EAP-TLS Auth Failure

Hi Community,

 

We have an Aruba 7030 controller running 6.4.2.3 and are attempting to do EAP-TLS authentication to a Windows NPS server. The NPS server has been configured with a connection profile and network policy.

 

On the Aruba controller we have WPA2/AES configured with an AAA profile that has a dot1x profile assigned. Termination is NOT enabled.

 

I ran some logging on the controller to watch the authentication and I see the requests and rejects coming back from NPS. The error we receive in NPS is "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server". We have an internal CA and the certificate is installed on the computer. We verified the Root CA is trusted.

 

Not sure where else to look now. Any ideas why this is coming through?

 

show_logs.png

 

controlpath-pcap.png


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: EAP-TLS Auth Failure

Do you see anything in the NPS event viewer? 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: EAP-TLS Auth Failure

Yes, it is showing and the info in the request shows EAP but no EAP-Type and the error is "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

 

We configured the client device with WPA2/AES and security is Microsoft smart card or other certificate. 

 

device_config.png

 

We added the server in "connect to these servers" and checked the certificate in the list.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: EAP-TLS Auth Failure

Just for testing, can you uncheck validation? 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: EAP-TLS Auth Failure

Unchecking validate server certificate, the connection continued to spin and after a while it just failed.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: EAP-TLS Auth Failure

We have opened a case with Aruba TAC and I will post changes that resolved the issue.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: EAP-TLS Auth Failure

Is the clock on both client and server correct?


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294

Re: EAP-TLS Auth Failure

Clocks are the same, no deviation.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: EAP-TLS Auth Failure

Mharing,

 

Did the CA issue the Radius Server Certificate and the Client Certificate?

 

If not, is the CA that issued the certificate listed as one of the trusted CAs on the NPS server?

 



Colin Joseph
Aruba Customer Engineering


Re: EAP-TLS Auth Failure

Just a wild guess, but is this a new NPS server? Does it actually have the certificate to use for RADIUS? So not the CA, but the one you select in one of the NPS profile settings.
