Controllerless Networks

Reply
Contributor I

Uploadiong certificates to Iap105

HI,

This device has been driving me mad for the past week. I an trying to use WPA-2 Enterprise setup.

I have configured One of our windows 2008 R2 servers as a Radius server and A certificate Authority.

I have very little understanding of certificates and have attempted to read many documents reguarding them to little or no avail.

 

I really don tknow if the IAP needs a ceritificate or not . I have the 220page Instant user guide.

I tried to upload a certificaet to the IAP but no matter what certificate  I chose or what format I Copy it to file as I always get the message from the IAP saying the certificate is not a properly formatted certificate file.

 

The user guide says i need a server and CA certificate, I really dont know how to tell which is which.

When I user the certificate export wizard either in windows 7 or Server 2008 I have chosen DER encoding X.509 and Base-64 encoded X509 file formats.

 

This seems to be ridiculously difficult just so I can automate our users experience with wireless connections.

The aim is to not need to explain to every user individually how to set up WPA2-Enterprise wireless connections.

I can use group policy to set it up for them so all they have to do is click on connect.

So far all I get is the client being unable to connect to the IAP.

 

If a use WPA2-Personal and manually configure the client I have no problem.

 

Can anyone please help?

Aruba

Re: Uploadiong certificates to Iap105

If you are doing WPA2-Enterprise authenticaiton, a certificate is not needed on the IAP.  If you are doing PEAP-MSCHAPv2; a certificate is only needed on the RADIUS server.  If you are doing EAP-TLS, you need one on the RADIUS server and on the client.   With NPS, you'll need to ensure the certificate is applied to the Network Policy and EAP configuration.

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I

Re: Uploadiong certificates to Iap105

Hi, Thanks for the response.

Clearly I do not know what I am doing, sorry for that.

Ok, I set WPA Enterprise authentication, so no certificate for the IAP needed, right?

I have selected EAP-MSCHAPV2  dont know if its PEAP or not, simply says Microsoft Password EAP-MSCHAPV2 where you select it.

The Radius server has a certificate

 

I have attached an extract of several logs from the IAP itself and the Radius server.

 

 

Maybe someone can tell me what I am doing wrong.

The AP Authentication Frames log shows this

eap-failure    server rejected?

Is this telling me the RADIUS server does not like the user name and password . Its the domain user and password being sent and I logged on to the client with that user and password.

 

If I use the wrong secret on the IAP it says server timeout instead of server rejected so I guess I am convinced I am not using the wrong secret. I set it up of course, but at this point I have lost faith in anything I do.

 

Any help appreciated.

Contributor I

Re: Uploadiong certificates to Iap105

Obviously I dont know what I am doing on many fronts.

The attachment didnt attach.?????????? OMG here it is..

 

AP Authentication Frames

Nov 17 10:57:50 station-up * 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac - - wpa aes

Nov 17 10:57:50 eap-id-req <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 1 5

Nov 17 10:57:50 eap-start -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac - -

Nov 17 10:57:50 eap-id-req <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 1 5

Nov 17 10:57:50 eap-id-resp -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 1 23 SOPM\user_name

Nov 17 10:57:50 rad-req -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 65414 223

Nov 17 10:57:50 eap-id-resp -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 1 23 SOPM\user_name

Nov 17 10:57:50 rad-resp <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65414 118

Nov 17 10:57:50 eap-req <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 2 34

Nov 17 10:57:50 eap-nak -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 2 6

Nov 17 10:57:50 rad-req -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65415 244

Nov 17 10:57:50 rad-reject <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65415 44

Nov 17 10:57:50 eap-failure <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 2 4 server rejected

Nov 17 10:57:52 station-up * 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac - - wpa aes

Nov 17 10:57:52 eap-id-req <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 1 5

Nov 17 10:57:52 eap-start -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac - -

Nov 17 10:57:52 eap-id-req <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 1 5

