Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Odd PEAP/MSCHAP auth issue

  • 1.  Odd PEAP/MSCHAP auth issue

    Posted Nov 16, 2012 06:36 PM

    We just rolled out a pretty large Aruba implementation yesterday. We're having issues with certain Windows clients using cached credentials for authentication to our corporate network. Here is how we're setting clients up:

    1. Create new wireless profile

    2. Use WPA2-Enterprise security

    3. Don't validate the server cert

    4. Forcing user auth versus computer or the "Computer or user" option

    5. Telling Windows to use cached credentials (under the MSCHAP config)

     

    We're running a 2k8 R2 NPS server to handle the .1x requests.

     

    This worked awesome for our test group. Everyone connected up right away without being prompted for credentials or anything like that. Then we went to roll it out to everyone else....

     

    About 1:4 people are being re-prompted for credentials, stating that their credentials (cached) are incorrect. This is not a stale cache issue as I had someone wire into the network and reboot. They had zero issues signing into their laptop and were prompted again once their wireless came up. Entering their credentials into the prompt just causes another failure. We're having people get locked out left and right because of this. There is a workaround, which is to specify the credentials to use under wireless profile properties -> security tab -> advanced settings. This for some reason has no issue connecting but will create quite the headache every month when passwords expire.

     

    I was in the test group and was able to connect fine following the steps above until I started trying to reproduce the problem. I went into the profile properties and told it not to remember my credentials and rebooted. After doing so, the only way I can connect is to enter my credentials manually as mentioned above.

     

    Anyone have any ideas on what could be causing Windows to pass the wrong credentials? I've been fighting this all day and have come up empty-handed.
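
The profile described in steps 1-5 above can be checked from the client side. The following is an added example (not from the original post or from Aruba): it exports every saved WLAN profile with `netsh wlan export profile`, walks the PEAP configuration in the resulting XML, and flags the two settings the post mentions, server certificate validation turned off and user-only authentication, plus a profile that validates but pins no server name or root CA. It assumes Windows 7 or later with PowerShell 3.0+, run from an elevated prompt; it reads and changes nothing. The treatment of a missing `PerformServerValidation` element as "validation on" is an assumption noted in the code.

```powershell
# Added example, not from the thread: audit the saved WLAN profiles on a Windows
# client and flag PEAP profiles configured the way the original post describes
# (server certificate validation off, user-only auth). Read-only; run as admin.

$exportDir = Join-Path $env:TEMP ("wlan-audit-" + [guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $exportDir | Out-Null
# netsh writes one XML file per saved profile into the folder
& netsh.exe wlan export profile folder="$exportDir" | Out-Null

$report = foreach ($file in Get-ChildItem -Path $exportDir -Filter '*.xml') {
    [xml]$doc = Get-Content -Path $file.FullName -Raw
    $oneX = $doc.WLANProfile.MSM.security.OneX
    if (-not $oneX) { continue }                 # PSK / open SSIDs: no 802.1X block

    $eap = $oneX.EAPConfig.EapHostConfig.Config.Eap
    if ($eap.Type -ne '25') { continue }         # EAP type 25 = PEAP; skip EAP-TLS etc.

    $peap = $eap.EapType
    $sv   = $peap.ServerValidation
    $ext  = $peap.PeapExtensions

    # PerformServerValidation is the "Validate server certificate" checkbox.
    # Assumption: when the V2 element is absent, Windows validates by default.
    $validates = if ($ext -and $ext.PerformServerValidation) {
        [bool]::Parse($ext.PerformServerValidation)
    } else { $true }

    $roots = @()
    if ($sv -and $sv.TrustedRootCA) { $roots = @($sv.TrustedRootCA) }
    $names = if ($sv) { $sv.ServerNames } else { $null }

    # Inner method 26 = EAP-MSCHAPv2; UseWinLogonCredentials is the
    # "automatically use my Windows logon name and password" setting,
    # which is what the post calls cached credentials.
    $inner    = $peap.Eap
    $winLogon = $false
    if ($inner -and $inner.Type -eq '26' -and $inner.EapType.UseWinLogonCredentials) {
        $winLogon = [bool]::Parse($inner.EapType.UseWinLogonCredentials)
    }

    $problems = @()
    if (-not $validates)             { $problems += 'server cert validation OFF' }
    if ($validates -and -not $roots) { $problems += 'no trusted root pinned' }
    if ($validates -and -not $names) { $problems += 'no server name pinned' }
    if ($oneX.authMode -eq 'user')   { $problems += 'user-only auth (no machine auth)' }

    [pscustomobject]@{
        Profile         = $doc.WLANProfile.name
        AuthMode        = $oneX.authMode       # machineOrUser / machine / user
        ValidatesServer = $validates
        ServerNames     = $names
        TrustedRootCA   = ($roots -join ';')
        WinLogonCreds   = $winLogon
        Problems        = ($problems -join '; ')
    }
}

Remove-Item -Path $exportDir -Recurse -Force
$report | Sort-Object Problems -Descending | Format-Table -AutoSize
```

A profile that reports `ValidatesServer = False` is one where any RADIUS server presenting any certificate will be handed the MSCHAPv2 exchange, so the "no trusted root pinned" and "no server name pinned" findings are the ones to close before rolling the profile out to the rest of the company.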



  • 2.  RE: Odd PEAP/MSCHAP auth issue

    EMPLOYEE
    Posted Nov 16, 2012 07:05 PM

    - Turn on Computer or User Authentication

    - Make sure on the NPS/IAS side, you have a remote access policy that allows users from the group "Domain Computers".



  • 3.  RE: Odd PEAP/MSCHAP auth issue

    Posted Nov 16, 2012 07:18 PM

    No dice there. I added a condition in our policy to match the machine to the Domain Computers group. I then set my machine back to computer or user, and also tried leaving it unspecified. It just straight up fails to connect when not specified. Computer or user and just user auth present the same symptoms as the OP.



  • 4.  RE: Odd PEAP/MSCHAP auth issue

    EMPLOYEE
    Posted Nov 16, 2012 07:21 PM

    Make your ONLY condition in the policy nas-port-type = IEEE 802.11.  Remove any other condition for now.

     

    Log your computer out to the ctrl-alt-delete screen and look at the eventviewer on the NPS server under Server Roles> NPS and make sure the computer successfully authenticates.

     

    Why do you have "Validate Server Certificate" unchecked?  Do you have Termination enabled in the 802.1x profile on the controller? If so, it needs to be off, and the NPS server needs to have a valid server certificate that your clients trust for machine authentication to occur.
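
The event-viewer check suggested above can be scripted. The following is an added example (not from the reply or from Microsoft): it reads the NPS audit events 6272 (access granted) and 6273 (access denied) from the Security log on the NPS server, splits them into machine authentications (the identity is `host/<fqdn>`) and user authentications, keeps only the 802.11 port type, and summarises who never got a grant and which reason code they were rejected with. It assumes PowerShell 3.0 or later on the NPS box (WMF 3 on 2008 R2), run as an administrator; the `$Hours` window is an arbitrary default.

```powershell
# Added example, not from the thread: summarise recent NPS authentication
# events on the NPS server. 6272 = access granted, 6273 = access denied.
# Run on the NPS box as an administrator (reading the Security log needs it).

param([int]$Hours = 4)   # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

function Get-NpsField {
    # Event data is a flat list of <Data Name="...">; pull one value by name.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    [xml]$x = $e.ToXml()
    $user = Get-NpsField $x 'FullyQualifiedSubjectUserName'
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Result     = if ($e.Id -eq 6272) { 'GRANT' } else { 'DENY' }
        Identity   = $user
        # Machine auth presents host/<fqdn>; everything else is a user logon.
        Kind       = if ($user -like 'host/*') { 'machine' } else { 'user' }
        PortType   = Get-NpsField $x 'NASPortType'
        Policy     = Get-NpsField $x 'NetworkPolicyName'
        EapType    = Get-NpsField $x 'EAPType'
        ReasonCode = Get-NpsField $x 'ReasonCode'
        Reason     = Get-NpsField $x 'Reason'
    }
}

# Only the wireless (IEEE 802.11) port type matters for this thread.
$wifi = $rows | Where-Object { $_.PortType -like '*802.11*' }

"== Denials by reason =="
$wifi | Where-Object { $_.Result -eq 'DENY' } |
    Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"== Identities that never got a GRANT =="
$wifi | Group-Object Identity | Where-Object {
    -not ($_.Group | Where-Object { $_.Result -eq 'GRANT' })
} | ForEach-Object {
    $last = $_.Group | Sort-Object Time | Select-Object -Last 1
    [pscustomobject]@{
        Identity   = $_.Name
        Kind       = $last.Kind
        Attempts   = $_.Count
        Policy     = $last.Policy
        LastReason = "$($last.ReasonCode): $($last.Reason)"
    }
} | Format-Table -AutoSize
```

If the script returns nothing at all, NPS auditing is off; `auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable` turns it on. When the client is sitting at the Ctrl-Alt-Del screen, the only entries for it should be `Kind = machine`; a user identity showing up there means machine authentication is not happening. Reason code 16 is the credentials-mismatch rejection the original poster is seeing, and 48 means no network policy matched, which is what the "only condition NAS-Port-Type = IEEE 802.11" advice is meant to rule out.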

     

     



  • 5.  RE: Odd PEAP/MSCHAP auth issue

    Posted Nov 16, 2012 07:38 PM

    Not 100% certain why the validation is disabled. We actually paid for an Aruba partner who we purchased the equipment from to set this up. We're going through some physical changes at our office and a strong wireless network was a must. I wasn't involved in any of the Aruba configuration (nor the RADIUS/NPS side of things). We purchased ClearPass and they suggested we not worry about the certs until that was in place. I figured they were the experts and didn't argue.  Today is the first time I've even seen the GUI :(. 

     

    In short, can you point me to where I can check the termination settings?



  • 6.  RE: Odd PEAP/MSCHAP auth issue

    Posted Nov 16, 2012 07:43 PM

    Nevermind, think I found it:



  • 7.  RE: Odd PEAP/MSCHAP auth issue

    Posted Nov 16, 2012 07:39 PM

    This looks more like an Active Directory issue, not a wireless controller issue nor an NPS issue...

    Do you have a healthy AD? I mean no errors and all that? For those users, do you see any errors on the AD?

    I mean it looks like your credentials and the credentials on the AD are out of sync for some users.

    You might have AD credentials and cached credentials that became out of sync.

    You can try maybe clearing the credentials in the computer, so it then caches them again?

    The other thing is that you are using this without a certificate on the NPS server, and not even checking for the server or the cert? Without that you have good security using EAP PEAP...

     

    Cheers

    Carlos

     

     



  • 8.  RE: Odd PEAP/MSCHAP auth issue

    Posted Nov 16, 2012 07:44 PM

    Also here is a manual of how you should set up clients...

    http://community.arubanetworks.com/t5/Authentication-and-Access/Correctly-configure-EAP-PEAP-Windows-client/m-p/43398

     

    On the NPS you should use a cert... if you have a certificate authority you can use a Machine template to create a certificate for the NPS and use that one.
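
The following is an added example (not from the reply or from Microsoft) of doing what the reply describes: enrol an NPS server certificate from an AD CS enterprise CA using a named template, then check that the certificate is actually usable for PEAP before selecting it in the network policy. It assumes PowerShell 4.0 or later with the PKI module (`Get-Certificate`, available on Windows 8/2012 and later; on 2008 R2 the same enrolment is done with `certreq` or the Certificates MMC), a CA that publishes the template named in `$TemplateName` to this server, and that `$NpsFqdn` is the name the client profiles will be told to expect. The template name is an assumption; replace it with whatever your CA publishes.

```powershell
# Added example, not from the thread: enrol an NPS server certificate from an
# enterprise CA and verify it is fit for PEAP. Run on the NPS server as admin.

$TemplateName = 'Machine'   # assumed template name; 'Machine' is the built-in Computer template
$NpsFqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Enrol one certificate from the template into the local machine store.
$req = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') { throw "Enrolment status: $($req.Status)" }
$cert = $req.Certificate

function Test-NpsPeapCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedName
    )
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # PEAP requires the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages |
        Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    if (-not $hasServerAuth) { $problems += 'missing Server Authentication EKU' }

    # The DNS name (SAN, else subject CN) should be the name clients will pin.
    $dnsName = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $ExpectedName) {
        $problems += "name '$dnsName' does not match '$ExpectedName'"
    }

    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += 'expires within 30 days' }

    # The chain must build to a root the clients trust. Its thumbprint is what
    # goes into the client profile's TrustedRootCA element.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) { $problems += 'chain does not build to a trusted root' }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Thumbprint     = $Cert.Thumbprint
        Subject        = $Cert.Subject
        NotAfter       = $Cert.NotAfter
        RootThumbprint = $root.Thumbprint
        RootSubject    = $root.Subject
        Problems       = ($problems -join '; ')
    }
}

Test-NpsPeapCert -Cert $cert -ExpectedName $NpsFqdn | Format-List
```

With `Problems` empty, select the certificate under the network policy's PEAP settings in the NPS console, hand `RootThumbprint` to whoever builds the client profiles so "Validate server certificate" can be switched back on with that root pinned, and, as the earlier reply notes, make sure 802.1X termination is off on the controller so the EAP exchange actually reaches NPS.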



  • 9.  RE: Odd PEAP/MSCHAP auth issue

    Posted Nov 16, 2012 07:47 PM

    Yes our AD is healthy, busy, but healthy.

     

    Here is someone else I found who is having the same unsolved mystery:

    http://freeradius.1045715.n5.nabble.com/PEAP-MSCHAPv2-failing-with-Windows-7-td4383068.html

     

     



  • 10.  RE: Odd PEAP/MSCHAP auth issue

    Posted Nov 16, 2012 07:50 PM

    Well, I actually have no experience implementing with termination on the controller, as the clients always had an NPS on the local side where the controller is... so, well, I'll leave it to Collin to advise you better.

    Didn't know it was terminating on the controller.



  • 11.  RE: Odd PEAP/MSCHAP auth issue

    Posted Nov 16, 2012 07:53 PM

    Also, if you purchased this with the Aruba partner, why don't you ask them for help? I mean, at least at my company, if I implement something and it doesn't work properly after the implementation we do help our customer... if it's something on our side we will help with no charge, but if it's something the client introduced or did then we will have to charge them... but well, sometimes we don't, to make them happy :)

     

     



  • 12.  RE: Odd PEAP/MSCHAP auth issue

    Posted Nov 16, 2012 08:10 PM

    Joseph, what isn't working is about a fourth of our Win 7 clients have to manually store their credentials in order to get on our wireless. I'm not about to start creating a new member of our domain so I can follow that document (not to mention we keep domain controllers as server core installations and NPS doesn't work in core). I will however forward it over to our Windows team.

     

    I have a follow up call with the third party who set this up and it probably won't be pleasant. They told us native LDAP was supported at first so I had to ask my Windows guys to throw a RADIUS server together for me. They told me we shouldn't have to mess with any certificates until we get Clear Pass up and running and that's now proving to be misinformation as well. I don't even want to get into what they told us we could do using bridge mode. Wasted almost a day creating a config on my switches just to back it out since hardly anything is supported that way. 

     

    NightShade, they can't figure out what the issue is either and suggested we pay them more money to have one of their Windows experts look at it. 



  • 13.  RE: Odd PEAP/MSCHAP auth issue

    EMPLOYEE
    Posted Nov 16, 2012 07:51 PM
    Not sure where your network was in the first place and what is not working now. You do need to go over the steps to set it up right so that you are not troubleshooting symptoms instead of arriving at a solution. http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113


  • 14.  RE: Odd PEAP/MSCHAP auth issue

    Posted Nov 16, 2012 08:18 PM
    If it just happens on 4 machines I still think it's a cache issue with the credentials... do those users get any issue accessing network resources like a shared folder or anything like that?


  • 15.  RE: Odd PEAP/MSCHAP auth issue

    Posted Nov 16, 2012 08:20 PM

    1/4th, NightShade ;). That was just a guesstimate.

     

     

    My help desk just told me it's more like half the company though. 



  • 16.  RE: Odd PEAP/MSCHAP auth issue

    Posted Nov 16, 2012 08:27 PM

    Sorry, I didn't read properly, I was answering that one from my cellphone hehe...

    Do you really need to terminate it on the controller? Is the NPS server outside of that office?

    Normally you use that when you don't have an NPS server locally where the controller is...



  • 17.  RE: Odd PEAP/MSCHAP auth issue

    Posted Nov 16, 2012 08:31 PM

    No, the NPS server is local just on a different subnet. Now that I know a little more about the setup, I'll bring some of this stuff up in my call on Monday. I'm going to head out for the weekend guys. Thanks for your knowledge. I'll let you know what I find out.