Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User fails to authenticate the WiFi NPS configuration in server 2012 r2,

  • 1.  User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 09, 2016 05:14 AM

    Hi Team,

    I am setting up a RADIUS server on 2012 R2. I have set up the NPS and the network policies.

    I have an AP215 model on which I have also set up the Enterprise WiFi and RADIUS authentication.

     

     

    Below is the attached error that I get. Kindly can anyone provide me a solution, as I have been working on this for more than 3 weeks now.

     

    Reason Code: 22
    Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.



  • 2.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,



  • 3.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 09, 2016 05:32 AM

    Thanks, but TechNet quick Google search has no solution.

    I have made all my attempts in the last 3 weeks. I am actually looking to have step-by-step instructions to compare with my settings.



  • 4.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,



  • 5.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 09, 2016 12:15 PM

    @ashwin wrote:

    Thanks, but TechNet quick Google search has no solution.

    I have made all my attempts in the last 3 weeks. I am actually looking to have step-by-step instructions to compare with my settings.


    I think this is the most complete step-by-step guide on the internet: https://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/

    Yes, it's Cisco, but it's really easy to replace the RADIUS client with Aruba at this point. Also it's 2008, but 2012 is almost identical.

    Are you specifying "User Authentication" on the endpoint Wi-Fi profile?
    Why are you adding Smart card and PEAP if you plan to do TLS?

    I would personally keep only the minimum required for TLS, which is Smart Card only.

    Please provide pictures of the client Wi-Fi profile config.



  • 6.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 09, 2016 08:34 AM
    What authentication \ encryption options did you enable on the NPS \ constraints tab?





  • 7.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 09, 2016 08:43 AM

    Hi Victor,

    Kindly find the attached screenshots.



  • 8.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 09, 2016 09:03 AM
    Are you planning to use PEAP or TLS for your authentication?

    TLS requires a cert on the wireless devices and the RADIUS server (NPS).

    PEAP only requires a cert on the RADIUS server (NPS).



  • 9.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 09, 2016 09:08 AM

    I believe EAP-TLS is most secure, so I chose the same and configured the WiFi profile on Windows. I also validated the domain certificate on the client machine and the NPS server too.



  • 10.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 09, 2016 09:26 AM
    Perfect, are you testing with a Domain Windows device?


  • 11.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 10, 2016 07:36 AM

    Hi,

    The client machine is connected to the domain; I have an AD environment.

     

    Now I get a different error after some changes:


    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

     

     

     

    Kindly also see my WiFi settings screenshot.

     



  • 12.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    EMPLOYEE
    Posted Aug 10, 2016 07:38 AM

    It should not be TTLS on the client or the NPS server.  It should be PEAP.  You need to look at the NPS step-by-step configuration document linked to before in this thread.



  • 13.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 10, 2016 07:40 AM
    Change it to Smartcard or other certificate



  • 14.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 17, 2016 05:24 AM

    Hi Team,

    I erased all the settings and recreated them. Attached are all the screenshots with the error in Event Viewer.



  • 15.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    EMPLOYEE
    Posted Aug 17, 2016 05:33 AM
    Does your NPS server have a server certificate?


  • 16.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 17, 2016 07:34 AM

    Yes, it does. It already had the Root certificate since the beginning; also, I created another certificate and imported the same in my RADIUS server.



  • 17.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 17, 2016 08:45 AM

    Hi Team,

    I tried to connect to WiFi again, without making any changes, and it came to error code 66; earlier it was 22. Is this a bug on Windows 2012 R2? Does it need any updates?



  • 18.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 17, 2016 09:36 AM

    Your wireless device is not configured properly.

     

    You need to match the authentication options you selected on your NPS policy with the setting on the client wireless profile 

     

    If you are using EAP-TLS you need to select smart card or other certificates as your authentication option.

     

     



  • 19.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 17, 2016 11:38 AM

    I think a bit of theory here will go a long way, because this can get overwhelming when you never did it before.

    EAP-TLS is more complicated to configure than EAP-PEAP, so you should start by configuring EAP-PEAP and test it; when it works, then you move on to EAP-TLS.

    On the NPS side, you shouldn't put all the authentication types (TLS, EAP, PEAP, EAP-MSCHAPv2); you should put only PEAP.

    NPS works as ACLs: it will go from top through bottom and stop on first match. If you put all into 1 entry, you don't really know where it blocks or why. I suggest doing one policy for EAP-PEAP and a new one for EAP-TLS.

    Your client configuration is OK for EAP-PEAP right now (you should also check the "validate server certificate" feature later on when tests are good). If you configured your NPS policy for PEAP correctly, the client you posted should connect fine.

    If you are not sure about client configuration, the best tip I can give you is to use an iPhone, Mac or iPad. They will auto-detect PEAP settings and validate the server cert.

    Cheers,
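
The first-match behaviour described in the post above, as an added example that is not part of the original thread and not NPS code: a simplified Python model of ordered policy evaluation, showing how a broad policy placed first produces reason code 66 for an EAP-TLS client, and how separate policies make the rejecting policy obvious. Policy names, group names and the `evaluate` helper are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    conditions: dict        # request attribute -> required value (simplified)
    eap_methods: frozenset  # methods enabled on the policy's Constraints tab

def evaluate(policies, request):
    """Walk policies top to bottom; the first whose conditions all match decides."""
    for policy in policies:
        if all(request.get(k) == v for k, v in policy.conditions.items()):
            if request["eap"] in policy.eap_methods:
                return ("accept", policy.name, None)
            # Conditions matched but the method is not enabled on this policy:
            # the request is rejected here, later policies are never consulted.
            return ("reject", policy.name, 66)
    return ("reject", None, None)  # no policy matched the request at all

# Constructed policies (names and groups are assumptions for illustration).
WIRELESS = {"nas_port_type": "Wireless-IEEE-802.11"}
catch_all = Policy("Wireless-Any", WIRELESS, frozenset({"PEAP"}))
peap_only = Policy("Wireless-PEAP",
                   {**WIRELESS, "group": "WiFi-Password-Users"},
                   frozenset({"PEAP"}))
tls_only = Policy("Wireless-TLS",
                  {**WIRELESS, "group": "WiFi-Cert-Users"},
                  frozenset({"EAP-TLS"}))

def demo():
    # Constructed requests: the same user, with two different client profiles.
    tls_client = {"nas_port_type": "Wireless-IEEE-802.11",
                  "group": "WiFi-Cert-Users", "eap": "EAP-TLS"}
    ttls_client = {**tls_client, "eap": "EAP-TTLS"}
    return {
        # Broad PEAP-only policy first: it matches and rejects the TLS client.
        "shadowed": evaluate([catch_all, tls_only], tls_client),
        # One policy per method, distinguished by conditions: TLS client accepted.
        "split": evaluate([peap_only, tls_only], tls_client),
        # Client profile set to a method the matching policy does not enable.
        "mismatch": evaluate([peap_only, tls_only], ttls_client),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9} -> {result}")
```

In each rejected case the returned policy name is the one whose method list has to be compared with the client profile.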



  • 20.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 18, 2016 08:59 AM

    Thank you, but still no success. I would like to use some CLI commands using PuTTY to test the connections.

    Does anyone have commands to run and test?



  • 21.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 18, 2016 10:54 AM

    IAP or controller?



  • 22.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 22, 2016 04:59 AM

    Better I get commands for both



  • 23.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,



  • 24.  RE: User fails to authenticate the WiFi NPS configuration in server 2012 r2,

    Posted Aug 09, 2016 09:08 AM
    You can use this video as guidance on how to configure IAP/NPS for PEAP authentication
    http://community.arubanetworks.com/t5/Video/VIDEO-Configuring-Aruba-Instant-802-1x/ta-p/90320