Contributor I
Posts: 43
Registered: ‎06-28-2012

Windows 7 and Radius Auth not working

I have recently configured my 2008 Server to act as a Radius Server for the Aruba 620 Controlled Wireless network we are using. I am able to connect to the wireless using our Active Directory Credentials without any problem using iOS devices and Apple OSX devices, however I am unable to get Windows 7 devices to connect.

 

The w7 computer is a fresh install, on either a Windows native machine, or the bootcamp Partition of a Macbook Pro that was connecting in OSX. When I try to connect on windows, the machine asks for the credentials, and then processes for a few seconds and then reports that "Windows was unable to connect to Faculty (SSID)"

 

I tried running a Windows hotfix that is related to certification errors in W7 but that did nothing to solve the problem. I feel bad constantly coming to THIS forum for help because a lot of my issues with the radius server end up being problems with my Win2008 configuration, however, Technet is just too slow to respond. So those with experience in WinServer Radius Config, I appreciate any help you could offer.

 

I lack an in-depth understanding useful for effective diagnosis of the problem, but this is what I know,

 

-The Wireless Controller is able to successfully authenticate via its Auth Diag

-Apple devices are able to authenticate, and automatically re-authenticate as they re enter network coverage.

-Windows 7 Devices SEE the network

-Windows 7 devices get the AUTH request; they ask for Username, and Password as credentials

-The NPS Event viewer in server 2008 does not show any event associated with a failed authentication.

-If I type a wrong password in intentionally, the NPS server does not log it, it's as though the message is blocked well before.

-The win2008 server is functionally using the Microsoft PEAP authentication type, with MS-CHAPv2 and MS-CHAP enabled.

-The wireless is accessible only to those in the "Faculty" user-group, and again, this works on OSX/iOS, but same credentials fail in W7

 

This is the thread in the Technet forum, that may have some other useful information, but I think I covered most of the same ground here already.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/83ffd300-0f6c-411a-9231-3a0aa7c40250

 

Thanks in advance for any help you are able to render.

Dave

 

 

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Windows 7 and Radius Auth not working

If NPS doesn't show an attempt, check the 'validate server certificate' settings on the Win7 machine. To check this, have the Win7 machine not validate the server certificate to see if it changes anything and if a log entry appears.
------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I
Posts: 43
Registered: ‎06-28-2012

Re: Windows 7 and Radius Auth not working

Thanks for the reply!

 

I tried to configure the wireless connection as you suggested, but I didn't have any success. I may have not done so properly however. Based on what I googled, this is what I did.

 

In my network adapter settings, I manually created a new wireless connection profile, I entered exactly the SSID, the encryption (WPA2 enterprise) EAS, and then I de-selected the "start this connection automatically" box. The next screen confirms the creation of the profile, and allows you to further configure the network. I hit "Change Network Settings" and under the [security] tab I adjusted the settings of the authentication method, which was set to PEAP. There I UNchecked the "Validate server Certificate" box, closed the window and tried to connect.

 

Once I had the network manually added, it would no longer request authentication. There was a box in the configuration settings that is checked by default that said to use the machine credentials, so I unchecked that, but still no Auth Request.


I then added the machine to the domain, hoping that It would use my AD credentials as that checkbox implied, but to no avail.

 

Furthermore, the NPS event viewer seems to be showing no sign of interaction, or attempts to.

 

Thanks again for your reply!

Any further thoughts?

 

I would wonder if the hardware was unable to utilize the WPA2 spec of encryption, but my macbook is able to connect in OSX, but not in Windows, ruling out (?) any hardware issue, or active directory machine access limits...

 

 

Guru Elite
Posts: 19,988
Registered: ‎03-29-2007

Re: Windows 7 and Radius Auth not working

On the command line of the controller, type "show auth-tracebuf mac <mac address of computer>" while it is trying to authenticate to see what is happening.

 

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Windows 7 and Radius Auth not working

Are you testing this from a physical Windows 7 installation as well as the boot camp installation?    If only in boot camp, can you see if you can connect to a WPA2-PSK network on the controller?

 

Lastly, when it comes to Windows 7 settings, try the following:

 

New Wireless Profile
Enter the exact SSID name and choose WPA2-Enterprise/AES

Edit the configuration settings

On the Security Tab

  1. Click Advanced --> Specify Authentication Mode and select User only (for this test).  Click OK
  2. Back on Security Tab, choose PEAP Settings --> Ensure Secured password (EAP-MSCHAP v2) and Uncheck validate server certificate (just for testing this out)
  3. Click Configure (uncheck automatically use my logged in account; to force a logon prompt). Click OK through the prompts.

 

On the controller check the status of the authentication using the show auth-tracebuf mac [MAC]

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I
Posts: 43
Registered: ‎06-28-2012

Re: Windows 7 and Radius Auth not working

Here is the Auth Tracebuf.

Thanks for the help guys.

 

Auth Trace Buffer
-----------------


Aug  6 11:41:46  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
Aug  6 11:41:46  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Aug  6 11:41:46  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Aug  6 11:41:46  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Aug  6 11:41:52  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   15    davidadmin
Aug  6 11:41:52  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          10  183
Aug  6 11:41:57  rad-resp              <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  10  90
Aug  6 11:41:57  eap-req               <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          2   6
Aug  6 11:41:57  eap-resp              ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          2   119
Aug  6 11:41:57  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  11  325
Aug  6 11:41:57  rad-resp              <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  11  1188
Aug  6 11:41:57  eap-req               <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          3   1096
Aug  6 11:41:57  eap-resp              ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          3   6
Aug  6 11:41:57  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  12  212
Aug  6 11:41:57  rad-resp              <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  12  1188
Aug  6 11:41:57  eap-req               <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          4   1096
Aug  6 11:41:57  eap-resp              ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          4   6
Aug  6 11:41:57  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  13  212
Aug  6 11:41:57  rad-resp              <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  13  126
Aug  6 11:41:57  eap-req               <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          5   42
Aug  6 11:42:12  eap-resp              ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          5   17
Aug  6 11:42:12  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  14  223
Aug  6 11:42:12  rad-reject            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  14  44
Aug  6 11:42:12  eap-failure           <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          5   4     server rejected
Aug  6 11:42:12  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Aug  6 11:42:12  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
Aug  6 11:42:12  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Aug  6 11:42:12  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Aug  6 11:42:12  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Aug  6 11:42:12  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -

 

I'm going to take a wild guess and say that "server rejected" has something to do with my problem...

Guru Elite
Posts: 19,988
Registered: ‎03-29-2007

Re: Windows 7 and Radius Auth not working

Yes...  That looks like it..

Colin Joseph
Aruba Customer Engineering

Contributor I
Posts: 43
Registered: ‎06-28-2012

Re: Windows 7 and Radius Auth not working

Does this mean that the Aruba controller and the setup configuration is NOT the problem? The problem lies in the configuration of the Radius Server? I am sorry for being so dense, but I want to make sure that I am interpreting this result properly so I know where to focus my efforts.

 

Thank you guys a ton. This forum has been of critical assistance and I really really appreciate it.

Guru Elite
Posts: 19,988
Registered: ‎03-29-2007

Re: Windows 7 and Radius Auth not working

It means that the Radius server is rejecting the connection, and the log on the Radius server has the answer about why.  You will get your direction from the logs on the Radius server.

 

Colin Joseph
Aruba Customer Engineering
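
Added example (not part of the original thread and not Aruba tooling): a small Python parser that splits "show auth-tracebuf" output like the trace posted above into attempts and reports which hop ended each one. The column layout, the verdict names and the reading of the "/Phoenix" suffix as the RADIUS server name are assumptions taken from the posted trace; the sample is abridged from it.

```python
import re
from collections import Counter

# Constructed sample: abridged from the trace posted in this thread.
SAMPLE = """\
Aug  6 11:41:46  station-up    *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
Aug  6 11:41:46  eap-id-req   <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Aug  6 11:41:52  eap-id-resp  ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   15    davidadmin
Aug  6 11:41:52  rad-req      ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          10  183
Aug  6 11:41:57  rad-resp     <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  10  90
Aug  6 11:42:12  rad-req      ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  14  223
Aug  6 11:42:12  rad-reject   <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  14  44
Aug  6 11:42:12  eap-failure  <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          5   4     server rejected
Aug  6 11:42:12  station-down  *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Aug  6 11:42:12  station-up    *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
Aug  6 11:42:12  eap-id-req   <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Aug  6 11:42:12  station-down  *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
"""

# Assumed layout: timestamp, event, direction, client MAC, BSSID[/server], id, len, note.
LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<event>[\w-]+)\s+(?:<-|->|\*)\s+"
    r"(?P<mac>[0-9a-f:]{17})\s+(?P<bssid>[0-9a-f:]{17})(?:/(?P<server>\S+))?"
    r"\s+(?P<id>\S+)\s+(?P<len>\S+)\s*(?P<note>.*)$", re.I)

def parse(text):
    """Split a trace into attempts; every station-up starts a new one."""
    sessions = []
    for m in filter(None, (LINE.match(l.strip()) for l in text.splitlines())):
        if m["event"] == "station-up" or not sessions:
            sessions.append([])
        sessions[-1].append(m.groupdict())
    return sessions

def diagnose(session):
    """Return (verdict, servers seen) using only the event names in the trace."""
    n = Counter(e["event"] for e in session)
    servers = sorted({e["server"] for e in session if e["server"]})
    if n["rad-reject"]:
        return "server-rejected", servers      # reason is in the RADIUS server's log
    if n["rad-req"] > n["rad-resp"]:
        return "radius-no-response", servers   # request sent, no reply recorded
    if not n["eap-id-resp"]:
        return "client-silent", servers        # client never answered the identity request
    return "incomplete", servers

for s in parse(SAMPLE):
    print(diagnose(s))
```

On the abridged trace the first attempt comes back as server-rejected with replies recorded from "Phoenix", and the second ends before the client sends an identity response.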

Occasional Contributor II
Posts: 13
Registered: ‎10-31-2012

Re: Windows 7 and Radius Auth not working

Hi, I'm having the exact same issue here. Did you solve this and does anyone have any more additional information?

Thanks.