciated.

    1 reply

    Jeff_FTNT
    Staff
    March 28, 2016

    You may try using the FGT EAP-proxy feature first.

        config wireless-controller vap
            edit "jeff"
                set vdom "lab"
                set security wpa2-only-enterprise
                set auth usergroup
                set usergroup "radiusgrp"  ---- add RADIUS server as a member
            next
        end

    It will not ask the RADIUS server to support EAP.

     

    If this works, it means your NPS EAP settings have an issue, so check the NPS EAP settings. Then test it with normal wpa2-only-enterprise + RADIUS EAP.

        config wireless-controller vap
            edit "jeff"
                set vdom "lab"
                set security wpa2-only-enterprise
                set auth radius
                set radius-server "test"
            next
        end

     

    fguerra
    Author
    New Member
    March 31, 2016

    The FGT EAP-proxy feature worked and then going back to WPA2 Enterprise + RADIUS did not. In NPS I have changed the EAP Type settings, in the Network Policies, with no success. Currently, I have a case open with Fortinet #1641968.

    Jeff_FTNT
    Staff
    March 31, 2016

    I guess you may use Windows PEAP to connect to the wireless AP. Mostly, its wireless profile enables the "Validate server certificate" check by default.

    For FGT EAP-proxy, it uses a public certificate, so it is easy to set up.

    For the WPA2 Enterprise + RADIUS case, you normally need to import the CA certificate used by RADIUS into the desktop. You may try to manually create a wireless profile on the PC to ignore this step. Hope this helps. Thanks.
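
The certificate check described in the last reply, as an added example that is not part of the original thread: a PowerShell function, run on the Windows client, that reports whether a certificate exported from the NPS server chains to a CA the client already trusts. The function name and the `.cer` path are assumptions; the file is a hypothetical export of the certificate NPS presents for PEAP.

```powershell
# Added example (not from the thread). Run on the Windows client.
# $Path: hypothetical .cer export of the certificate NPS presents for PEAP.
function Test-PeapServerCertificate {
    param([Parameter(Mandatory)][string]$Path)

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $Path).Path

    # Build the chain against the client's own trust stores. Revocation is
    # skipped because a private CA's CRL is often unreachable before the
    # client has joined the network.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    # Last element is the root when the chain is complete; otherwise it is
    # the point where the client ran out of known issuers.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint })

    # PEAP server certificates are expected to list Server Authentication.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = [bool]($eku -and ($eku.EnhancedKeyUsages |
        Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

    [pscustomobject]@{
        Subject            = $cert.Subject
        NotAfter           = $cert.NotAfter
        Expired            = (Get-Date) -gt $cert.NotAfter
        HasServerAuthEku   = $serverAuth
        ChainTrusted       = $trusted
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainEndsAt        = $top.Subject
        ChainEndSelfSigned = $top.Subject -eq $top.Issuer
        ChainEndInRoot     = $inRootStore
    }
}

# Usage (path is a placeholder):
# Test-PeapServerCertificate -Path .\nps-server.cer | Format-List
```

A `ChainStatus` of `UntrustedRoot` or `PartialChain` means the client does not yet have the issuing CA, which matches the "Validate server certificate" failure discussed above.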