We need to know:

- What version of Aruba OS?
- What type of Authentication?
- What Type of Encryption?
-What backend LDAP server?
- Did this ever work?

Thanks for your response. The required information is as follows:

- We are using Aruba650, with OS Version 3.4.0.4.

- This is the first time the device is configured with LDAP authentication settings.

- LDAP has been configured on Windows 2008 Server, which is also AD server.

- Configured 802.1x/WEP on controller.

I hope this info can give u good idea.

That looks like the problem here: http://superuser.com/questions/116541/what-is-a-valid-trust-anchor-in-windows-7-relating-to-wifi

But the problem is that I have manually configured the SSID and added the certificates but it is still not connecting and giving same certificate error.

Before that I have configured RADIUS but the problem with RADIUS was:

- Initially i faced the same certificate issue but after hitting connect 2 times, the network gets connected.
- Second and MAIN problem that it doesnt work with every AD user. Means with some of the users, when they try to connect to the WLAN, it asks for account password and keeps asking and doesnt join the WLAN.

So just for testing, we tried to configure LDAP but facing some other problems which I have already mentioned.

- Please use the radius server. Remove the LDAP server from the server group.

- Make sure that you have a certificate on the radius server under the remote access policy under PEAP.
- Make sure that on your client you have the CA certificate that issued the certificate to your radius server.
- Uncheck termination.

The message you are seeing is because the client does not have a certificate from the Certificate Authority that issued the certificate to the radius server in the trusted store. If you fix that, your problem should go away.

You should NOT use LDAP.

Hi joseph,

Thanks for your support, but problem is that i am still facing same problem after redoing all the exercise.

- Same certificate problem
- Some of AD user unable to join the network

You want me to send the screenshots of all the things?

The message in the server's event viewer when the clients fails authentication would be helpful.

Please carefully take a look at Microsoft's wireless 802.1x deployment guide here http://technet.microsoft.com/en-us/library/dd283093%28WS.10%29.aspx to ensure that you have everything setup correctly. Aruba's user guide also has an Appendix on setting things up with Windows Server that helps out a great deal, as well. Both documents will ensure that everything is where it is supposed to be.

Certificate issues can be troublesome, but ensuring that configuration of the certificate authority, radius server as well as the client is key to understanding why you are getting the error.

We are getting a similar error. We don't have a problem with Windows XP or Vista Clients. Windows 7 seems to really complain about valid Trust Anchors even though the Certificate on our Radius server is valid and we have all of the CA's in the chain.

I have already spoken with our Server Admins to see if there is something in a GPO or in Active Directory somewhere I need to follow up on that again... found that if the Group Policy isn't blocking you, you can connect with Win7 but you have to click connect on the error first.

I was looking into LDAP and the "Windows Server" options for this as a work around what are the reasons for avoiding these and staying with a Radius server?

Server Admins tell me we are not going to 2008 for a while we are currently on 2003.

Redundant Aruba 6000 with M3 modules
AOS 5.0.3
Cisco ACS 4.2 as radius server

Have you opened up a case with Microsoft to explain why you are seeing such an error, since everything is in place? You say your error is similar, has it always been this way or did it just start happening? If so, what changes were made recently?

Unless you have Termination enabled on the controller (and if you already have a certificate on your radius server, you should not have that), the controller is NOT part of the certificate process....

There is a way to change this to LDAP, but there are quite a few restrictions, including less flexibility, less troubleshooting information, and end-user usability issues, so it generally is not worth it.