Wireless Access


Windows 10 Ldap Active Directory Authentication not working

  • 1.  Windows 10 Ldap Active Directory Authentication not working

    Posted Jun 28, 2018 03:45 PM

    I have successfully configured a virtual controller to authenticate users using LDAP (Active Directory). On Windows 7 a user is able to connect successfully without any problem, but on Windows 10 users are not able to authenticate. The username and password popup will just keep coming back. On both Win 7 and 10 I have installed the PEAP-GTC plugin and created my wireless network manually on the PC. On Windows 7 it connects well using the AD credentials, but on Windows 10 nothing.

    Any ideas where I can start to look?



  • 2.  RE: Windows 10 Ldap Active Directory Authentication not working
    Best Answer

    EMPLOYEE
    Posted Jun 28, 2018 03:51 PM

    If you have a Windows server, you should be installing NPS, a radius server instead of using LDAP with EAP offload.  The PEAP-GTC plugin has not been updated in years, because it was just a stopgap for people who could not stand up a Radius Server.  Anyone with a Windows Server can add NPS and authenticate their users there, instead of installing a piece of software on every client that will never be updated.

    http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

     

     



  • 3.  RE: Windows 10 Ldap Active Directory Authentication not working

    Posted Jul 08, 2018 12:28 PM

    So an update on this issue

     

    When using LDAP

    1. Windows 7 was connecting using PEAP plugin. (Tried creating manual connection in Windows networking as well.)

    2. Windows 10 was not able to connect using PEAP plugin.

    3. iOS 11 not able to connect.

     

    I have installed NPS on the Windows server and configured RADIUS on the virtual controller (removed PEAP plugin).

    1. Now Windows 7 is not able to connect.

    2. Windows 10 is able to connect.

    3. iOS 11 able to connect.

     

    Tried contacting Aruba TAC, but the guys seem not to be knowledgeable on how to troubleshoot this one.



  • 4.  RE: Windows 10 Ldap Active Directory Authentication not working

    EMPLOYEE
    Posted Jul 08, 2018 01:53 PM

    You should make sure that Termination is not enabled in the 802.1x profile, so that the Windows computers will see the certificate from the NPS Radius Server.



  • 5.  RE: Windows 10 Ldap Active Directory Authentication not working

    Posted Jul 08, 2018 01:57 PM

    For this implementation I did not install any certificate on the NPS or anywhere. I just enabled EAP offload on the virtual controller, so that the clients see the VC certificate and the controller forwards the RADIUS request without any certificate involved.



  • 6.  RE: Windows 10 Ldap Active Directory Authentication not working

    EMPLOYEE
    Posted Jul 08, 2018 01:59 PM

    EAP offload enabled means that the controller certificate is involved and if your client does not trust this certificate, it will not work.  As a test, try disabling "Validate Server Certificate" on the devices that do not work.  In practice, there should be a certificate on the NPS server that all clients trust and EAP offload should be disabled.



  • 7.  RE: Windows 10 Ldap Active Directory Authentication not working

    Posted Jul 08, 2018 02:12 PM

    Just to get clarification on this line:

    "In practice, there should be a certificate on the NPS server that all clients trust and EAP offload should be disabled."

    If I put a certificate on the NPS, does this mean I have to install/push it out to every client who wants to connect using the NPS?



  • 8.  RE: Windows 10 Ldap Active Directory Authentication not working

    EMPLOYEE
    Posted Jul 08, 2018 02:17 PM

    Yes.  That Certificate or the CA that issued the certificate must be in the client's trusted store.

     

    If you have a domain and the domain's CA issues a certificate to the NPS server, by default all the clients in that domain trust that server's certificate.

     

    PEAP is mutual authentication where:

     

    - The server expects a valid username and password and

    - The client expects the server to have a server certificate that it trusts
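
The trust requirement described in this reply can be checked from an affected Windows client. The following is an added example, not part of the original thread: the function name `Test-EapServerCertTrust` and the file name `nps-server.cer` (the RADIUS server certificate exported to a file) are hypothetical. Revocation checking is switched off so it runs without network access, and it evaluates the certificate against the client's certificate stores only, not against the trusted-root selection inside a particular WLAN profile.

```powershell
# Added example: report whether this Windows client would trust a RADIUS/NPS
# server certificate, which is what "Validate Server Certificate" relies on.
function Test-EapServerCertTrust {
    param(
        # Path to the exported server certificate (hypothetical file name)
        [Parameter(Mandatory)] [string] $CertPath
    )

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $CertPath).Path

    # Build the chain against the current user and local machine stores.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: offline check
    $chainTrusted = $chain.Build($cert)

    # A RADIUS server certificate should carry the Server Authentication EKU.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $eku = $cert.Extensions |
        Where-Object { $_.GetType().Name -eq 'X509EnhancedKeyUsageExtension' }
    $hasServerAuth = [bool]($eku -and
        ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))

    $now = Get-Date
    [pscustomobject]@{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        SelfSigned       = ($cert.Subject -eq $cert.Issuer)
        InValidityPeriod = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        HasServerAuthEku = $hasServerAuth
        ChainTrusted     = $chainTrusted
        # Typical value for an uninstalled self-signed certificate: UntrustedRoot
        ChainErrors      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Run on a client that fails to connect:
# Test-EapServerCertTrust -CertPath .\nps-server.cer
```

A result with `ChainTrusted` false on the clients that fail and true on the clients that connect points at the certificate trust store rather than at the credentials.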

     



  • 9.  RE: Windows 10 Ldap Active Directory Authentication not working

    Posted Jul 08, 2018 02:21 PM

    Then in my case this won't work, because this is just meant for internal office users to use their AD credentials for WiFi authentication.

     

    If a self-signed certificate won't work, then we are at a stalemate. Tomorrow I have another call with the Aruba team. I'll update on what we will have done, if we find a workaround for the Windows 7 PCs.



  • 10.  RE: Windows 10 Ldap Active Directory Authentication not working

    EMPLOYEE
    Posted Jul 08, 2018 02:35 PM

    A self-signed certificate can work, as long as that certificate is installed in the user's trusted store.



  • 11.  RE: Windows 10 Ldap Active Directory Authentication not working

    EMPLOYEE
    Posted Jul 08, 2018 10:02 PM
    While they may work, self-signed EAP server certificates should never be used.


  • 12.  RE: Windows 10 Ldap Active Directory Authentication not working

    Posted Jul 19, 2018 04:00 AM

    Final solution I did for this is as below.

    1. On the same AD server I installed Windows NPS and registered it in AD.

    *** Note that I did not install any certificate on this server.

    2. I enabled EAP offload on the IAP since I did not install a certificate on the server.

    3. Configured IAP for RADIUS to point to the server.