Occasional Contributor I

802.1x Authentication with Microsoft NPS

Hi,

In my current environment, I have a 3Com wireless controller set up as a RADIUS client to a Windows 2008 NPS. I have configured the necessary policy in my NPS to allow authentication via MSCHAPv2.

My existing wireless users have no issue logging in via 802.1x by supplying domain user name and password without any certificate requirement.

I've just purchased an Aruba Controller. I have configured the controller as a RADIUS client to the same NPS. Configured an SSID to use 802.1x on the Aruba controller.

When I try to connect to the Aruba wireless, the connection is unsuccessful. In the event log on my NPS server, the error is as follows:

Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Whereas for users connecting via the 3Com Controller, the event log shows MSCHAPv2 as the Authentication.

Am I missing any configuration on the Aruba to support MSCHAPv2?

Guru Elite

Re: 802.1x Authentication with Microsoft NPS

There should not be a difference. The EAP type is configured on the clients and the RADIUS server, not the WLC. Please make sure that your authentication requests are hitting the same policy on the NPS server and that there are no rules specific to the IP address of the 3Com controller.

Colin Joseph
Aruba Customer Engineering

Aruba

Re: 802.1x Authentication with Microsoft NPS

Please make sure you have selected PEAP-MSCHAPv2, not MSCHAPv2, as a supported authentication method in your NPS policy.

nps-eap-mschap.png

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I

Re: 802.1x Authentication with Microsoft NPS

Oh, my current policy is using MSCHAPv2. With PEAP-MSCHAPv2, I have to install a CA, right?


Guru Elite

Re: 802.1x Authentication with Microsoft NPS

You need a server certificate.

It can be either private or publicly signed.

The downside with a privately signed certificate is you need to distribute the CA certificate to all of the devices.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: 802.1x Authentication with Microsoft NPS

Appreciate the reply. There is no other way to work around this? With my current wireless controller, I don't have to install any certs on my clients. My users just need to supply domain user and password.

Guru Elite

Re: 802.1x Authentication with Microsoft NPS

Can you show us either a config snippet or a screenshot of the 3com authentication configuration?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: 802.1x Authentication with Microsoft NPS

Here's the 802.1x policy on my 3Com controller

Screen Shot 2014-09-19 at 11.51.35 pm.png
Screen Shot 2014-09-19 at 11.51.50 pm.png
Screen Shot 2014-09-19 at 11.52.46 pm.png

Guru Elite

Re: 802.1x Authentication with Microsoft NPS

OK, so your controller likely has a certificate built in and your clients are probably configured to not validate the server certificate. 


You can do a similar setup by using a self-signed certificate in NPS, but this is VERY, VERY insecure and can put your users' credentials in jeopardy.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
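
An added example, not part of the thread or of any poster's configuration: a Python check that reads the EAP section of a Windows WLAN profile (as exported with `netsh wlan export profile`) and reports the client-side settings discussed above that leave PEAP-MSCHAPv2 credentials exposed. The sample XML is constructed and simplified, elements are matched by local name only, and the thumbprint and server name are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified EAP section of an exported WLAN profile.
# Real exports carry more elements and nest some of these differently.
TEMPLATE = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
 <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
  <Type>25</Type>
  <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
   <ServerValidation>
    <DisableUserPromptForServerValidation>{noprompt}</DisableUserPromptForServerValidation>
    <ServerNames>{names}</ServerNames>{root}
   </ServerValidation>
   <Eap><Type>26</Type></Eap>
   <PerformServerValidation>{validate}</PerformServerValidation>
  </EapType>
 </Eap></Config>
</EapHostConfig>"""

def sample(validate, root_ca, names, noprompt):
    """Build a constructed profile; root_ca='' omits the TrustedRootCA element."""
    root = f"\n    <TrustedRootCA>{root_ca}</TrustedRootCA>" if root_ca else ""
    return TEMPLATE.format(validate=validate, root=root, names=names, noprompt=noprompt)

def audit_peap_profile(xml_text):
    """Return findings about server certificate validation in a PEAP profile."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        values.setdefault(name, []).append((el.text or "").strip().lower())
    if "25" not in values.get("Type", []):        # EAP type 25 is PEAP
        return ["not a PEAP profile"]
    findings = []
    if "false" in values.get("PerformServerValidation", []):
        findings.append("server certificate validation is disabled")
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no trusted root CA is pinned")
    if not any(values.get("ServerNames", [])):
        findings.append("no RADIUS server name is pinned")
    if "true" not in values.get("DisableUserPromptForServerValidation", []):
        findings.append("users may be prompted to trust an unknown server")
    return findings

# Profile like the one described in the thread: validation switched off.
WEAK = sample("false", "", "", "false")
# Hardened profile; thumbprint and server name are placeholders.
STRONG = sample("true", "PLACEHOLDER-THUMBPRINT", "nps01.example.internal", "true")

if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("hardened", STRONG)):
        print(label, audit_peap_profile(profile) or "ok")
```
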
Occasional Contributor I

Re: 802.1x Authentication with Microsoft NPS

Hi Tim,

You are right, on the client side, we disable the "validate server certificate" option.

Are you able to share how I can use a self-signed certificate in NPS? I will also give feedback to my management about the security risk of using a self-signed cert and let them decide which option they prefer.