Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Windows NPS server public certificate problem

  • 1.  Windows NPS server public certificate problem

    Posted Jul 08, 2013 12:18 PM

    I have gone through searching the sites and don't seem to find an answer to this. There are a few discussions, but they are not clear or direct to my problem.

     

    We are implementing 802.1x authentication with Windows NPS servers. If we choose to use a Windows private AD certificate, users (both PC and Mac) are able to authenticate, except you have to either ignore validate certificate or add a private certificate to the keychain. But as soon as I switched to a public CA (I got two free trials from rapidssl.com and geocerts.com, single certs, not SAN or wildcard), I got error messages on NPS as "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

     

    From the Aruba user-debug log, it shows the user was authenticated successfully for a few seconds and failed right after.

     

    Any help would be much appreciated. Do I need to upgrade to a high-end certificate like VeriSign?

     

    zhangy



  • 2.  RE: Windows NPS server public certificate problem

    Posted Jul 08, 2013 12:55 PM

    Can you please confirm what type of authentication we are trying to accomplish here? EAP-TLS or EAP-PEAP.

    Are we terminating the EAP on the controller? If yes, we need to install the server cert and trusted-ca on the controller.

    If no, we need to make sure NPS contains the right authentication type, which includes one of the authentication methods which the client is trying to negotiate, with the valid cert present on RADIUS.

     

    From the security logs on the NPS server, we need to make sure client is getting the right policy which we are expecting.

     

    The debugging below would give more info about the communication between the controller and the server.

     

    From the config mode,

     

    logging level debugging security process authmgr

    logging level debugging security subcat aaa

     

    We may need to disable the debugging once we have found the root cause or are done with the troubleshooting, to avoid keeping the authmgr module busy on the controller if we have more volume dialing in to the controller.

     

    You can also email me at srirams@arubanetworks.com with the above debugging enabled to look at the issue.

     

    show auth-tracebuf will also provide more information about the client communication against radius server to see where it stops.

     

     

    Thanks & Regards,

    Sriram Subramanian

    Technical Support Engineer

    srirams@arubanetworks.com

    408.585.1928




  • 3.  RE: Windows NPS server public certificate problem

    Posted Jul 08, 2013 02:44 PM

    Thanks much for your call. We found the issue with the cert on the RADIUS server, where no private key is attached to the cert; hence we are getting the error message "server reject messages on controller". Please kindly let me know if we still have issues.

     

    Regards

    Sriram Subramanian

    Technical Support Engineer

    srirams@arubanetworks.com

    408.585.1928



  • 4.  RE: Windows NPS server public certificate problem

    Posted Jul 10, 2013 10:00 AM

    You are right, Sriram. After I re-installed a new certificate (rapidssl.com), it works out fine for both PC and Mac. Thanks for the help.

     

    Yong



  • 5.  RE: Windows NPS server public certificate problem

    Posted Jul 10, 2013 10:35 AM

    Hi Yong,

    Good news and thanks for the update. Please feel free to get back to us for any help you need.

     

    Thank you,

    Sriram S

    Technical Support Engineer

    srirams@arubanetworks.com
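
The root cause found in this thread (a server certificate on the RADIUS server with no private key attached) can be checked directly on the Windows NPS host. The PowerShell below is an added example, not part of the original posts; it assumes the NPS certificate is in the Local Computer Personal store (Cert:\LocalMachine\My) and that it is run in an elevated session on that server.

```powershell
# Added example: list certificates in the machine store that could serve as the
# NPS (PEAP/EAP-TLS) server certificate and flag those without a private key.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Locate the Enhanced Key Usage extension, if the certificate has one.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }

    # A certificate with no EKU extension is not restricted to specific purposes.
    $serverAuth = if ($ekuExt) {
        @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid
    } else {
        $true
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        ServerAuth    = $serverAuth
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
    }
}

# Every candidate server certificate, with the private-key status visible.
$report | Where-Object { $_.ServerAuth } |
    Format-Table Subject, NotAfter, HasPrivateKey, InValidity, Thumbprint -AutoSize

# Candidates that the server cannot use: public part only, or outside validity.
$unusable = @($report | Where-Object {
    $_.ServerAuth -and (-not $_.HasPrivateKey -or -not $_.InValidity)
})
foreach ($c in $unusable) {
    Write-Warning ("Unusable for EAP: {0} (HasPrivateKey={1}, InValidity={2}, Thumbprint={3})" -f `
        $c.Subject, $c.HasPrivateKey, $c.InValidity, $c.Thumbprint)
}
```

A certificate that shows HasPrivateKey = False was imported as the public part only, which matches the condition described in post 3.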