Nov 17 10:57:52 eap-id-resp -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 1 23 SOPM\user_name

Nov 17 10:57:52 rad-req -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 65416 223

Nov 17 10:57:52 eap-id-resp -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 1 23 SOPM\user_name

Nov 17 10:57:52 rad-resp <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65416 118

Nov 17 10:57:52 eap-req <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 2 34

Nov 17 10:57:52 eap-nak -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 2 6

Nov 17 10:57:52 rad-req -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65417 244

Nov 17 10:57:52 rad-reject <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65417 44

Nov 17 10:57:52 eap-failure <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 2 4 server rejected

AP Log Security

Nov 17 10:57:50 stm[1022]: <132207> <ERRS> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 stm| RADIUS reject for station SOPM\user_name 00:1b:77:89:3e:5d from server sopm-dc1.

Nov 17 10:57:50 stm[1022]: <132053> <ERRS> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 stm| Dropping the radius packet for Station 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac doing 802.1x

Nov 17 10:57:52 stm[1022]: <132207> <ERRS> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 stm| RADIUS reject for station SOPM\user_name 00:1b:77:89:3e:5d from server sopm-dc1.

Nov 17 10:57:52 stm[1022]: <132053> <ERRS> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 stm| Dropping the radius packet for Station 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac doing 802.1x

 

AP Log User

Nov 17 10:57:50 cli[1016]: <541004> <WARN> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 cli| recv_sta_online: receive station msg, mac-00:1b:77:89:3e:5d bssid-6c:f3:7f:c3:e8:ac ssid-ShimSYDEnt.

Nov 17 10:57:50 cli[1016]: <541003> <WARN> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 cli| Client 00:1b:77:89:3e:5d is failed to authenticate, failure count is 5.

Nov 17 10:57:50 cli[1016]: <541004> <WARN> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 cli| recv_sta_offline: receive station msg, mac-00:1b:77:89:3e:5d bssid-00:00:00:00:25:73 ssid-.

Nov 17 10:57:52 cli[1016]: <541004> <WARN> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 cli| recv_sta_online: receive station msg, mac-00:1b:77:89:3e:5d bssid-6c:f3:7f:c3:e8:ac ssid-ShimSYDEnt.

Nov 17 10:57:52 cli[1016]: <541003> <WARN> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 cli| Client 00:1b:77:89:3e:5d is failed to authenticate, failure count is 6.

Nov 17 10:57:52 cli[1016]: <541004> <WARN> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 cli| recv_sta_offline: receive station msg, mac-00:1b:77:89:3e:5d bssid-00:00:00:00:25:73 ssid-.

AP Log System

Nov 17 10:59:24 cli[1016]: <341004> <WARN> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 cli| AP 172.20.40.114: Client 00:1b:77:89:3e:5d authenticate fail because RADIUS server authentication failure

AP ESSID Table

*********************************************************************************************************

11/17/2012 12:07:06 PM Target: 6c:f3:7f:c4:3e:8a Command: show network

*********************************************************************************************************

Networks

--------

Key Name Clients Type Band Authentication Method Key Management IP Assignment

--- ---- ------- ---- ---- --------------------- -------------- -------------

ShimGuest ShimGuest 0 employee all None WPA2-AES NAT Mode

ShimSYD ShimSYD 0 employee all None WPA-TKIP/WPA2-AES NAT Mode

ShimSYDEnt ShimSYDEnt 1 employee all Per User WPA-TKIP/WPA2-AES NAT Mode

 

