
How to fix the Windows Security Alert that appears during RADIUS authentication

Aruba Employee

Environment: While connecting to a wireless network on a Windows system that is part of a workgroup, a Windows Security Alert dialog similar to the following may be displayed:




The server “<Authentication server>” presented a valid certificate issued by “<CA name>”, but “<CA name>” is not configured as a valid trust anchor for this profile. Further, the server “<Authentication server>” is not configured as a valid NPS server to connect to this profile.


The server “<Authentication server>” presented a valid certificate issued by “<CA name>”, but “<CA name>” is not configured as a valid trust anchor for this profile.

If you click the Connect button on the dialog box, the wireless connection will be established successfully.


To validate the server certificate, Windows will check if the second element in the chain, the Certification Authority (CA) that issued the end certificate, is a trusted CA for Windows NT Authentication. A CA is considered to be trusted if it exists in the "NTAuth" system registry store found in the CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE store location. If this verification fails, either of the warning messages in the Symptoms section could occur. By default, the CA certificate is not in the NTAuth store on a Windows system that is part of a workgroup.


To work around the issue, export the certificate of the CA that issued the authentication server's certificate to a file. Copy the file to the workgroup machine and then run the following command from an elevated Command Prompt:

certutil -enterprise -addstore NTAuth CA_CertFilename.cer


Once the CA certificate has been added to the NTAuth store, the certificate check during authentication succeeds and the Windows Security Alert is no longer displayed.
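A pre-check for the workaround above, added here as an example and not part of the original article: it confirms that the exported file is the CA certificate you expect before placing it in NTAuth, and skips the import if it is already there. The parameter names, the Test-NtAuthContains helper and the thumbprint placeholder are assumptions; the real thumbprint should come from whoever administers the CA.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
param(
    [string]$CaFile = '.\CA_CertFilename.cer',                  # file name used in the article
    [string]$ExpectedThumbprint = '<CA-THUMBPRINT-PLACEHOLDER>' # assumption: obtained out of band
)

# Hypothetical helper: the enterprise NTAuth store is registry-backed, and each
# certificate is stored under a subkey named after its SHA-1 thumbprint.
function Test-NtAuthContains {
    param([string]$Thumbprint)
    $store = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    return (Test-Path -Path (Join-Path $store $Thumbprint))
}

$path = (Resolve-Path -Path $CaFile).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# 1. The file must be the exact CA certificate you were told to expect.
#    Non-hex characters (spaces, hidden marks copied from the GUI) are stripped first.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint). Not importing."
}

# 2. It must be a CA certificate (basicConstraints CA=TRUE) and currently valid.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not ($bc -and $bc.CertificateAuthority)) { throw "Not a CA certificate: $($cert.Subject)" }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 3. Import only if missing, using the command from the article, then re-check the store.
if (Test-NtAuthContains $cert.Thumbprint) {
    Write-Output "Already in NTAuth: $($cert.Subject)"
} else {
    certutil -enterprise -addstore NTAuth $path
    if ($LASTEXITCODE -ne 0 -or -not (Test-NtAuthContains $cert.Thumbprint)) {
        throw "certutil did not add the certificate to NTAuth (exit code $LASTEXITCODE)."
    }
    Write-Output "Added to NTAuth: $($cert.Subject) [$($cert.Thumbprint)]"
}
```

A CA in NTAuth is trusted for Windows NT authentication on that machine, so the thumbprint comparison in step 1 is the part not to skip.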

Version history: Revision 1 of 1
Last update: 04-08-2015 06:39 AM

We are having this same issue except that choosing "Connect" also fails.


Current setup is Aruba 6000 chassis with M3 cards running ArubaOS, Airwave and Clearpass running 6.6.5.

DigiCert certificate installed on all devices/servers and yet the "Radius Server: aruba-2" is not the name of any configured server/device/appliance.


Not only can you not connect, but we are at a loss as to where the certificate is coming from.

Most of this was in place before I entered the department, and being new(er) in networking, I am stumped as to where to fix this.

I would have thought the certificate would either come from (the one installed on) the Controller or Clearpass, but this name is neither.


Thank you for any help or direction.



Can you do a packet capture and look for the TLS Server Hello + Certificate packet(s) and take a look at the certificate?

cappalli, thanks for the reply. I was not able to do a packet capture, but since my MacBook was connecting (Apple being more forgiving) I was able to look in the keychain and find the certificate and see the IP it was coming from. Turns out it was the secondary CP server, as it was not configured the same as the primary. Once I had that, it was just a matter of matching the primary. Appreciate the response.