Occasional Contributor II
Posts: 13
Registered: ‎09-20-2011

Windows NPS server public certificate problem

I have gone through searching the sites and don't seem to find an answer to this.  There are a few discussions but not clear or direct to my problem.

 

We are implementing 802.1x authentication with Windows NPS servers.  If we choose to use a Windows private AD certificate, users (both PC and Mac) are able to authenticate, except you have to either ignore certificate validation or add a private certificate to the keychain.  But as soon as I switched to a public CA (I got two free trials from rapidssl.com and geocerts.com, single certs, not SAN or wildcard), I got error messages on NPS as "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

 

From Aruba user-debug log, it shows the user was authenticated successfully for a few seconds and failed right after.

 

Any help would be much appreciated.   Do I need to upgrade to high end certificate like verisign?

 

zhangy

Aruba
Posts: 233
Registered: ‎11-19-2009

Re: Windows NPS server public certificate problem

Can you please confirm what type of authentication we are trying to accomplish here? EAP-TLS or EAP-PEAP.

Are we terminating the EAP on the controller? If yes, we need to install the server cert and trusted-ca on the controller.

If no, we need to make sure NPO contains the right authentication type, which includes one of the authentication methods which the client is trying to negotiate, with the valid cert present on RADIUS.

 

From the security logs on the NPS server, we need to make sure client is getting the right policy which we are expecting.

 

The debugging below would give more info about the communication between the controller and the server.

 

From the config mode,

 

logging level debugging security process authmgr

logging level debugging security subcat aaa

 

We may need to disable the debugging once we have found the root cause or are done with the troubleshooting, to avoid keeping the authmgr module busy on the controller if we have more volume dialing in to the controller.

 

You can also email me at srirams@arubanetworks.com with the above debugging enabled to look at the issue.

 

show auth-tracebuf will also provide more information about the client communication against radius server to see where it stops.

 

 

Thanks & Regards,

Sriram Subramanian

Technical Support Engineer

srirams@arubanetworks.com

408.585.1928

Aruba
Posts: 233
Registered: ‎11-19-2009

Re: Windows NPS server public certificate problem

Thanks much for your call. We found the issue with the cert on the RADIUS server, where there is no private key attached to the cert; hence we are getting the error message "server reject messages on controller". Please kindly let me know if we still have issues.

 

Regards

Sriram Subramanian

Technical Support Engineer

srirams@arubanetworks.com

408.585.1928
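
The root cause found in this thread, a server certificate installed without its private key, can be checked on the NPS server before a network policy is pointed at a newly imported certificate. The PowerShell below is an added example, not part of the original posts; the function name `Test-NpsServerCertificate` is hypothetical, and it assumes the certificate was imported into the computer's Personal store (`Cert:\LocalMachine\My`).

```powershell
# Added example: list certificates in the local computer store and flag the
# ones NPS cannot use as a PEAP / EAP-TLS server certificate.
# Assumption: run on the NPS server in an elevated PowerShell session.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-NpsServerCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Collect the EKU OIDs straight from the certificate extensions.
        $ekuOids = @(
            foreach ($ext in $Certificate.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
                }
            }
        )

        $problems = @()
        # The failure from this thread: the certificate was installed from the
        # CA's response alone, so no private key is associated with it.
        if (-not $Certificate.HasPrivateKey) { $problems += 'no private key' }
        if ($ekuOids -notcontains $ServerAuthOid) { $problems += 'no Server Authentication EKU' }
        $now = Get-Date
        if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
            $problems += 'outside validity period'
        }

        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Issuer     = $Certificate.Issuer
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-NpsServerCertificate |
    Sort-Object -Property Usable -Descending |
    Format-Table -AutoSize -Wrap
```

A certificate reported with `no private key` was usually installed on a machine other than the one that generated the request, or imported from a `.cer` file rather than by completing the pending request or importing a PFX.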

Occasional Contributor II
Posts: 13
Registered: ‎09-20-2011

Re: Windows NPS server public certificate problem

You are right, Sriram.  After I re-installed a new certificate (rapidssl.com), it works out fine for both PC and Mac.  Thanks for the help.

 

Yong

Aruba
Posts: 233
Registered: ‎11-19-2009

Re: Windows NPS server public certificate problem

Hi Yong,

Good news and thanks for the update. Please feel free to get back to us for any help you need.

 

Thank you,

Sriram S

Technical Support Engineer

srirams@arubanetworks.com

 
