09-18-2014 10:15 PM
In my current environment, I have a 3Com wireless controller set up as a RADIUS client to a Windows 2008 NPS. I have configured the necessary policy in my NPS to allow authentication via MSCHAPv2.
My existing wireless users have no issue logging in via 802.1x by supplying domain user name and password without any certificate requirement.
I've just purchased an Aruba Controller. I have configured the controller as a RADIUS client to the same NPS and configured an SSID to use 802.1x on the Aruba controller.
When I try to connect to the Aruba wireless, the connection is unsuccessful. In the event log on my NPS server, the error is as follows:
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
Whereas for users connecting via the 3Com Controller, the event log shows MSCHAPv2 as the Authentication.
Am I missing any configuration on the Aruba to support MSCHAPv2?
09-19-2014 02:45 AM - edited 09-19-2014 03:01 AM
There should not be a difference. The EAP type is configured on the clients and the RADIUS server, not the WLC. Please make sure that your authentication requests are hitting the same policy on the NPS server and that there are no rules specific to the IP address of the 3Com controller.
Aruba Customer Engineering
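One way to do the comparison suggested in the reply above, added here as an example that is not part of the original thread: parse NPS event text in the "Field: value" layout quoted in the question and report, per RADIUS client, which policy matched and whether Reason Code 22 was logged. The sample events, the client and policy names, and the "Client Friendly Name" and "Network Policy Name" fields are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two NPS event bodies, one per controller.
# Names are made up; only the fields this check needs are included.
SAMPLE_EVENTS = """\
Client Friendly Name: 3com-wlc
Network Policy Name: Wireless-Users
Authentication Type: MSCHAPv2
EAP Type: -

Client Friendly Name: aruba-wlc
Network Policy Name: Wireless-Users
Authentication Type: EAP
EAP Type: -
Reason Code: 22
Reason: The client could not be authenticated because the EAP Type cannot be processed by the server.
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):\s*(.*?)\s*$")

def parse_events(text):
    """Split on blank lines and return one {field: value} dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            events.append(fields)
    return events

def summarize(events):
    """Per RADIUS client: policies matched, auth types seen, reason codes."""
    out = defaultdict(lambda: {"policies": set(), "auth": set(), "reasons": set()})
    for ev in events:
        entry = out[ev.get("Client Friendly Name", "?")]
        entry["policies"].add(ev.get("Network Policy Name", "?"))
        entry["auth"].add(ev.get("Authentication Type", "?"))
        code = ev.get("Reason Code", "")
        if code.isdigit():  # events without a reason code contribute none
            entry["reasons"].add(int(code))
    return dict(out)

def eap_mismatch(summary):
    """Clients rejected with Reason Code 22 (EAP type cannot be processed)."""
    return sorted(c for c, s in summary.items() if 22 in s["reasons"])

if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_EVENTS))
    for client, s in summary.items():
        print(client, sorted(s["policies"]), sorted(s["auth"]), sorted(s["reasons"]))
    print("Reason Code 22 from:", eap_mismatch(summary))
```

In the constructed sample both controllers match the same policy, so the difference is the authentication type the request arrives with, not a rule tied to one controller.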
09-19-2014 07:48 AM
Please make sure you have selected PEAP-MSCHAPv2, not MSCHAPv2, as a supported authentication method in your NPS policy.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
09-19-2014 08:41 AM
09-19-2014 08:45 AM
Appreciate the reply. There is no other way to work around this? With my current wireless controller, I don't have to install any certs on my clients. My users just need to supply domain user and password.
09-19-2014 08:47 AM
09-19-2014 08:57 AM
OK, so your controller likely has a certificate built in and your clients are probably configured to not validate the server certificate.
You can do a similar setup by using a self-signed certificate in NPS, but this is VERY, VERY insecure and can put your users' credentials in jeopardy.
09-19-2014 09:02 AM
You are right, on the client side, we disable the "validate server certificate" option.
Are you able to share how I can use a self-signed certificate in NPS? I will also feed back to my management about the security risk of using a self-signed cert and let them decide which option they prefer.