NPS Accounting Log IN1211.log

<Event>

<Timestamp data_type="4">11/17/2012 11:57:52.650</Timestamp>

<Computer-Name data_type="1">SOPM-DC1</Computer-Name>

<Event-Source data_type="1">IAS</Event-Source>

<Class data_type="1">311 1 172.20.40.10 11/17/2012 00:21:06 13</Class>

<EAP-Friendly-Name data_type="1"></EAP-Friendly-Name>

<Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>

<Client-IP-Address data_type="3">172.20.40.114</Client-IP-Address>

<Client-Vendor data_type="0">0</Client-Vendor>

<Client-Friendly-Name data_type="1">ShimSYDAP01</Client-Friendly-Name>

<NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name>

<Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name>

<Provider-Type data_type="0">1</Provider-Type>

<SAM-Account-Name data_type="1">SOPM\user_name</SAM-Account-Name>

<Fully-Qualifed-User-Name data_type="1">SOPM\user_name</Fully-Qualifed-User-Name>

<Authentication-Type data_type="0">5</Authentication-Type>

<Packet-Type data_type="0">3</Packet-Type>

<Reason-Code data_type="0">22</Reason-Code>

</Event>

 

 

 

 

Aruba

Re: Uploadiong certificates to Iap105

The NPS error; "Reason Code 22" typically means a problem with the EAP authentication.  

 

In NPS; on the Authentication Methods section (Constraints tab), make sure you have Microsoft: Protected EAP (PEAP) chosen as an EAP type; not EAP-MSCHAP v2.   Then Edit the settings of Microsoft: Protected EAP make sure the proper certificate is listed and that Secured password (EAP-MSCHAP v2) is listed here.  Screenshot attached.

 

On the client:

Make sure you have the settings matched; so using Microsoft Protected EAP; with EAP-MSCHAP v2 as the authentication type. 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I

Re: Uploadiong certificates to Iap105

Hi, Again thank you for the response, I followed your suggestions but still no connection, the reason code is now 23, see the following text.

I also checked the client side as you suggested. It is now using Microsoft Protected EAP; with EAP-MSCHAP v2 as the authentication type.

 

AP Authentication Frames

Nov 17 17:08:56 station-up * 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac - - wpa2 aes

Nov 17 17:08:56 eap-id-req <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 1 5

Nov 17 17:08:56 eap-start -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac - -

Nov 17 17:08:56 eap-id-req <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 1 5

Nov 17 17:08:56 eap-id-resp -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 1 23 SOPM\user_name

Nov 17 17:08:56 rad-req -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 65475 223

Nov 17 17:08:56 eap-id-resp -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 1 23 SOPM\user_name

Nov 17 17:08:56 rad-resp <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65475 90

Nov 17 17:08:56 eap-req <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 2 6

Nov 17 17:08:56 eap-resp -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 2 127

Nov 17 17:08:56 rad-req -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65476 365

Nov 17 17:08:56 rad-resp <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65476 1188

Nov 17 17:08:56 eap-req <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 3 1096

Nov 17 17:08:56 eap-resp -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 3 6

Nov 17 17:08:56 rad-req -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65477 244

Nov 17 17:08:56 rad-resp <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65477 1188

Nov 17 17:08:56 eap-req <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 4 1096

Nov 17 17:08:56 eap-resp -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 4 6

Nov 17 17:08:56 rad-req -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65478 244

Nov 17 17:08:56 rad-resp <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65478 775

Nov 17 17:08:56 eap-req <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 5 687

Nov 17 17:08:56 eap-resp -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 5 343

Nov 17 17:08:56 rad-req -> 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65479 583

Nov 17 17:08:56 rad-reject <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac/sopm-dc1 65479 44

Nov 17 17:08:56 eap-failure <- 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac 5 4 server rejected

 

Ap Log Security

Nov 17 17:08:55 stm[1022]: <132207> <ERRS> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 stm| RADIUS reject for station SOPM\user_name 00:1b:77:89:3e:5d from server sopm-dc1.

Nov 17 17:08:55 stm[1022]: <132053> <ERRS> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 stm| Dropping the radius packet for Station 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac doing 802.1x

Nov 17 17:08:57 stm[1022]: <132207> <ERRS> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 stm| RADIUS reject for station SOPM\user_name 00:1b:77:89:3e:5d from server sopm-dc1.

