
unable to authenticate NPS with aruba controller.

  • 1.  unable to authenticate NPS with aruba controller.

    Posted Oct 14, 2021 11:04 AM
    Hello Team,

    We have created a new dot1x SSID which is authenticated by the NPS server. In the auth-tracebuf we could see the server rejecting the RADIUS request. Logs below for reference.

    We need step-by-step documents for integrating and configuring NPS with the Aruba controller.

     Oct  7 11:58:22  station-down           *  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73          -    -

    Oct  7 11:58:22  rad-reject            <-  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73/nps      112  44

    Oct  7 11:58:22  eap-failure           <-  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73          1    4    server rejected

    Oct  7 11:58:23  eapol-pkt-drop         *  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73          -    -    received eapol-pkt before assos

    Oct  7 11:58:23  station-up             *  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73          -    -    wpa2 aes

    Oct  7 11:58:23  eap-id-req            <-  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73          1    5

    Oct  7 11:58:27  eap-id-resp           ->  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73          1    31   domain\james.K

    Oct  7 11:58:27  rad-req               ->  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73          103  223

    Oct  7 11:58:27  rad-reject            <-  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73/nps      103  44

    Oct  7 11:58:27  station-down           *  34:c

    Abhijeet Bhapkar
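
To read the trace above, pair each `rad-reject` with the identity and `rad-req` that came before it for the same station. The following is an added example, not part of either post; the column names and the `parse` and `rejected_attempts` functions are assumptions made for illustration.

```python
import re

# Sample input: the trace lines from the post above, including the truncated last line.
# Assumption: the two numeric columns are the id and length; the page does not label them.
SAMPLE = r"""
Oct  7 11:58:22  station-down           *  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73          -    -
Oct  7 11:58:22  rad-reject            <-  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73/nps      112  44
Oct  7 11:58:22  eap-failure           <-  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73          1    4    server rejected
Oct  7 11:58:23  eapol-pkt-drop         *  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73          -    -    received eapol-pkt before assos
Oct  7 11:58:23  station-up             *  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73          -    -    wpa2 aes
Oct  7 11:58:23  eap-id-req            <-  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73          1    5
Oct  7 11:58:27  eap-id-resp           ->  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73          1    31   domain\james.K
Oct  7 11:58:27  rad-req               ->  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73          103  223
Oct  7 11:58:27  rad-reject            <-  34:cf:f6:7e:d1:1e  24:62:ce:2e:55:73/nps      103  44
Oct  7 11:58:27  station-down           *  34:c
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE = re.compile(
    rf"^\s*(?P<ts>\w{{3}}\s+\d+\s+[\d:]{{8}})\s+(?P<event>\S+)\s+(?P<dir>->|<-|\*)\s+"
    rf"(?P<sta>{MAC})\s+(?P<bssid>{MAC})(?:/(?P<server>\S+))?"
    rf"\s+(?P<id>\S+)\s+(?P<len>\S+)\s*(?P<info>.*)$", re.I)

def parse(trace):
    """Return (events, skipped): parsed rows and the lines that did not match."""
    events, skipped = [], []
    for raw in filter(str.strip, trace.splitlines()):
        m = LINE.match(raw)
        if m:
            events.append({k: (v or "").strip() for k, v in m.groupdict().items()})
        else:
            skipped.append(raw.strip())  # e.g. a line cut off mid-MAC
    return events, skipped

def rejected_attempts(events):
    """Pair each rad-reject with the identity and rad-req seen before it."""
    identity, pending, out = {}, set(), []
    for e in events:
        sta = e["sta"]
        if e["event"] == "eap-id-resp":
            identity[sta] = e["info"]
        elif e["event"] == "rad-req":
            pending.add((sta, e["id"]))
        elif e["event"] == "rad-reject":
            out.append({"time": e["ts"], "station": sta, "server": e["server"],
                        "identity": identity.get(sta), "request_seen": (sta, e["id"]) in pending})
        elif e["event"] == "station-down":
            identity.pop(sta, None)  # next association starts a new identity exchange
    return out
```

Calling `rejected_attempts(parse(SAMPLE)[0])` shows that the second reject answers the `rad-req` sent right after the identity response, so the reason for the rejection has to be looked up on the server named `nps`, not on the controller.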

  • 2.  RE: unable to authenticate NPS with aruba controller.

    Posted Oct 14, 2021 03:10 PM
    Hi Abhijeet,

    You can find a lot of good step-by-step guides when you google for it. Some you can find here

    Please don't use EAP-PEAP MSCHAPv2 with AD credentials, since this is considered insecure and can easily leak your credentials. For better security, use EAP-TLS certificate-based authentication, or at least no AD credentials but credentials dedicated to Wi-Fi use only.

    On your Instant or controller side you only need to set the RADIUS server IP and RADIUS pre-shared key; the controller will only bypass the traffic. The rest of the setup is done on your NPS server. Be sure you have installed a RADIUS server certificate and that the NPS server is AD joined, which is required for EAP-PEAP MSCHAPv2 only.

    I'm not really familiar with the NPS configuration. NPS is end of development; better to use a much better authentication server like Aruba ClearPass, which has many more configuration possibilities, insight and troubleshooting options than NPS.

    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own