Wireless Access

Note: Please see below for the solution to the problem, which was caused by an issue with the TLS version the NPS server was trying to use.

I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

This is my Connection Request Policy:


This is my Network Policy:


This is the certificate for my NPS server:


It is correctly bound to the EAP policy.

802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

Any suggestions you could offer would be appreciated.

You specifically need a server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Sep 03, 2021 02:03 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

This is my Connection Request Policy:


This is my Network Policy:


This is the certificate for my NPS server:


It is correctly bound to the EAP policy.

802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

Any suggestions you could offer would be appreciated.

I'm not sure I understand what you're saying, here.  Isn't that what 1.3.6.1.5.5.7.3.1 is?

ETA: I realize that I didn't show you the Enhanced Key Usage fields:



------------------------------
Richard Spaulding
------------------------------

Original Message:
Sent: Sep 03, 2021 05:58 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

You specifically need a server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 03, 2021 02:03 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

This is my Connection Request Policy:


This is my Network Policy:


This is the certificate for my NPS server:


It is correctly bound to the EAP policy.

802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

Any suggestions you could offer would be appreciated.

Anyone have any ideas?  I'm really stumped on this one.

------------------------------
Richard Spaulding
------------------------------

Original Message:
Sent: Sep 03, 2021 06:09 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm not sure I understand what you're saying, here.  Isn't that what 1.3.6.1.5.5.7.3.1 is?

ETA: I realize that I didn't show you the Enhanced Key Usage fields:



------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 05:58 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

You specifically need a server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 03, 2021 02:03 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

This is my Connection Request Policy:


This is my Network Policy:


This is the certificate for my NPS server:


It is correctly bound to the EAP policy.

802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

Any suggestions you could offer would be appreciated.

Where do you see "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."?

Do you see anything (further) in the Eventlog or NPS logs?

What is the authentication method you try to use? The screenshot is truncated at the PEAP inner methods and only lists MSCHAPv1 in the visible part.

Please note that PEAP-MSCHAPv2 is deprecated because of know weaknesses in the underlying MSCHAPv2 Better to use EAP-TLS.

Troubleshooting NPS can be a challenge, as the logging is not always as accessible and clear.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Sep 07, 2021 10:54 AM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Anyone have any ideas?  I'm really stumped on this one.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 06:09 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm not sure I understand what you're saying, here.  Isn't that what 1.3.6.1.5.5.7.3.1 is?

ETA: I realize that I didn't show you the Enhanced Key Usage fields:



------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 05:58 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

You specifically need a server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 03, 2021 02:03 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

This is my Connection Request Policy:


This is my Network Policy:


This is the certificate for my NPS server:


It is correctly bound to the EAP policy.

802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

Any suggestions you could offer would be appreciated.

Sorry for the delay responding; it's been crazy here.

The "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" error message is in Event Viewer for the NPS server. I don't see anything else there.

The auth-buff on the controller shows the following:

Sep 12 11:43:10 eap-id-req <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 5
Sep 12 11:43:10 eap-id-resp -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 12 [Redacted]
Sep 12 11:43:10 rad-req -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 5 205 192.168.1.5
Sep 12 11:43:10 rad-reject <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5/[Redacted] 5 44
Sep 12 11:43:10 eap-failure <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 4 server rejected

I'm still trying to figure what the issue is.


Original Message:
Sent: Sep 08, 2021 03:49 AM
From: Herman Robers
Subject: Radius Authentication terminating on Windows Server NPS

Where do you see "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."?

Do you see anything (further) in the Eventlog or NPS logs?

What is the authentication method you try to use? The screenshot is truncated at the PEAP inner methods and only lists MSCHAPv1 in the visible part.

Please note that PEAP-MSCHAPv2 is deprecated because of know weaknesses in the underlying MSCHAPv2 Better to use EAP-TLS.

Troubleshooting NPS can be a challenge, as the logging is not always as accessible and clear.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 07, 2021 10:54 AM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Anyone have any ideas?  I'm really stumped on this one.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 06:09 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm not sure I understand what you're saying, here.  Isn't that what 1.3.6.1.5.5.7.3.1 is?

ETA: I realize that I didn't show you the Enhanced Key Usage fields:



------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 05:58 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

You specifically need a server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 03, 2021 02:03 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

This is my Connection Request Policy:


This is my Network Policy:


This is the certificate for my NPS server:


It is correctly bound to the EAP policy.

802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

Any suggestions you could offer would be appreciated.

The controller is agnostic to the radius protocols in use.  The configuration needs to be correct on the radius server and the client, but the controller only tunnels the authentication.  Please look at this old document to check your work https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAssets/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

Also, use a mobile phone to test authentication, because it is much more forgiving than a Windows client.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Sep 12, 2021 06:51 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Sorry for the delay responding; it's been crazy here.

