Aruba Instant & Cloud Wi-Fi

Occasional Contributor II
Posts: 51
Registered: ‎03-15-2014

802.1x and NPS2012


Attempting to enable PEAP Authentication using NPS 2012.

Users are able to access networks successfully when using the Aruba-provided certificate and termination enabled.

However, when attempting to switch the certificate over to 3rd party - digicert on NPS server we are unable to authenticate.

Any suggestions?

 

We are running IAP 225s with 6.3.1.4

 

Successful Attempt Termination Enabled

 

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/5/2014 1:53:36 PM
Event ID:      6272
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      server1.ewg.lan
Description:
Network Policy Server granted access to a user.

User:
Security ID: Domain\Test
Account Name:test
Account Domain: Domain
Fully Qualified Account Name:Domain\test

Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
OS-Version: -
Called Station Identifier:18:64:72:C7:A2:14
Calling Station Identifier:0C:60:76:24:98:4B

NAS:
NAS IPv4 Address:192.168.70.25
NAS IPv6 Address: -
NAS Identifier:-
NAS Port-Type:Wireless - IEEE 802.11
NAS Port:0

RADIUS Client:
Client Friendly Name: MT 70 VC
Client IP Address: 192.168.70.25

Authentication Details:
Connection Request Policy Name: Secure Wireless Connections - 802.1x
Network Policy Name: Secure Wireless Connections - WiFiStudent - Secure
Authentication Provider: Windows
Authentication Server: server1.domain.lan
Authentication Type: MS-CHAPv2
EAP Type:-
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.

Quarantine Information:
Result:Full Access
Session Identifier:-

 

Fail Attempt Termination Disabled

 

Audit Failure | 8/5/2014 2:02:50 PM | Microsoft Windows security auditing. | 6273 | Network Policy Server

 

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/5/2014 2:02:50 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:     Server1.domain.lan
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: Domain\Test
Account Name: test
Fully Qualified Account Name: Domain\test

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name:-
OS-Version: -
Called Station Identifier:18:64:72:C7:A2:40
Calling Station Identifier:0C:60:76:24:98:4B

NAS:
NAS IPv4 Address:192.168.70.25
NAS IPv6 Address: -
NAS Identifier:192.168.70.36
NAS Port-Type: Wireless - IEEE 802.11
NAS Port:0

RADIUS Client:
Client Friendly Name: MT 70 VC
Client IP Address:192.168.70.25

Authentication Details:
Connection Request Policy Name: Secure Wireless Connections - 802.1x
Network Policy Name: Secure Wireless Connections - WiFiStudent - Secure
Authentication Provider: Windows
Authentication Server: Server1.domain.lan
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.


Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: 802.1x and NPS2012

Are the clients' wireless settings configured using Group Policy?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 51
Registered: ‎03-15-2014

Re: 802.1x and NPS2012

They are not.

With termination enabled - clients are prompted for the certificate if they do not already have it.

After disabling termination we have tried manually providing access to the new certificate.

 

No luck.

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: 802.1x and NPS2012


Is the EAP type specified under the wireless settings on the client?   (PEAP/EAP-MSCHAPv2)

 

peap-win8.JPG

 

eap-mschapv2.JPG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 51
Registered: ‎03-15-2014

Re: 802.1x and NPS2012

Making Progress - on OSX 10.9

 

Manually setting this now prompts to install the certificate from NPS server.

Selecting Show Certificate shows the root certificate is not trusted:  This root certificate is not trusted

 

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/5/2014 4:28:33 PM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Server1.ewg.lan
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: Domain\test2
Account Name: test2
Account Domain: Domain
Fully Qualified Account Name: Domain\TEST2

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 18:64:72:C7:A2:14
Calling Station Identifier: 64:76:BA:AC:74:92

NAS:
NAS IPv4 Address: 192.168.70.25
NAS IPv6 Address: -
NAS Identifier: 192.168.70.32
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name: MT 70 VC
Client IP Address: 192.168.70.25

Authentication Details:
Connection Request Policy Name: Secure Wireless Connections - 802.1x
Network Policy Name: Secure Wireless Connections - WiFiStaff - Secure
Authentication Provider: Windows
Authentication Server: Server1.ewg.lan
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

 

Occasional Contributor II
Posts: 51
Registered: ‎03-15-2014

Re: 802.1x and NPS2012

We are now also getting this event generated as well.

 

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/5/2014 4:35:11 PM
Event ID: 5061
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Server1.ewg.lan
Description:
Cryptographic operation.

Subject:
Security ID: SYSTEM
Account Name: Server1$
Account Domain: Domain
Logon ID: 0x3E7

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: domain-SERVER-CA-1
Key Type: Machine key.

Cryptographic Operation:
Operation: Decrypt.
Return Code: 0x80090010

MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: 802.1x and NPS2012

Here is a tutorial that shows you how to configure Instant + Windows 2012 Server.

The extra thing you will find in this tutorial would be that you are using derived roles in it.

 

http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/tutorial-802-1X-with-Server-Derived-user-role-Instant-Windows/m-p/146084

 

Here is the tutorial which shows you how to configure the client

 

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Correctly-configure-EAP-PEAP-Windows-client/td-p/43398

 

Here is a video as well

https://www.youtube.com/watch?v=-SmeubOR9aE

 

Cheers

Carlos 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: 802.1x and NPS2012

Are the root and intermediate certs installed on the NPS server?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: 802.1x and NPS2012

If he is using a 3rd party certificate he should just install that certificate on the NPS server and put it in the personal certificate store.

If it is not there it will not work.

Also, what kind of certificate do you have?

Did you install it correctly under the personal certificate store?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
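
Added example (not part of the thread, and not Aruba or Microsoft code): one way to check on the NPS server what the two posts above ask about, namely whether a certificate in the machine Personal store has its private key, carries the Server Authentication EKU, and chains to a root the server trusts. It assumes an elevated PowerShell session on the NPS host; revocation checking is switched off so the result reflects only what is in the local stores.

```powershell
# Added example: list each certificate in LocalMachine\My with the properties
# that matter for a PEAP server certificate. Nothing is modified.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$x509 = 'System.Security.Cryptography.X509Certificates'

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # EKU extension: on Windows, a certificate with no EKU extension is
    # treated as valid for all purposes.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = (-not $eku) -or
        ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid)

    # Build the chain in machine context, so only the computer's
    # intermediate and trusted root stores are consulted.
    $chain = New-Object "$x509.X509Chain" ($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Last chain element is the highest issuer that could be located.
    $top = $null
    if ($chain.ChainElements.Count -gt 0) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # False: only the public cert was imported
        ServerAuthEku = $hasServerAuth
        ChainBuilds   = $chainOk              # False: see ChainStatus for the reason
        ChainStatus   = $status
        ChainLength   = $chain.ChainElements.Count
        TopOfChain    = $top
    }
} | Format-List
```

A certificate that shows `HasPrivateKey : False`, lacks the Server Authentication EKU, or reports `PartialChain` or `UntrustedRoot` in `ChainStatus` is one to fix before selecting it in the NPS PEAP properties.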
Occasional Contributor II
Posts: 51
Registered: ‎03-15-2014

Re: 802.1x and NPS2012


We are using a digicert certificate.

I am also attempting using ADCS generated cert and receiving the same security log events.

Both are located under personal certificates.

 

***EDIT***

Will I need to import both the certificate and root certificate on the client or only the certificate?

Where should the root and cert be placed on the NPS server?

 
