Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User certificate error when connecting

  • 1.  User certificate error when connecting

    Posted Feb 14, 2013 09:21 PM

    Hi All,

    Thanks beforehand for reading/helping on the following:

     

    I have deployed a comp-user cert validation scenario (Windows 7 - Aruba controller - NPS), and it works fine when the comp validates itself using the comp cert (before login).
    The issue starts when the client sends user details. The following is some of the log entries that I'm able to paste for your perusal:

     

    Feb 13 18:53:11  station-up             *  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        -      -    wpa2 aes
    Feb 13 18:53:11  eap-id-req            <-  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        1      5
    Feb 13 18:53:11  eap-start             ->  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        -      -
    Feb 13 18:53:11  eap-id-req            <-  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        1      5
    Feb 13 18:53:11  eap-id-resp           ->  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        1      22   DOMAIN\username
    Feb 13 18:53:11  rad-req               ->  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        65457  218
    Feb 13 18:53:11  eap-id-resp           ->  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        1      22   DOMAIN\username
    Feb 13 18:53:11  rad-resp              <-  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92/COW-NPS-radius server  65457  90
    Feb 13 18:53:11  eap-req               <-  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        2      6
    Feb 13 18:53:11  eap-nak               ->  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        2      6
    Feb 13 18:53:11  rad-req               ->  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92/COW-NPS-radius server  65458  240
    Feb 13 18:53:11  rad-reject            <-  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92/COW-NPS-radius server  65458  44
    Feb 13 18:53:11  eap-failure           <-  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        2      4    server rejected
    Feb 13 18:53:31  eap-id-req            <-  00:26:82:09:16:c2  d8:c7:c8:2b:6d:9a                        18     5
    Feb 13 18:53:35  station-up             *  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        -      -    wpa2 aes
    Feb 13 18:53:35  station-data-ready     *  00:24:d7:05:63:cc  00:00:00:00:00:00                        101    -
    Feb 13 18:53:35  wpa2-key1             <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        -      117
    Feb 13 18:53:35  eap-start             ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        -      -
    Feb 13 18:53:35  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        2      5
    Feb 13 18:53:41  eap-id-req            <-  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        3      5
    Feb 13 18:54:01  eap-id-req            <-  00:26:82:09:16:c2  d8:c7:c8:2b:6d:9a                        19     5
    Feb 13 18:54:05  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        2      5
    Feb 13 18:54:11  eap-id-req            <-  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        4      5
    Feb 13 18:54:31  eap-id-req            <-  00:26:82:09:16:c2  d8:c7:c8:2b:6d:9a                        19     5
    Feb 13 18:54:35  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        2      5
    Feb 13 18:54:41  eap-id-req            <-  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        4      5
    Feb 13 18:55:01  eap-id-req            <-  00:26:82:09:16:c2  d8:c7:c8:2b:6d:9a                        19     5
    Feb 13 18:55:05  eap-failure           <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        2      4    station timeout
    Feb 13 18:55:05  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        3      5
    Feb 13 18:55:11  eap-id-req            <-  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        4      5
    Feb 13 18:55:31  eap-id-req            <-  00:26:82:09:16:c2  d8:c7:c8:2b:6d:9a                        20     5
    Feb 13 18:55:35  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        3      5
    Feb 13 18:55:41  eap-id-req            <-  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        5      5
    Feb 13 18:56:01  eap-id-req            <-  00:26:82:09:16:c2  d8:c7:c8:2b:6d:9a                        20     5
    Feb 13 18:56:05  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        3      5
    Feb 13 18:56:11  eap-id-req            <-  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        5      5
    Feb 13 18:56:31  eap-id-req            <-  00:26:82:09:16:c2  d8:c7:c8:2b:6d:9a                        20     5
    Feb 13 18:56:35  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        4      5
    Feb 13 18:56:41  eap-id-req            <-  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        5      5
    Feb 13 18:57:01  station-down           *  00:26:82:09:16:c2  d8:c7:c8:2b:6d:9a                        -      -
    Feb 13 18:57:05  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        4      5
    Feb 13 18:57:11  station-down           *  74:de:2b:a5:ae:5d  d8:c7:c8:2b:6d:92                        -      -

     

    I'd like to mention that I have deployed the comp-user cert scenario in my LAB (only Windows default policies) and it works fine. Replicating the same scenario in PROD produces the above (btw, the PROD environment uses lots more AD policies).

     

    Cheers,

     

     

     



  • 2.  RE: User certificate error when connecting

    Posted Feb 14, 2013 09:43 PM

     

    • Is your goal to use only computer certificates, or to use both computer and then user certificates when the user logs on?
    • At the time of the failed user attempt, can you send what the NPS logs report?

     

     



  • 3.  RE: User certificate error when connecting

    Posted Feb 14, 2013 11:59 PM

    Hi Clembo (thanks for your prompt response),

     

    It's the plan to achieve the use of computer and user certificates. The below describes the current problem further:

     

    1. LAB environment

     

    Client is set up to use EAP-TLS for machine and user login.

    PC is a member of the domain, and both machine and user certificates are installed on the client.

     

    Once the PC is booted up, it successfully connects to the network using the machine certificate.

     

    Feb 13 18:36:08  eap-start             ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   -   

    Feb 13 18:36:08  eap-id-req            <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             22  5   

    Feb 13 18:36:08  eap-id-resp           ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             22  31   host/AAT33100.LAB.LOCAL

    Feb 13 18:36:08  rad-req               ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             63  238 

    Feb 13 18:36:08  rad-resp              <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  63  90  

    Feb 13 18:36:08  eap-req               <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             23  6   

    Feb 13 18:36:08  eap-resp              ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             23  167 

    Feb 13 18:36:08  rad-req               ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  64  412 

    Feb 13 18:36:08  rad-resp              <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  64  232 

    Feb 13 18:36:08  eap-req               <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             24  148 

    Feb 13 18:36:08  eap-resp              ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             24  69   

    Feb 13 18:36:08  rad-req               ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  65  314  

    Feb 13 18:36:08  rad-accept            <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  65  242  

    Feb 13 18:36:08  eap-success           <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             24  4    

    Feb 13 18:36:08  station-data-ready     *  00:24:d7:21:10:e4  00:00:00:00:00:00             41  -    

    Feb 13 18:36:08  m-auth cache           *  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   -    

    Feb 13 18:36:08  wpa2-key1             <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   117  

    Feb 13 18:36:08  wpa2-key2             ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   119  

    Feb 13 18:36:08  wpa2-key3             <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   151  

    Feb 13 18:36:08  wpa2-key4             ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   95   

     

    User initiates logon (ALT+CTRL+DEL) and the user connects to the network successfully.

     

    Feb 13 18:36:21  eap-start             ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   -    

    Feb 13 18:36:21  eap-id-req            <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             26  5    

    Feb 13 18:36:21  eap-id-resp           ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             26  23    username@LAB.LOCAL

    Feb 13 18:36:21  rad-req               ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             66  222  

    Feb 13 18:36:21  rad-resp              <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  66  90   

    Feb 13 18:36:21  eap-req               <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             27  6    

    Feb 13 18:36:21  eap-resp              ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             27  132  

    Feb 13 18:36:21  rad-req               ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  67  369  

    Feb 13 18:36:21  rad-resp              <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  67  1188 

    Feb 13 18:36:21  eap-req               <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             28  1096 

    Feb 13 18:36:21  eap-resp              ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             28  6    

    Feb 13 18:36:21  rad-req               ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  68  243  

    Feb 13 18:36:21  rad-resp              <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  68  1188 

    Feb 13 18:36:21  eap-req               <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             29  1096 

    Feb 13 18:36:21  eap-resp              ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             29  6    

    Feb 13 18:36:21  rad-req               ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  69  243  

    Feb 13 18:36:21  rad-resp              <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  69  371  

    Feb 13 18:36:21  eap-req               <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             30  285  

    Feb 13 18:36:21  eap-resp              ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             30  1492 

    Feb 13 18:36:21  rad-req               ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  70  1739 

    Feb 13 18:36:21  rad-resp              <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  70  90   

    Feb 13 18:36:21  eap-req               <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             31  6    

    Feb 13 18:36:21  eap-resp              ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             31  406  

    Feb 13 18:36:21  rad-req               ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  71  645  

    Feb 13 18:36:21  rad-resp              <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  71  153  

    Feb 13 18:36:21  eap-req               <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             32  69   

    Feb 13 18:36:21  eap-resp              ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             32  6    

    Feb 13 18:36:21  rad-req               ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  72  243  

    Feb 13 18:36:21  rad-accept            <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4/LAB_NPS  72  242  

    Feb 13 18:36:21  eap-success           <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             32  4    

    Feb 13 18:36:21  station-data-ready     *  00:24:d7:21:10:e4  00:00:00:00:00:00             41  -    

    Feb 13 18:36:21  station-data-ready     *  00:24:d7:21:10:e4  00:00:00:00:00:00             41  -    

    Feb 13 18:36:21  m-auth resp            *  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   -     authenticated

    Feb 13 18:36:21  wpa2-key1             <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   117  

    Feb 13 18:36:21  wpa2-key1             <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   117  

    Feb 13 18:36:22  wpa2-key1             <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   117  

    Feb 13 18:36:23  wpa2-key1             <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   117  

    Feb 13 18:36:23  wpa2-key2             ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   119  

    Feb 13 18:36:23  wpa2-key3             <-  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   151  

    Feb 13 18:36:23  wpa2-key4             ->  00:24:d7:21:10:e4  d8:c7:c8:a8:86:e4             -   95   

     

    The above setup works successfully in the lab.

     

     

    2. PROD environment

    Aruba and NPS are configured the same as in the lab.

     

    Feb 14 09:43:12  station-up             *  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        -    -     wpa2 aes

    Feb 14 09:43:12  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        1    5    

    Feb 14 09:43:12  eap-start             ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        -    -    

    Feb 14 09:43:12  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        1    5    

    Feb 14 09:43:12  eap-id-resp           ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        1    39    host/Computerclient.prod.local

    Feb 14 09:43:12  rad-req               ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        29   252  

    Feb 14 09:43:12  eap-id-resp           ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        1    39    host/Computerclient.prod.local

    Feb 14 09:43:12  rad-resp              <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a/PROD-NPS-radius server  29   90   

    Feb 14 09:43:12  eap-req               <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        2    6    

    Feb 14 09:43:12  eap-resp              ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        2    105  

    Feb 14 09:43:12  rad-req               ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a/PROD-NPS-radius server  30   356  

    Feb 14 09:43:12  rad-resp              <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a/PROD-NPS-radius server  30   1188 

    Feb 14 09:43:12  eap-req               <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        3    1096 

    Feb 14 09:43:12  eap-resp              ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        3    6    

    Feb 14 09:43:12  rad-req               ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a/PROD-NPS-radius server  31   257  

    Feb 14 09:43:12  rad-resp              <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a/PROD-NPS-radius server  31   1188 

    Feb 14 09:43:12  eap-req               <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        4    1096 

    Feb 14 09:43:12  eap-resp              ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        4    6    

    Feb 14 09:43:12  rad-req               ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a/PROD-NPS-radius server  32   257  

    Feb 14 09:43:12  rad-resp              <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a/PROD-NPS-radius server  32   287  

    Feb 14 09:43:12  eap-req               <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        5    203  

    Feb 14 09:43:13  eap-resp              ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        5    1492 

    Feb 14 09:43:13  rad-req               ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a/PROD-NPS-radius server  33   1753 

    Feb 14 09:43:13  rad-resp              <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a/PROD-NPS-radius server  33   90   

    Feb 14 09:43:13  eap-req               <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        6    6    

    Feb 14 09:43:13  eap-resp              ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        6    825  

    Feb 14 09:43:13  rad-req               ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a/PROD-NPS-radius server  34   1082 

    Feb 14 09:43:13  rad-resp              <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a/PROD-NPS-radius server  34   153  

    Feb 14 09:43:13  eap-req               <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        7    69   

    Feb 14 09:43:13  eap-resp              ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        7    6    

    Feb 14 09:43:13  rad-req               ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a/PROD-NPS-radius server  35   257  

    Feb 14 09:43:13  rad-accept            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a/PROD-NPS-radius server  35   218  

    Feb 14 09:43:13  eap-success           <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        7    4    

    Feb 14 09:43:13  station-data-ready     *  00:24:d7:05:63:cc  00:00:00:00:00:00                        101  -    

    Feb 14 09:43:13  wpa2-key1             <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        -    117  

    Feb 14 09:43:13  wpa2-key2             ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        -    119  

    Feb 14 09:43:13  wpa2-key3             <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        -    151  

    Feb 14 09:43:13  wpa2-key4             ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        -    95   

     

    User initiates logon (ALT+CTRL+DEL) and it fails.

     

     

    Feb 14 09:44:37  eap-start             ->  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        -    -    

    Feb 14 09:44:37  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        9    5    

    Feb 14 09:45:07  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        9    5    

    Feb 14 09:45:37  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        9    5    

    Feb 14 09:46:07  eap-failure           <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        9    4     station timeout

    Feb 14 09:46:07  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        10   5    

    Feb 14 09:46:37  eap-id-req            <-  00:24:d7:05:63:cc  d8:c7:c8:2b:6d:9a                        10   5   

     

    No logs in NPS regarding user logon attempts.  Looking at the Aruba auth-tracebuf, the client did not respond to the eap-id request.  We were unable to enable the local event logger on the client due to group policy restrictions.

     

    Config extract

     

    !machine and user role set to allow all only for testing

    !

    user-role sh-corp-machine-role

     access-list session allowall

    !

    !

    user-role sh-corp-user-role

     access-list session allowall

    !

    !

    aaa server-group "PROD-NPS-Server Group"

       allow-fail-through

     auth-server "PROD-NPS-radius server"

    !

     

    aaa profile "corp-aaa_prof"

       mac-default-role "logon"

       authentication-dot1x "NPS-corp-802.1x-authprofile"

       dot1x-server-group "PROD-NPS-Server Group"

       radius-accounting "PROD-NPS-Server Group"

    !

    ! termination on controller un-ticked.

    !

    aaa authentication dot1x "NPS-corp-802.1x-authprofile"

       machine-authentication enable

       machine-authentication machine-default-role "sh-corp-machine-role"

       machine-authentication user-default-role "sh-corp-user-role"

       timer idrequest_period 5

       server server-retry-period 5

       termination eap-type eap-tls

     

     

    ! only wpa2-aes selected

    !

    wlan ssid-profile "corp-ssid_prof"

       essid "ssid-corp"

       opmode wpa2-aes

    !

    !

    wlan virtual-ap "corp-vap_prof"

       aaa-profile "corp-aaa_prof"

       ssid-profile "corp-ssid_prof"

       vlan 101

       dos-prevention

       band-steering

    !

     

     

    (some of the "names" were modified intentionally to prevent security disclosure)
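
Added example (not part of the original posts, and not the posters' or Aruba's code): a small Python parser for the trace layout quoted in this thread that tells apart the two failure shapes shown above, a RADIUS reject that follows an `eap-nak` and a station timeout after unanswered `eap-id-req` messages. The sample lines, MAC addresses, identity and server name are constructed, and the verdict labels are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the trace layout quoted in the thread
# (MACs, identity and server name are made up for this example).
SAMPLE = r"""
Feb 13 18:53:11  station-up     *  02:00:00:00:00:01  02:00:00:00:aa:01                     -   -    wpa2 aes
Feb 13 18:53:11  eap-id-req    <-  02:00:00:00:00:01  02:00:00:00:aa:01                     1   5
Feb 13 18:53:11  eap-id-resp   ->  02:00:00:00:00:01  02:00:00:00:aa:01                     1   22   EXAMPLE\alice
Feb 13 18:53:11  rad-req       ->  02:00:00:00:00:01  02:00:00:00:aa:01                     10  218
Feb 13 18:53:11  rad-resp      <-  02:00:00:00:00:01  02:00:00:00:aa:01/EXAMPLE-NPS server  10  90
Feb 13 18:53:11  eap-req       <-  02:00:00:00:00:01  02:00:00:00:aa:01                     2   6
Feb 13 18:53:11  eap-nak       ->  02:00:00:00:00:01  02:00:00:00:aa:01                     2   6
Feb 13 18:53:11  rad-req       ->  02:00:00:00:00:01  02:00:00:00:aa:01/EXAMPLE-NPS server  11  240
Feb 13 18:53:11  rad-reject    <-  02:00:00:00:00:01  02:00:00:00:aa:01/EXAMPLE-NPS server  11  44
Feb 13 18:53:11  eap-failure   <-  02:00:00:00:00:01  02:00:00:00:aa:01                     2   4    server rejected
Feb 14 09:44:37  eap-start     ->  02:00:00:00:00:02  02:00:00:00:aa:02                     -   -
Feb 14 09:44:37  eap-id-req    <-  02:00:00:00:00:02  02:00:00:00:aa:02                     9   5
Feb 14 09:45:07  eap-id-req    <-  02:00:00:00:00:02  02:00:00:00:aa:02                     9   5
Feb 14 09:45:37  eap-id-req    <-  02:00:00:00:00:02  02:00:00:00:aa:02                     9   5
Feb 14 09:46:07  eap-failure   <-  02:00:00:00:00:02  02:00:00:00:aa:02                     9   4    station timeout
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Columns: timestamp, event, direction, station MAC, BSSID[/server], id, length, note
LINE = re.compile(
    rf"^\s*(?P<ts>\w{{3}}\s+\d+\s+[\d:]{{8}})\s+(?P<event>.+?)\s+(?P<dir>->|<-|\*)\s+"
    rf"(?P<sta>{MAC})\s+(?P<bssid>{MAC})(?:/(?P<server>.*?))?\s+"
    rf"(?P<id>\d+|-)\s+(?P<len>\d+|-)\s*(?P<note>.*)$", re.I)

def fresh():
    return {"nak": False, "unanswered": 0, "identity": None}

def diagnose(text):
    """Return {station_mac: [(verdict, identity, unanswered_id_reqs), ...]}."""
    state, findings = defaultdict(fresh), defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # blank lines and anything not in this layout
        sta, event, note = m["sta"].lower(), m["event"], m["note"].strip()
        s = state[sta]
        if event == "eap-id-req":
            s["unanswered"] += 1          # identity request sent to the station
        elif event == "eap-id-resp":
            s["unanswered"], s["identity"] = 0, note or None
        elif event == "eap-nak":
            s["nak"] = True               # supplicant declined the offered EAP method
        elif event in ("eap-success", "eap-failure"):
            if event == "eap-success":
                verdict = "success"
            elif "station timeout" in note and s["unanswered"]:
                verdict = "supplicant-silent"    # nothing ever reached RADIUS
            elif "server rejected" in note and s["nak"]:
                verdict = "rejected-after-nak"   # check EAP type on client vs. server policy
            else:
                verdict = "failure"
            findings[sta].append((verdict, s["identity"], s["unanswered"]))
            state[sta] = fresh()          # next attempt starts clean
    return dict(findings)

if __name__ == "__main__":
    for sta, results in diagnose(SAMPLE).items():
        print(sta, results)
```

A `supplicant-silent` verdict points at the client side (the request never got an answer, so the RADIUS server has nothing to log), while `rejected-after-nak` points at a mismatch between the EAP method the server offered and what the supplicant is configured to use.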