Can you please confirm what type of authentication we are trying to accomplish here? EAP-TLS or EAP-PEAP.
Are we terminiating the EAP on the controller? If yes, we need to install the server cert and trusted-ca on the controller.
If no, we need to make sure NPO contains the right authentication type which includes one of the authentication method which client trying to negotiate with the valid cert present on radius.
From the security logs on the NPS server, we need to make sure client is getting the right policy which we are expecting.
Below debugging woud give more info about the communcition between the controller and the server.
From the config mode,
logging level debugging security process authmgr
logging level debuging security subcat aaa
We amy need to disable the debugigng once we found the root cause or done with the troubleshooting to avoid the authmgr module busy on the controller if we have more volume dialing in to the controller.
You can also email me at srirams@arubanetworks.com with the above debugging enabled to look at the issue.
show auth-tracebuf will also provide more information about the client communication against radius server to see where it stops.
Thanks & Regards,
Sriram Subramanian
Technical Support Engineer
srirams@arubanetworks.com
408.585.1928