Nov 17 17:08:57 stm[1022]: <132053> <ERRS> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 stm| Dropping the radius packet for Station 00:1b:77:89:3e:5d 6c:f3:7f:c3:e8:ac doing 802.1x

Ap Log User

Nov 17 17:08:54 cli[1016]: <541004> <WARN> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 cli| recv_sta_online: receive station msg, mac-00:1b:77:89:3e:5d bssid-6c:f3:7f:c3:e8:ac ssid-ShimSYDEnt.

Nov 17 17:08:55 cli[1016]: <541003> <WARN> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 cli| Client 00:1b:77:89:3e:5d is failed to authenticate, failure count is 2.

Nov 17 17:08:55 cli[1016]: <541004> <WARN> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 cli| recv_sta_offline: receive station msg, mac-00:1b:77:89:3e:5d bssid-00:00:00:00:25:73 ssid-.

Nov 17 17:08:57 cli[1016]: <541004> <WARN> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 cli| recv_sta_online: receive station msg, mac-00:1b:77:89:3e:5d bssid-6c:f3:7f:c3:e8:ac ssid-ShimSYDEnt.

Nov 17 17:08:57 cli[1016]: <541003> <WARN> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 cli| Client 00:1b:77:89:3e:5d is failed to authenticate, failure count is 3.

Nov 17 17:08:57 cli[1016]: <541004> <WARN> |AP 6c:f3:7f:c4:3e:8a@172.20.40.114 cli| recv_sta_offline: receive station msg, mac-00:1b:77:89:3e:5d bssid-00:00:00:00:25:73 ssid-.

 

NPS Accounting log IN1211.log

<Event><Timestamp data_type="4">11/17/2012 18:08:57.527</Timestamp><Computer-Name data_type="1">SOPM-DC1</Computer-Name>

<Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 172.20.40.10 11/17/2012 00:21:06 67</Class>

<Authentication-Type data_type="0">11</Authentication-Type>

<Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>

<NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name>

<Fully-Qualifed-User-Name data_type="1">SOPM\user_name</Fully-Qualifed-User-Name>

<SAM-Account-Name data_type="1">SOPM\user_name</SAM-Account-Name>

<Client-IP-Address data_type="3">172.20.40.114</Client-IP-Address>

<Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">ShimSYDAP01</Client-Friendly-Name>

<Provider-Type data_type="0">1</Provider-Type>

<Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Packet-Type data_type="0">3</Packet-Type>

<Reason-Code data_type="0">23</Reason-Code></Event>

 

This is my first experience with Aruba and Radius and its not going well. It so secure it never connects!!!

It seems stupid to have to fall back to WPA-2 Personal in a corporate environment but thats where this is leading to.

 

Any more suggestions would be greatly appreciate. I can't give up.

 

