Wireless Access

Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: 802.1x Authentication with Microsoft NPS


You have a couple of options. You can set up a self-signed certificate for NPS or you can terminate EAP on the Aruba controller (similar to how your current setup is). I recommend you put the certificate on NPS if you can. Either way, Tim's comment about validation needs to be addressed.

 

There are many ways to create a self-signed certificate for Windows. I sometimes use the makecert.exe utility (attached) or OpenSSL (link below). If you run the makecert command on the NPS server with the following syntax (edit as you need to), it will install the certificate with private key into the Computer store on the server. You'll then need to change your authentications to only include Microsoft Protected EAP with MSCHAP-v2 as your inner authentication method in your NPS policy.

 

makecert.exe -n "CN=server.domain.com" -len 2048 -sr LocalMachine -ss my -r -pe -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -b 09/19/2014 -e 01/01/2024

 

-----------------------------------

 

There is also a procedure available here using openssl:

http://wifinigel.blogspot.com/2014/03/microsoft-nps-as-radius-server-for-wifi_15.html

 

-----------------------------------

 

You can also terminate EAP on the controller in the 802.1X authentication profile associated with that AAA profile.   This will use the certificate on the controller. 

 

 

[Screenshot: aos-dot1x-term-mschap.png]

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
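
A check that can be run on the NPS server after the makecert command in the post above, as an added example that is not part of the original post: it confirms the certificate in the Computer store has its private key, is inside its validity dates, carries the Server Authentication EKU and has an RSA key of at least the 2048 bits requested with -len. The function name Test-NpsCertificate and the default subject are assumptions for illustration.

```powershell
# Added example: audit the server certificate that NPS will present for PEAP.
# $Subject mirrors the CN used in the makecert command; change it to match yours.
param([string]$Subject = 'CN=server.domain.com')

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # same OID that was passed to makecert -eku
$MinKeyBits    = 2048                  # same size that was passed to makecert -len

function Test-NpsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # Without the private key the server cannot complete the TLS handshake inside PEAP.
    if (-not $Cert.HasPrivateKey) { $problems += 'private key not present in the store' }

    # Clients that validate the server certificate reject one outside its dates.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "outside validity period ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }

    # Collect the EKU OIDs; the certificate may have no EKU extension at all.
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $ekuExt  = $Cert.Extensions | Where-Object { $_ -is $ekuType }
    $oids    = @()
    if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($oids -notcontains $ServerAuthOid) { $problems += 'Server Authentication EKU missing' }

    # GetRSAPublicKey returns $null for non-RSA keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($null -eq $rsa) { $problems += 'public key is not RSA' }
    elseif ($rsa.KeySize -lt $MinKeyBits) { $problems += "RSA key is only $($rsa.KeySize) bits" }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint   # record this when configuring client-side validation
        NotAfter   = $Cert.NotAfter
        Problems   = if ($problems) { $problems -join '; ' } else { 'none' }
    }
}

$found = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
if ($found.Count -eq 0) { Write-Warning "No certificate with subject '$Subject' in LocalMachine\My" }
$found | ForEach-Object { Test-NpsCertificate -Cert $_ } | Format-List
```

Because the certificate is self-signed, clients only trust it once it has been distributed to them; the thumbprint printed here identifies which certificate that is.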

Occasional Contributor I
Posts: 7
Registered: ‎09-18-2014

Re: 802.1x Authentication with Microsoft NPS

Hi Chris,

 

Thank you so much. I've tested with the "termination" method and also with the certificate for PEAP. Both work perfectly.

 

For now I will enable both. The termination method to allow my current users to transition to the Aruba controller smoothly. I have also created another SSID that is more secure. This will allow us to configure my users in batches. We will eventually phase out the old SSID.

 

Thanks again.

Kee Wee

 

 

Occasional Contributor I
Posts: 7
Registered: ‎09-18-2014

Re: 802.1x Authentication with Microsoft NPS

Hi Tim,

 

Thank you so much for the advice. I have set up another SSID with PEAP. Will migrate my users to this new SSID.

 

Kee Wee

 
