MVP
Posts: 1,412
Registered: ‎11-30-2011

Aruba and Windows 2008 NPS issue

I'm following the guide below:

http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/

 

But for some reason the machine accounts don't want to pass authentication. Is there anything to check for what might cause this? The NPS log shows the Network Policy doesn't match the Wireless Security one, but that computer is certainly in that group.

Retired Employee
Posts: 234
Registered: ‎04-19-2011

Re: Aruba and Windows 2008 NPS issue

Could you please provide the Event ID from the NPS logs, or post the entire log from NPS.

--
HT
Contributor II
Posts: 61
Registered: ‎02-20-2012

Re: Aruba and Windows 2008 NPS issue

I think you hit the Windows 2008 R2 known issue. The first time you install Certification Authority and Network Policy and Access Services, the policy points to the CA certificate, not to a server certificate, which is what should be used for 802.1X authentication. Please refer to the statement in bold.

 

Here I am going to explain required steps for Windows 2008 R2 server:

 

1. On Active Directory or any member server (a server joined to the domain), install Active Directory Certificate Services

   On Server Manager click Add Roles

   Click Next to continue

   Choose Active Directory Certificate Services and click Next

   Click Next to continue

   Click Certification Authority and click Next

   Click Enterprise and click Next (Note: You need Windows 2008 R2 Enterprise version to choose Enterprise. If you have Windows 2008 R2 standard, you can only choose standalone)

   Click Root CA and click Next

   Choose Create a new private key and click Next

    Keep the default values (RSA#Microsoft Software Key Storage Provider, 2048, SHA1) and click Next

   Keep the common name as displayed and click Next

   Set Validity period (5 Years for CA) and click Next

   Keep default values and click Next

   Confirm the setting values and click Install.

 

2. On Active Directory or any member server (a server joined to the domain), install Network Policy and Access Services

    On the Server Manager screen click Add Roles

    Click Next to continue

    Click Network Policy and Access Services and click Next

    Click Next to continue

    Select Network Policy Server and click Next

    Click Install to install Network Policy and Access Services

    On the Server Manager screen, open the left pane and click on NPS (Local). On the Getting Started screen, choose RADIUS server for 802.1X Wireless or Wired Connections and click Configure 802.1X

    Choose Secure Wireless Connections. Leave the default name "Secure Wireless Connections" and click Next.

    Click Add to add RADIUS client.

    On the New RADIUS Client screen, type in the wireless controller's friendly name and IP address. Click the Manual radio button and type in the shared secret. The shared secret must match the one on the wireless controller. [NOTE: Even if you specify a loopback IP address on the Aruba controller, you should specify the interface IP address here. For example, if your VLAN interface IP is 192.168.1.100 and the loopback (controller IP) is 192.168.1.101, you still need to specify 192.168.1.100 here. You can confirm which IP address tries to speak to the Windows 2008 R2 RADIUS server by capturing a Wireshark trace. Filter on TCP 1812 to narrow the captured packets.]

     Choose Microsoft PEAP. [Note: This article only covers PEAP. EAP-TLS is another option.]

     Choose the certificate "servername.domainname". "domainname-servername-CA" is the CA certificate, and a CA certificate cannot be used for 802.1X. If you only see the CA certificate in the window, you need to create a server certificate manually. This is a Windows 2008 R2 known issue. Please refer to Windows Server TechCenter - Windows Server forums - Network Access Protection - "Having Issues getting PEAP with EAP-MSCHAP v2 working on Windows 2008 R2", and follow Mr. Greg Lindsay's "Try this:" step (Friday, April 22, 2011, 5:44pm) to re-issue a certificate.

 

     Specify user groups such as domainname\Domain Users. [Note: If a user cannot be authenticated, you need to set Allow on each user's dial-in profile]

 

     Configure Traffic Controls - click Next.

     Click Finish to create the NPS policy.

 

     Aruba controller setting:

 

     Configuration - Security - Authentication - Server Group and add a new server group "Win2008"

     Configuration - Security - Authentication - RADIUS Server and add a new RADIUS server "Win2008RADIUS"

     In the Win2008RADIUS settings, type in the Host IP (the Windows 2008 server's IP address). Type in the key, which must match the one in the Windows 2008 RADIUS client entry. Click Apply.

     Go back to the server group Win2008 and under Servers click New. Choose Win2008RADIUS and click Add Server. Click Apply.

     Now you can test RADIUS authentication. Diagnostics - Network - AAA Test Server - choose Win2008RADIUS as the server name. Choose MSCHAPv2. Type in a Windows Active Directory user and password and click Begin Test. If the test is successful, your RADIUS configuration is right. If you set up a Wireshark trace, you can observe the RADIUS request and RADIUS accept (TCP 1812) in the trace.
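The NPS-side part of the procedure above, scripted. This is an added example for this thread, not code from the post or from Aruba or Microsoft. It assumes an elevated PowerShell session on the Windows 2008 R2 NPS server (PowerShell 2.0 syntax, netsh instead of the later NPS cmdlets); the controller IP 192.168.1.100 and the client name "Aruba-Controller" are placeholders taken from the post's example. The first part tells the CA certificate and the server certificate apart by their extensions, which is the distinction the post says the wizard gets wrong; the second part registers the controller as a RADIUS client.

```powershell
# Added example (not from the thread). Run elevated on the NPS server.
# Placeholders: controller IP 192.168.1.100, RADIUS client name "Aruba-Controller".

$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth: the EKU PEAP requires

# 1. Inventory the machine store and flag which certificate PEAP can actually use.
#    The CA certificate ("domainname-servername-CA") carries BasicConstraints CA=TRUE
#    and is not a valid choice. A usable one is a non-CA certificate with a private
#    key and the Server Authentication EKU, issued to the NPS host's FQDN.
$inventory = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        Select-Object -First 1
    $isCa = if ($bc) { [bool]$bc.CertificateAuthority } else { $false }

    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $hasServerAuth = $false
    if ($eku) {
        # Where-Object yields nothing when the OID is absent, so [bool] gives $false
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthEku })
    }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        IsCA          = $isCa
        ServerAuthEKU = $hasServerAuth
        HasPrivateKey = $cert.HasPrivateKey
        UsableForPEAP = ((-not $isCa) -and $hasServerAuth -and $cert.HasPrivateKey)
    }
}
$inventory | Format-Table Subject, IsCA, ServerAuthEKU, HasPrivateKey, UsableForPEAP, NotAfter -AutoSize

# 2. Register the controller as a RADIUS client. NPS matches clients by source IP,
#    so the address must be the interface the controller really sends from (the VLAN
#    interface in the post's example, not the loopback); requests from an unknown
#    source IP are discarded before any policy is evaluated.
$controllerIp = '192.168.1.100'
$secret = Read-Host -Prompt 'RADIUS shared secret (must match the Aruba server entry)'
netsh nps add client name="Aruba-Controller" address="$controllerIp" state="enable" sharedsecret="$secret"
netsh nps show client
```

If the table shows only a row with IsCA = True, you are in the situation the post describes: the wizard has nothing but the CA certificate to offer, and a server certificate has to be issued to the NPS host before the PEAP policy can be pointed at it.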

    

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Aruba and Windows 2008 NPS issue


boneyard wrote:

I'm following the guide below:

http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/

 

But for some reason the machine accounts don't want to pass authentication. Is there anything to check for what might cause this? The NPS log shows the Network Policy doesn't match the Wireless Security one, but that computer is certainly in that group.



If your computers do not match the policy, please make sure that if you have Windows Groups, it only has the group "Domain Computers". The computer will not match if it has "Domain Computers" and "Domain Users". Create a separate policy, exactly the same but with only Domain Computers, and see if it solves the problem.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: Aruba and Windows 2008 NPS issue

Thanks all, I'll come back with the full event log messages.

 

mike: I'm running Win 2008 R2 SP1, so it could be. But wouldn't that already cause an issue with 802.1X user authentication? That certificate isn't only used for machine authentication, right?

 

cjoseph: Wouldn't it work if I configure User Groups\Domain Users OR User Groups\Domain Computers? Then it can hit on either computer or user.

 

 

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Aruba and Windows 2008 NPS issue


boneyard wrote:

Thanks all, I'll come back with the full event log messages.

 

mike: I'm running Win 2008 R2 SP1, so it could be. But wouldn't that already cause an issue with 802.1X user authentication? That certificate isn't only used for machine authentication, right?

 

cjoseph: Wouldn't it work if I configure User Groups\Domain Users OR User Groups\Domain Computers? Then it can hit on either computer or user.

 

 



I believe those conditions are AND, not or...



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 61
Registered: ‎02-20-2012

Re: Aruba and Windows 2008 NPS issue

>mike: I'm running Win 2008 R2 SP1, so it could be. But wouldn't that already cause an issue with 802.1X user authentication? That certificate isn't only used for machine authentication, right?

 

I am not sure if you are already using the certificate for wired 802.1X authentication. Even if the certificate itself is used for another purpose, the NPS policy should point to the right certificate.

If you look at NPS (Local) - Policies - Network Policies, click on the policy that you have created for 802.1X wireless (the default name is Secure Wireless Connections), choose Properties, and click on Authentication Methods. You will see the EAP type in the window. Click on the EAP type (in my case the EAP type is PEAP). The certificate name should be servername.domainname, such as server.test.local. If the certificate is the CA certificate (xxxxx-xxxxx-CA), PEAP does not work.

 

When I had an 802.1X authentication problem, like the other authors mentioned, I obtained the NPS return code from the NPS log.

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: Aruba and Windows 2008 NPS issue

cjoseph, see the attached file nps2008-domain-users-computers.png. It makes me believe that it is an OR and not an AND, right?

 

mike, see the attached file nps2008-certificate.png. I believe I'm using the correct certificate, not the CA one, right?

 

Below is an example log entry for a machine authentication request that fails (access denied). This happens because the wrong network policy is selected: not Secure Wireless Connections but Connections to other access servers. I have double-checked and the computer is in the Domain Computers group.

 

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			BRT\TLT-04$
	Account Name:			host/tlt-04.brt.loc
	Account Domain:			BRT
	Fully Qualified Account Name:	brt.loc/Computers/TLT-04

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		D8C7C8C8EF71
	Calling Station Identifier:		0019D2AF162C

NAS:
	NAS IPv4 Address:		192.168.20.128
	NAS IPv6 Address:		-
	NAS Identifier:			192.168.20.128
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			0

RADIUS Client:
	Client Friendly Name:		IAP-93-IP
	Client IP Address:			192.168.20.128

Authentication Details:
	Connection Request Policy Name:	Secure Wireless Connections
	Network Policy Name:		Connections to other access servers
	Authentication Provider:		Windows
	Authentication Server:		TDC-BRT-01.brt.loc
	Authentication Type:		EAP
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			65
	Reason:				The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

User authentication goes fine, there is no issue there: the correct network policy is matched and access is allowed.

 

What could cause this wrong group match? Anything else to check or do?

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: Aruba and Windows 2008 NPS issue

Perhaps Insert Image works better than using attachments; it seems to.

 

nps2008-certificate.png

 

nps2008-domain-users-computers.png

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Aruba and Windows 2008 NPS issue


boneyard wrote:

cjoseph, see the attached file nps2008-domain-users-computers.png. It makes me believe that it is an OR and not an AND, right?

 

mike, see the attached file nps2008-certificate.png. I believe I'm using the correct certificate, not the CA one, right?

 

Below is an example log entry for a machine authentication request that fails (access denied). This happens because the wrong network policy is selected: not Secure Wireless Connections but Connections to other access servers. I have double-checked and the computer is in the Domain Computers group.

 

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			BRT\TLT-04$
	Account Name:			host/tlt-04.brt.loc
	Account Domain:			BRT
	Fully Qualified Account Name:	brt.loc/Computers/TLT-04

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		D8C7C8C8EF71
	Calling Station Identifier:		0019D2AF162C

NAS:
	NAS IPv4 Address:		192.168.20.128
	NAS IPv6 Address:		-
	NAS Identifier:			192.168.20.128
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			0

RADIUS Client:
	Client Friendly Name:		IAP-93-IP
	Client IP Address:			192.168.20.128

Authentication Details:
	Connection Request Policy Name:	Secure Wireless Connections
	Network Policy Name:		Connections to other access servers
	Authentication Provider:		Windows
	Authentication Server:		TDC-BRT-01.brt.loc
	Authentication Type:		EAP
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			65
	Reason:				The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

User authentication goes fine, there is no issue there: the correct network policy is matched and access is allowed.

 

What could cause this wrong group match? Anything else to check or do?


Boneyard,

 

The reason is that the dial-in property on the computer's account is not enabled. "Connections to other access servers" is the last built-in rule on the RADIUS server and is normally triggered when nothing else matches.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
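The checks behind this diagnosis, scripted. This is an added example for this thread, not code from any poster or from Aruba or Microsoft. It assumes the ActiveDirectory module (RSAT) is available on the NPS server and takes its names from the posted event (computer TLT-04 in domain BRT / brt.loc); those names, and the decision to clear the attribute rather than set it to Allow, are the example's own choices.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module and
# an account allowed to read/modify the computer object. Names are placeholders
# taken from the posted NPS event.
Import-Module ActiveDirectory

$computerName = 'TLT-04'
$c = Get-ADComputer -Identity $computerName -Properties msNPAllowDialin, primaryGroupID, memberOf

# Dial-in tab, "Network Access Permission", is stored in msNPAllowDialin:
#   attribute absent -> Control access through NPS Network Policy
#   $true            -> Allow access
#   $false           -> Deny access (the condition the event's Reason Code 65 describes)
if ($null -eq $c.msNPAllowDialin) { $nap = 'Control access through NPS Network Policy' }
elseif ($c.msNPAllowDialin)       { $nap = 'Allow access' }
else                               { $nap = 'Deny access' }

# "Domain Computers" is normally a computer's primary group (RID 515) and therefore
# does not appear in memberOf, which is why a memberOf-only check looks like the
# machine is "not in the group" even though the NPS Windows Groups condition sees it.
$isDomainComputers = ($c.primaryGroupID -eq 515)

"Computer:                     $($c.DistinguishedName)"
"Network Access Permission:    $nap"
"Primary group = Domain Computers: $isDomainComputers"
"Other group memberships:      $($c.memberOf -join '; ')"

# Fix: remove the explicit Deny so the matching network policy decides.
# (Uncomment to apply.)
# Set-ADComputer -Identity $computerName -Clear msNPAllowDialin

# Then review the policy conditions. Per the advice earlier in the thread, a
# machine-only policy whose Windows Groups condition lists just Domain Computers
# is the thing to compare against; netsh is used because the NPS PowerShell
# cmdlets are not present on Windows 2008 R2.
netsh nps show np
```

When the printed permission is "Deny access", the fall-through to "Connections to other access servers" in the posted event is expected: the account-level deny is applied regardless of which network policy would otherwise have matched.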
