Hi Clembo (thanks for your prompt response),
It is the plan to achieve the use of computer and user certificates. The below describes the current problem further:
1. LAB Environment
Client set up to use EAP-TLS for machine and user login
PC is a member of the domain and both machine and user certificates are installed on the client.
Once the PC is booted up it successfully connects to the network using the machine certificate.
Feb 13 18:36:08 eap-start -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - -
Feb 13 18:36:08 eap-id-req <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 22 5
Feb 13 18:36:08 eap-id-resp -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 22 31 host/AAT33100.LAB.LOCAL
Feb 13 18:36:08 rad-req -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 63 238
Feb 13 18:36:08 rad-resp <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 63 90
Feb 13 18:36:08 eap-req <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 23 6
Feb 13 18:36:08 eap-resp -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 23 167
Feb 13 18:36:08 rad-req -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 64 412
Feb 13 18:36:08 rad-resp <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 64 232
Feb 13 18:36:08 eap-req <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 24 148
Feb 13 18:36:08 eap-resp -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 24 69
Feb 13 18:36:08 rad-req -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 65 314
Feb 13 18:36:08 rad-accept <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 65 242
Feb 13 18:36:08 eap-success <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 24 4
Feb 13 18:36:08 station-data-ready * 00:24:d7:21:10:e4 00:00:00:00:00:00 41 -
Feb 13 18:36:08 m-auth cache * 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - -
Feb 13 18:36:08 wpa2-key1 <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - 117
Feb 13 18:36:08 wpa2-key2 -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - 119
Feb 13 18:36:08 wpa2-key3 <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - 151
Feb 13 18:36:08 wpa2-key4 -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - 95
User initiates logon (CTRL+ALT+DEL) and the user connects to the network successfully.
Feb 13 18:36:21 eap-start -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - -
Feb 13 18:36:21 eap-id-req <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 26 5
Feb 13 18:36:21 eap-id-resp -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 26 23 username@LAB.LOCAL
Feb 13 18:36:21 rad-req -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 66 222
Feb 13 18:36:21 rad-resp <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 66 90
Feb 13 18:36:21 eap-req <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 27 6
Feb 13 18:36:21 eap-resp -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 27 132
Feb 13 18:36:21 rad-req -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 67 369
Feb 13 18:36:21 rad-resp <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 67 1188
Feb 13 18:36:21 eap-req <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 28 1096
Feb 13 18:36:21 eap-resp -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 28 6
Feb 13 18:36:21 rad-req -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 68 243
Feb 13 18:36:21 rad-resp <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 68 1188
Feb 13 18:36:21 eap-req <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 29 1096
Feb 13 18:36:21 eap-resp -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 29 6
Feb 13 18:36:21 rad-req -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 69 243
Feb 13 18:36:21 rad-resp <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 69 371
Feb 13 18:36:21 eap-req <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 30 285
Feb 13 18:36:21 eap-resp -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 30 1492
Feb 13 18:36:21 rad-req -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 70 1739
Feb 13 18:36:21 rad-resp <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 70 90
Feb 13 18:36:21 eap-req <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 31 6
Feb 13 18:36:21 eap-resp -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 31 406
Feb 13 18:36:21 rad-req -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 71 645
Feb 13 18:36:21 rad-resp <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 71 153
Feb 13 18:36:21 eap-req <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 32 69
Feb 13 18:36:21 eap-resp -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 32 6
Feb 13 18:36:21 rad-req -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 72 243
Feb 13 18:36:21 rad-accept <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4/LAB_NPS 72 242
Feb 13 18:36:21 eap-success <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 32 4
Feb 13 18:36:21 station-data-ready * 00:24:d7:21:10:e4 00:00:00:00:00:00 41 -
Feb 13 18:36:21 station-data-ready * 00:24:d7:21:10:e4 00:00:00:00:00:00 41 -
Feb 13 18:36:21 m-auth resp * 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - - authenticated
Feb 13 18:36:21 wpa2-key1 <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - 117
Feb 13 18:36:21 wpa2-key1 <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - 117
Feb 13 18:36:22 wpa2-key1 <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - 117
Feb 13 18:36:23 wpa2-key1 <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - 117
Feb 13 18:36:23 wpa2-key2 -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - 119
Feb 13 18:36:23 wpa2-key3 <- 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - 151
Feb 13 18:36:23 wpa2-key4 -> 00:24:d7:21:10:e4 d8:c7:c8:a8:86:e4 - 95
The above setup works successfully in the lab.
2. PROD Environment
Aruba and NPS are configured the same as in the lab.
Feb 14 09:43:12 station-up * 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a - - wpa2 aes
Feb 14 09:43:12 eap-id-req <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 1 5
Feb 14 09:43:12 eap-start -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a - -
Feb 14 09:43:12 eap-id-req <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 1 5
Feb 14 09:43:12 eap-id-resp -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 1 39 host/Computerclient.prod.local
Feb 14 09:43:12 rad-req -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 29 252
Feb 14 09:43:12 eap-id-resp -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 1 39 host/Computerclient.prod.local
Feb 14 09:43:12 rad-resp <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a/PROD-NPS-radius server 29 90
Feb 14 09:43:12 eap-req <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 2 6
Feb 14 09:43:12 eap-resp -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 2 105
Feb 14 09:43:12 rad-req -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a/PROD-NPS-radius server 30 356
Feb 14 09:43:12 rad-resp <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a/PROD-NPS-radius server 30 1188
Feb 14 09:43:12 eap-req <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 3 1096
Feb 14 09:43:12 eap-resp -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 3 6
Feb 14 09:43:12 rad-req -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a/PROD-NPS-radius server 31 257
Feb 14 09:43:12 rad-resp <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a/PROD-NPS-radius server 31 1188
Feb 14 09:43:12 eap-req <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 4 1096
Feb 14 09:43:12 eap-resp -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 4 6
Feb 14 09:43:12 rad-req -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a/PROD-NPS-radius server 32 257
Feb 14 09:43:12 rad-resp <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a/PROD-NPS-radius server 32 287
Feb 14 09:43:12 eap-req <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 5 203
Feb 14 09:43:13 eap-resp -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 5 1492
Feb 14 09:43:13 rad-req -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a/PROD-NPS-radius server 33 1753
Feb 14 09:43:13 rad-resp <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a/PROD-NPS-radius server 33 90
Feb 14 09:43:13 eap-req <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 6 6
Feb 14 09:43:13 eap-resp -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 6 825
Feb 14 09:43:13 rad-req -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a/PROD-NPS-radius server 34 1082
Feb 14 09:43:13 rad-resp <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a/PROD-NPS-radius server 34 153
Feb 14 09:43:13 eap-req <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 7 69
Feb 14 09:43:13 eap-resp -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 7 6
Feb 14 09:43:13 rad-req -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a/PROD-NPS-radius server 35 257
Feb 14 09:43:13 rad-accept <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a/PROD-NPS-radius server 35 218
Feb 14 09:43:13 eap-success <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 7 4
Feb 14 09:43:13 station-data-ready * 00:24:d7:05:63:cc 00:00:00:00:00:00 101 -
Feb 14 09:43:13 wpa2-key1 <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a - 117
Feb 14 09:43:13 wpa2-key2 -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a - 119
Feb 14 09:43:13 wpa2-key3 <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a - 151
Feb 14 09:43:13 wpa2-key4 -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a - 95
User initiates logon (CTRL+ALT+DEL) and it fails.
Feb 14 09:44:37 eap-start -> 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a - -
Feb 14 09:44:37 eap-id-req <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 9 5
Feb 14 09:45:07 eap-id-req <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 9 5
Feb 14 09:45:37 eap-id-req <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 9 5
Feb 14 09:46:07 eap-failure <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 9 4 station timeout
Feb 14 09:46:07 eap-id-req <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 10 5
Feb 14 09:46:37 eap-id-req <- 00:24:d7:05:63:cc d8:c7:c8:2b:6d:9a 10 5
There are no logs in NPS regarding the user logon attempts. Looking at the Aruba auth-trace-buff, the client did not respond to the EAP Identity request. We were unable to enable the local event logger on the client due to group policy restrictions.
Config extract:
! machine and user role set to allow-all only for testing
!
user-role sh-corp-machine-role
access-list session allowall
!
!
user-role sh-corp-user-role
access-list session allowall
!
!
aaa server-group "PROD-NPS-Server Group"
allow-fail-through
auth-server "PROD-NPS-radius server"
!
aaa profile "corp-aaa_prof"
mac-default-role "logon"
authentication-dot1x "NPS-corp-802.1x-authprofile"
dot1x-server-group "PROD-NPS-Server Group"
radius-accounting "PROD-NPS-Server Group"
!
! termination on controller un-ticked.
!
aaa authentication dot1x "NPS-corp-802.1x-authprofile"
machine-authentication enable
machine-authentication machine-default-role "sh-corp-machine-role"
machine-authentication user-default-role "sh-corp-user-role"
timer idrequest_period 5
server server-retry-period 5
termination eap-type eap-tls
! only wpa2-aes selected
!
wlan ssid-profile "corp-ssid_prof"
essid "ssid-corp"
opmode wpa2-aes
!
!
wlan virtual-ap "corp-vap_prof"
aaa-profile "corp-aaa_prof"
ssid-profile "corp-ssid_prof"
vlan 101
dos-prevention
band-steering
!
(some of the "names" were modified intentionally to prevent security disclosure)
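The distinction the post draws, that the controller kept sending eap-id-req without ever seeing an eap-id-resp and therefore never built a RADIUS request for NPS to log, can be checked mechanically over an auth-trace-buf dump. The script below is an added example and is not part of the original post or any Aruba tooling: it assumes the line layout shown above (timestamp, event, direction, station MAC, peer MAC optionally suffixed with /server-name, EAP or RADIUS id, length, optional trailing text), groups the EAP/RADIUS events into attempts per station, and states for each attempt which layer it stalled at. The trace lines embedded in it are constructed for the example, with made-up MACs, hostname and server name.

```python
"""Added example (not from the original post): classify 802.1X attempts in an
Aruba-style auth-trace-buf dump, so a "supplicant never answered the Identity
request" stall is separated from a RADIUS reject before anyone opens NPS."""
import re

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
# Assumed line layout, modelled on the trace in the post:
#   <ts> <event> <dir> <sta> <peer>[/<server name>] <id> <len> [<extra>]
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<event>.+?) (?P<dir><-|->|\*) "
    rf"(?P<sta>{MAC}) (?P<peer>{MAC})(?:/(?P<server>.+?))? "
    r"(?P<id>\d+|-) (?P<len>\d+|-)(?: (?P<extra>.+))?$"
)

# Constructed sample: machine auth succeeds, then the user logon attempt
# gets three Identity requests, no reply, and times out.
SAMPLE_TRACE = """\
Feb 14 09:43:12 station-up * 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 - - wpa2 aes
Feb 14 09:43:12 eap-start -> 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 - -
Feb 14 09:43:12 eap-id-req <- 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 1 5
Feb 14 09:43:12 eap-id-resp -> 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 1 39 host/example-pc.corp.example
Feb 14 09:43:12 rad-req -> 00:11:22:33:44:55 aa:bb:cc:dd:ee:01/NPS radius server 29 252
Feb 14 09:43:12 rad-resp <- 00:11:22:33:44:55 aa:bb:cc:dd:ee:01/NPS radius server 29 90
Feb 14 09:43:13 eap-req <- 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 2 6
Feb 14 09:43:13 eap-resp -> 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 2 105
Feb 14 09:43:13 rad-req -> 00:11:22:33:44:55 aa:bb:cc:dd:ee:01/NPS radius server 30 356
Feb 14 09:43:13 rad-accept <- 00:11:22:33:44:55 aa:bb:cc:dd:ee:01/NPS radius server 30 218
Feb 14 09:43:13 eap-success <- 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 2 4
Feb 14 09:43:13 wpa2-key1 <- 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 - 117
Feb 14 09:43:13 wpa2-key2 -> 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 - 119
Feb 14 09:44:37 eap-start -> 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 - -
Feb 14 09:44:37 eap-id-req <- 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 9 5
Feb 14 09:45:07 eap-id-req <- 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 9 5
Feb 14 09:45:37 eap-id-req <- 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 9 5
Feb 14 09:46:07 eap-failure <- 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 9 4 station timeout
"""


def parse_line(line):
    """Return the fields of one trace line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(att):
    """Map the counters of one attempt to the layer where it stopped."""
    if att["outcome"] == "success":
        return "authenticated as %s" % att["identity"]
    if att["id_resp"] == 0:
        # No EAP-Response/Identity means the controller never built an
        # Access-Request, so the RADIUS server has nothing to log.
        return ("supplicant did not answer %d EAP Identity request(s); "
                "no RADIUS sent, look at the client" % att["id_req"])
    if att["rad_req"] == 0:
        return "identity received but no RADIUS request built; check aaa profile / server group"
    return "RADIUS exchange started but ended with %s; check the server log" % att["outcome"]


def analyze(lines):
    """Group EAP/RADIUS trace events into attempts per station and diagnose each.

    An attempt opens at eap-start (or at the first EAP/RADIUS event for a station
    with nothing open) and closes at eap-success or eap-failure. An eap-start that
    arrives while the controller has only sent Identity requests is folded into
    the open attempt, which is what happens right after station-up.
    """
    open_attempt, attempts = {}, []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ev, sta = rec["event"], rec["sta"]
        if not (ev.startswith("eap-") or ev.startswith("rad-")):
            continue  # station-up and the 4-way handshake are outside the EAP exchange
        att = open_attempt.get(sta)
        if ev == "eap-start" and att and att["id_resp"] == 0 and att["rad_req"] == 0:
            pass
        elif ev == "eap-start" or att is None:
            att = {"sta": sta, "start": rec["ts"], "identity": None, "id_req": 0,
                   "id_resp": 0, "rad_req": 0, "outcome": "incomplete"}
            attempts.append(att)
            open_attempt[sta] = att
        if ev == "eap-id-req":
            att["id_req"] += 1
        elif ev == "eap-id-resp":
            att["id_resp"] += 1
            att["identity"] = rec["extra"]
        elif ev == "rad-req":
            att["rad_req"] += 1
        elif ev == "eap-success":
            att["outcome"] = "success"
            open_attempt.pop(sta, None)
        elif ev == "eap-failure":
            att["outcome"] = "failure: " + (rec["extra"] or "unspecified")
            open_attempt.pop(sta, None)
    for att in attempts:
        att["diagnosis"] = diagnose(att)
    return attempts


if __name__ == "__main__":
    for a in analyze(SAMPLE_TRACE.splitlines()):
        print("%s %s id_req=%d id_resp=%d rad_req=%d -> %s"
              % (a["start"], a["sta"], a["id_req"], a["id_resp"], a["rad_req"], a["diagnosis"]))
```

Run it against the output of the controller's auth trace (paste the lines into a file and feed `analyze(open(path).read().splitlines())`); an attempt reported as "no RADIUS sent" is the case in the post, and no amount of NPS-side searching will find it. The same summary also makes the duplicate eap-id-req/eap-id-resp pairs and retried wpa2-key1 frames in the posted traces easy to spot by count rather than by eye.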