Contributor I

Re: Uploadiong certificates to Iap105

I set RAS tracing and this is the results. Still no clear indication of whats wrong. IASSAM.log set tracing on by netsh ras diagnostics set rastracing * ENABLED turn it off by netsh ras diagnostics set ractracing * DISABLED 336] 11-18 22:29:36:186: NT-SAM Names handler received request with user identity SOPM\user_name. [3336] 11-18 22:29:36:186: Username is already an NT4 account name. [3336] 11-18 22:29:36:186: SAM-Account-Name is "SOPM\user_name". [3336] 11-18 22:29:36:186: Successfully created new RAP Based EAP session for user SOPM\user_name. [3336] 11-18 22:29:36:186: No AUTHENTICATION extensions, continuing [3336] 11-18 22:29:36:186: NT-SAM Authentication handler received request for SOPM\user_name. [3336] 11-18 22:29:36:186: Validating windows user account SOPM\user_name [3336] 11-18 22:29:36:186: Sending LDAP search to SOPM-DC1.my.domain.com. [3336] 11-18 22:29:36:202: Successfully validated windows account SOPM\user_name. [3336] 11-18 22:29:36:202: Allowed EAP type: 26 [3336] 11-18 22:29:36:202: Succesfully created EAP Host session with session id 335 [3336] 11-18 22:29:36:202: Processing output from EAP: action:1 [3336] 11-18 22:29:36:202: Inserting outbound EAP-Message of length 34. [3336] 11-18 22:29:36:202: Issuing Access-Challenge. [3336] 11-18 22:29:36:202: No AUTHORIZATION extensions, continuing [3184] 11-18 22:29:36:202: Successfully retrieved session (335) for user SOPM\user_name. [3184] 11-18 22:29:36:202: No AUTHENTICATION extensions, continuing [3184] 11-18 22:29:36:202: Processing output from EAP: action:2 [3184] 11-18 22:29:36:202: Translating attributes returned by EAPHost. [3184] 11-18 22:29:36:202: EAP authentication failed. [3184] 11-18 22:29:36:202: No AUTHORIZATION extensions, continuing [3184] 11-18 22:29:36:202: Inserting outbound EAP-Message of length 4. [3184] 11-18 22:29:38:405: NT-SAM Names handler received request with user identity host/ITM2-WIN7.my.domain.com. [3184] 11-18 22:29:38:405: Successfully cracked username. [3184] 11-18 22:29:38:405: SAM-Account-Name is "SOPM\ITM2-WIN7$". [3184] 11-18 22:29:38:405: Successfully created new RAP Based EAP session for user SOPM\ITM2-WIN7$. [3184] 11-18 22:29:38:405: No AUTHENTICATION extensions, continuing [3184] 11-18 22:29:38:405: NT-SAM Authentication handler received request for SOPM\ITM2-WIN7$. [3184] 11-18 22:29:38:405: Validating windows user account SOPM\ITM2-WIN7$ [3184] 11-18 22:29:38:405: Sending LDAP search to SOPM-DC1.my.domain.com. [3184] 11-18 22:29:38:405: Successfully validated windows account SOPM\ITM2-WIN7$. [3184] 11-18 22:29:38:405: Allowed EAP type: 26 [3184] 11-18 22:29:38:405: Succesfully created EAP Host session with session id 337 [3184] 11-18 22:29:38:405: Processing output from EAP: action:1 [3184] 11-18 22:29:38:405: Inserting outbound EAP-Message of length 34. [3184] 11-18 22:29:38:405: Issuing Access-Challenge. [3184] 11-18 22:29:38:405: No AUTHORIZATION extensions, continuing [3336] 11-18 22:29:38:405: Successfully retrieved session (337) for user SOPM\ITM2-WIN7$. [3336] 11-18 22:29:38:405: No AUTHENTICATION extensions, continuing [3336] 11-18 22:29:38:405: Processing output from EAP: action:2 [3336] 11-18 22:29:38:405: Translating attributes returned by EAPHost. [3336] 11-18 22:29:38:405: EAP authentication failed. EAP authentication failed YES but why? I've been on this for 5 days its ridiculous.
Contributor I

Re: Uploadiong certificates to Iap105

Sorry the formatting was wrong in previous post.

Log below.

I set RAS tracing and this is the results. Still no clear indication of whats wrong.

IASSAM.log

set tracing on by

netsh ras diagnostics set rastracing * ENABLED

turn it off by

netsh ras diagnostics set ractracing * DISABLED

336] 11-18 22:29:36:186: NT-SAM Names handler received request with user identity SOPM\user_name.

[3336] 11-18 22:29:36:186: Username is already an NT4 account name.

[3336] 11-18 22:29:36:186: SAM-Account-Name is "SOPM\user_name".

[3336] 11-18 22:29:36:186: Successfully created new RAP Based EAP session for user SOPM\user_name.

[3336] 11-18 22:29:36:186: No AUTHENTICATION extensions, continuing

[3336] 11-18 22:29:36:186: NT-SAM Authentication handler received request for SOPM\user_name.

