So it seems like Windows 10 has changed behavior recently, by requiring TLS 1.2 during the session setup. ArubaOS 3.x or 5.x do not support TLS 1.2 for EAP Termination; however I do not see any reason why it shouldn't with an external NPS server. However make sure that NPS does support TLS 1.2.
May be the following information may help you:
- Problem Statement:
- When the controller is configured to perform EAP termination, newer clients that support TLS1.2 may fail 802.1X authentication
- 1X authentication is NOT affected if a) EAP termination is disabled and b) the authentication server supports TLS 1.2 (e.g. ClearPass v. 6.5.2)
- Windows 10 WiFi clients are using TLS 1.2 by default and is failing 802.1X authentication when controller is configured with EAP Termination
- Disable EAP termination on the controller and make sure the authentication server supports TLS 1.2
- Please take a look at https://support.microsoft.com/en-us/kb/3121002. There is a method to modify registry keys to use a different TLS version, e.g. TLS 1.0
It does not really make sense that with an external NPS RADIUS server, setup with certificates for EAP-802.1x, it does work for a Ruckus AP while it does not for the Aruba controller, as in that setup all communication is tunneled and performed on the RADIUS server. If you connect to the SSID, do you see the correct certifcate?? If you have an iOS device is nicely shows the server certificate so you can check if you are indeed seeing the cert from the RADIUS server, not the controller internal.
The advise I gave you to put your own cert on the controller and still use EAP termination has been obsoleted by this new information about Windows 10 requiring TLS1.2.