The "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" error message is in Event Viewer for the NPS server. I don't see anything else there.

The auth-buff on the controller shows the following:

Sep 12 11:43:10 eap-id-req <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 5
Sep 12 11:43:10 eap-id-resp -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 12 tws-nps
Sep 12 11:43:10 rad-req -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 5 205 192.168.1.5
Sep 12 11:43:10 rad-reject <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5/Test-NPS 5 44
Sep 12 11:43:10 eap-failure <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 4 server rejected

I'm still trying to figure what the issue is.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 08, 2021 03:49 AM
From: Herman Robers
Subject: Radius Authentication terminating on Windows Server NPS

Where do you see "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."?

Do you see anything (further) in the Eventlog or NPS logs?

What is the authentication method you try to use? The screenshot is truncated at the PEAP inner methods and only lists MSCHAPv1 in the visible part.

Please note that PEAP-MSCHAPv2 is deprecated because of know weaknesses in the underlying MSCHAPv2 Better to use EAP-TLS.

Troubleshooting NPS can be a challenge, as the logging is not always as accessible and clear.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 07, 2021 10:54 AM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Anyone have any ideas?  I'm really stumped on this one.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 06:09 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm not sure I understand what you're saying, here.  Isn't that what 1.3.6.1.5.5.7.3.1 is?

ETA: I realize that I didn't show you the Enhanced Key Usage fields:



------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 05:58 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

You specifically need a server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 03, 2021 02:03 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

This is my Connection Request Policy:


This is my Network Policy:


This is the certificate for my NPS server:


It is correctly bound to the EAP policy.

802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

Any suggestions you could offer would be appreciated.

Original Message:
Sent: Sep 12, 2021 07:12 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

The controller is agnostic to the radius protocols in use.  The configuration needs to be correct on the radius server and the client, but the controller only tunnels the authentication.  Please look at this old document to check your work https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAssets/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

Also, use a mobile phone to test authentication, because it is much more forgiving than a Windows client.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 12, 2021 06:51 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Sorry for the delay responding; it's been crazy here.

The "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" error message is in Event Viewer for the NPS server. I don't see anything else there.

The auth-buff on the controller shows the following:

Sep 12 11:43:10 eap-id-req <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 5
Sep 12 11:43:10 eap-id-resp -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 12 tws-nps
Sep 12 11:43:10 rad-req -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 5 205 192.168.1.5
Sep 12 11:43:10 rad-reject <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5/Test-NPS 5 44
Sep 12 11:43:10 eap-failure <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 4 server rejected

I'm still trying to figure what the issue is.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 08, 2021 03:49 AM
From: Herman Robers
Subject: Radius Authentication terminating on Windows Server NPS

Where do you see "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."?

Do you see anything (further) in the Eventlog or NPS logs?

What is the authentication method you try to use? The screenshot is truncated at the PEAP inner methods and only lists MSCHAPv1 in the visible part.

Please note that PEAP-MSCHAPv2 is deprecated because of know weaknesses in the underlying MSCHAPv2 Better to use EAP-TLS.

Troubleshooting NPS can be a challenge, as the logging is not always as accessible and clear.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 07, 2021 10:54 AM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Anyone have any ideas?  I'm really stumped on this one.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 06:09 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm not sure I understand what you're saying, here.  Isn't that what 1.3.6.1.5.5.7.3.1 is?

ETA: I realize that I didn't show you the Enhanced Key Usage fields:



------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 05:58 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

You specifically need a server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 03, 2021 02:03 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

This is my Connection Request Policy:


This is my Network Policy:


This is the certificate for my NPS server:


It is correctly bound to the EAP policy.

802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

Any suggestions you could offer would be appreciated.

Is your installl for any domain computers?  If yes, you should have an internal CA and try generating the server certificate from there.  There is no specific advantage to having a public 802.1x server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Sep 13, 2021 02:56 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I feel like it's got to be a certificate issue, but everything looks fine and I've even rekeyed the certificate without success.

This is the certificate that's set in the PEAP settings for the policy, too:

I'm at a loss.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 12, 2021 07:12 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

The controller is agnostic to the radius protocols in use.  The configuration needs to be correct on the radius server and the client, but the controller only tunnels the authentication.  Please look at this old document to check your work https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAssets/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

Also, use a mobile phone to test authentication, because it is much more forgiving than a Windows client.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 12, 2021 06:51 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Sorry for the delay responding; it's been crazy here.

The "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" error message is in Event Viewer for the NPS server. I don't see anything else there.