[3336] 11-18 22:29:36:186: Validating windows user account SOPM\user_name

[3336] 11-18 22:29:36:186: Sending LDAP search to SOPM-DC1.my.domain.com.

[3336] 11-18 22:29:36:202: Successfully validated windows account SOPM\user_name.

[3336] 11-18 22:29:36:202: Allowed EAP type: 26

[3336] 11-18 22:29:36:202: Succesfully created EAP Host session with session id 335

[3336] 11-18 22:29:36:202: Processing output from EAP: action:1

[3336] 11-18 22:29:36:202: Inserting outbound EAP-Message of length 34.

[3336] 11-18 22:29:36:202: Issuing Access-Challenge.

[3336] 11-18 22:29:36:202: No AUTHORIZATION extensions, continuing

[3184] 11-18 22:29:36:202: Successfully retrieved session (335) for user SOPM\user_name.

[3184] 11-18 22:29:36:202: No AUTHENTICATION extensions, continuing

[3184] 11-18 22:29:36:202: Processing output from EAP: action:2

[3184] 11-18 22:29:36:202: Translating attributes returned by EAPHost.

[3184] 11-18 22:29:36:202: EAP authentication failed.

[3184] 11-18 22:29:36:202: No AUTHORIZATION extensions, continuing

[3184] 11-18 22:29:36:202: Inserting outbound EAP-Message of length 4.

[3184] 11-18 22:29:38:405: NT-SAM Names handler received request with user identity host/ITM2-WIN7.my.domain.com.

[3184] 11-18 22:29:38:405: Successfully cracked username.

[3184] 11-18 22:29:38:405: SAM-Account-Name is "SOPM\ITM2-WIN7$".

[3184] 11-18 22:29:38:405: Successfully created new RAP Based EAP session for user SOPM\ITM2-WIN7$.

[3184] 11-18 22:29:38:405: No AUTHENTICATION extensions, continuing

[3184] 11-18 22:29:38:405: NT-SAM Authentication handler received request for SOPM\ITM2-WIN7$.

[3184] 11-18 22:29:38:405: Validating windows user account SOPM\ITM2-WIN7$

[3184] 11-18 22:29:38:405: Sending LDAP search to SOPM-DC1.my.domain.com.

[3184] 11-18 22:29:38:405: Successfully validated windows account SOPM\ITM2-WIN7$.

[3184] 11-18 22:29:38:405: Allowed EAP type: 26

[3184] 11-18 22:29:38:405: Succesfully created EAP Host session with session id 337

[3184] 11-18 22:29:38:405: Processing output from EAP: action:1

[3184] 11-18 22:29:38:405: Inserting outbound EAP-Message of length 34.

[3184] 11-18 22:29:38:405: Issuing Access-Challenge.

[3184] 11-18 22:29:38:405: No AUTHORIZATION extensions, continuing

[3336] 11-18 22:29:38:405: Successfully retrieved session (337) for user SOPM\ITM2-WIN7$.

[3336] 11-18 22:29:38:405: No AUTHENTICATION extensions, continuing

[3336] 11-18 22:29:38:405: Processing output from EAP: action:2

[3336] 11-18 22:29:38:405: Translating attributes returned by EAPHost.

[3336] 11-18 22:29:38:405: EAP authentication failed.

 

5 Days of sheer frustration.

 

Guru Elite

Re: Uploadiong certificates to Iap105

It is most likely the radius server.  Please consult the thread here:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

 

You can ignore all of the Aruba controller information, but go through the NPS 2008 server configuration and make sure you have done everything there.    Start with the "Request Certificates" portion.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: Uploadiong certificates to Iap105

i can only echo cjoseph reply. the radius server sends a reject, so something is failing there.

 

perhaps you can setup a test radius server to test more easily without disrupting production. also the event viewer should be able to give you some information about login attempts if event viewer logging is enable from the the NPS / IAS server. if you dont see entries coming up in the event viewer it might be something is wrong in the certificate part. as a workaround you can also disable the certificate check from the radius server on the client.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: