Wireless Access

last person joined: 2 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Radius Authentication terminating on Windows Server NPS

Jump to Best Answer
This thread has been viewed 90 times
  • 1.  Radius Authentication terminating on Windows Server NPS

    Posted Sep 03, 2021 02:04 PM
    Note: Please see below for the solution to the problem, which was caused by an issue with the TLS version the NPS server was trying to use.

    I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

    This is my Connection Request Policy:


    This is my Network Policy:


    This is the certificate for my NPS server:


    It is correctly bound to the EAP policy.

    802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

    Any suggestions you could offer would be appreciated.


  • 2.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 03, 2021 05:58 PM
    You specifically need a server certificate.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 03, 2021 06:10 PM
    I'm not sure I understand what you're saying, here.  Isn't that what 1.3.6.1.5.5.7.3.1 is?

    ETA: I realize that I didn't show you the Enhanced Key Usage fields:



    ------------------------------
    Richard Spaulding
    ------------------------------



  • 4.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 07, 2021 10:55 AM
    Anyone have any ideas?  I'm really stumped on this one.

    ------------------------------
    Richard Spaulding
    ------------------------------



  • 5.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 08, 2021 03:50 AM
    Where do you see "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."?

    Do you see anything (further) in the Eventlog or NPS logs?

    What is the authentication method you try to use? The screenshot is truncated at the PEAP inner methods and only lists MSCHAPv1 in the visible part.

    Please note that PEAP-MSCHAPv2 is deprecated because of know weaknesses in the underlying MSCHAPv2 Better to use EAP-TLS.

    Troubleshooting NPS can be a challenge, as the logging is not always as accessible and clear.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 12, 2021 06:51 PM
    Sorry for the delay responding; it's been crazy here.

    The "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" error message is in Event Viewer for the NPS server. I don't see anything else there.

    The auth-buff on the controller shows the following:

    Sep 12 11:43:10 eap-id-req <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 5
    Sep 12 11:43:10 eap-id-resp -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 12 [Redacted]
    Sep 12 11:43:10 rad-req -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 5 205 192.168.1.5
    Sep 12 11:43:10 rad-reject <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5/[Redacted] 5 44
    Sep 12 11:43:10 eap-failure <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 4 server rejected

    I'm still trying to figure what the issue is.




  • 7.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 12, 2021 07:13 PM
    The controller is agnostic to the radius protocols in use.  The configuration needs to be correct on the radius server and the client, but the controller only tunnels the authentication.  Please look at this old document to check your work https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAssets/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

    Also, use a mobile phone to test authentication, because it is much more forgiving than a Windows client.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 8.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 13, 2021 02:57 PM
    I feel like it's got to be a certificate issue, but everything looks fine and I've even rekeyed the certificate without success.

    [ETA: It was not; see below re: TLS 2.0.]

    I'm at a loss.




  • 9.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 13, 2021 03:31 PM
    Is your installl for any domain computers?  If yes, you should have an internal CA and try generating the server certificate from there.  There is no specific advantage to having a public 802.1x server certificate.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 10.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 13, 2021 04:31 PM
    I can certainly test it that way, but I do not have the ability to push an internal root certificate to all of the client devices, so using an internal CA is not a practical long-term solution...especially since the newest versions of Android and ChromeOS require validation of EAP server certificates.

    ------------------------------
    Richard Spaulding
    ------------------------------



  • 11.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 13, 2021 04:38 PM
    The root should be pushed to domain computers automatically via group policy if you have already setup an enterprise CA in your domain.  You can just do a GPUPDATE for any computers out of the update cycle.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 12.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 13, 2021 04:43 PM
    Sure, but most of the clients that need to be authenticated are not domain computers.  We don't manage student or faculty personal devices, only computers owned by the school.

    ------------------------------
    Richard Spaulding
    ------------------------------



  • 13.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 13, 2021 04:51 PM
    Does GoDaddy have instructions on how to install a radius certificate they issue onto an NPS server?  Please check.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 14.  RE: Radius Authentication terminating on Windows Server NPS
    Best Answer

    Posted Sep 13, 2021 08:27 PM
    I have fixed the issue!  The problem was TLS Version.  By default, Windows Server 2008 and 2012 NPS server uses only TLS 1.0.  Even if one has enabled TLS 1.2 through an update and disabled TLS 1.0, NPS will continue blithely to attempt to use TLS 1.0 and it will fail to create a TLS tunnel.  Instead of giving you an error that explains what is happening, however, it will only give you the message "Negotiation failed. No EAP method" and the other message I posted above.

    The solution is to edit the registry to use TLS 1.2 with NPS.  I followed instructions I found here:

    https://www.dot11.guru/2020/07/27/enforcing-tls-1-2-for-microsoft-nps-server-2008-2012/

    But I had to modify them slightly because they are for EAP-TLS and PEAP-TLS, whereas I am using PEAP-MSCHAPv2. In short:

    Add a new DWORD key named TlsVersion with the value C00 to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\26.

    If you wish to enable TLS 1.1 and 1.2, use F00; for TLS 1.0, 1.1 and 1.2, use FC0.

    Everything is now working fine.  I'm going to go back and edit out some of the images I posted earlier because I didn't anonymize them.