The auth-buff on the controller shows the following:

Sep 12 11:43:10 eap-id-req <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 5
Sep 12 11:43:10 eap-id-resp -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 12 tws-nps
Sep 12 11:43:10 rad-req -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 5 205 192.168.1.5
Sep 12 11:43:10 rad-reject <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5/Test-NPS 5 44
Sep 12 11:43:10 eap-failure <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 4 server rejected

I'm still trying to figure what the issue is.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 08, 2021 03:49 AM
From: Herman Robers
Subject: Radius Authentication terminating on Windows Server NPS

Where do you see "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."?

Do you see anything (further) in the Eventlog or NPS logs?

What is the authentication method you try to use? The screenshot is truncated at the PEAP inner methods and only lists MSCHAPv1 in the visible part.

Please note that PEAP-MSCHAPv2 is deprecated because of know weaknesses in the underlying MSCHAPv2 Better to use EAP-TLS.

Troubleshooting NPS can be a challenge, as the logging is not always as accessible and clear.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 07, 2021 10:54 AM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Anyone have any ideas?  I'm really stumped on this one.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 06:09 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm not sure I understand what you're saying, here.  Isn't that what 1.3.6.1.5.5.7.3.1 is?

ETA: I realize that I didn't show you the Enhanced Key Usage fields:



------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 05:58 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

You specifically need a server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 03, 2021 02:03 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

This is my Connection Request Policy:


This is my Network Policy:


This is the certificate for my NPS server:


It is correctly bound to the EAP policy.

802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

Any suggestions you could offer would be appreciated.

I can certainly test it that way, but I do not have the ability to push an internal root certificate to all of the client devices, so using an internal CA is not a practical long-term solution...especially since the newest versions of Android and ChromeOS require validation of EAP server certificates.

------------------------------
Richard Spaulding
------------------------------

Original Message:
Sent: Sep 13, 2021 03:30 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

Is your installl for any domain computers?  If yes, you should have an internal CA and try generating the server certificate from there.  There is no specific advantage to having a public 802.1x server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 13, 2021 02:56 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I feel like it's got to be a certificate issue, but everything looks fine and I've even rekeyed the certificate without success.

This is the certificate that's set in the PEAP settings for the policy, too:

I'm at a loss.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 12, 2021 07:12 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

The controller is agnostic to the radius protocols in use.  The configuration needs to be correct on the radius server and the client, but the controller only tunnels the authentication.  Please look at this old document to check your work https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAssets/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

Also, use a mobile phone to test authentication, because it is much more forgiving than a Windows client.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 12, 2021 06:51 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Sorry for the delay responding; it's been crazy here.

The "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" error message is in Event Viewer for the NPS server. I don't see anything else there.

The auth-buff on the controller shows the following:

Sep 12 11:43:10 eap-id-req <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 5
Sep 12 11:43:10 eap-id-resp -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 12 tws-nps
Sep 12 11:43:10 rad-req -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 5 205 192.168.1.5
Sep 12 11:43:10 rad-reject <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5/Test-NPS 5 44
Sep 12 11:43:10 eap-failure <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 4 server rejected

I'm still trying to figure what the issue is.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 08, 2021 03:49 AM
From: Herman Robers
Subject: Radius Authentication terminating on Windows Server NPS

Where do you see "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."?

Do you see anything (further) in the Eventlog or NPS logs?

What is the authentication method you try to use? The screenshot is truncated at the PEAP inner methods and only lists MSCHAPv1 in the visible part.

Please note that PEAP-MSCHAPv2 is deprecated because of know weaknesses in the underlying MSCHAPv2 Better to use EAP-TLS.

Troubleshooting NPS can be a challenge, as the logging is not always as accessible and clear.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 07, 2021 10:54 AM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Anyone have any ideas?  I'm really stumped on this one.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 06:09 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm not sure I understand what you're saying, here.  Isn't that what 1.3.6.1.5.5.7.3.1 is?

ETA: I realize that I didn't show you the Enhanced Key Usage fields:



------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 05:58 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

You specifically need a server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 03, 2021 02:03 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

This is my Connection Request Policy:


This is my Network Policy:


This is the certificate for my NPS server:


It is correctly bound to the EAP policy.

802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

Any suggestions you could offer would be appreciated.

The root should be pushed to domain computers automatically via group policy if you have already setup an enterprise CA in your domain.  You can just do a GPUPDATE for any computers out of the update cycle.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Sep 13, 2021 04:31 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I can certainly test it that way, but I do not have the ability to push an internal root certificate to all of the client devices, so using an internal CA is not a practical long-term solution...especially since the newest versions of Android and ChromeOS require validation of EAP server certificates.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 13, 2021 03:30 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

Is your installl for any domain computers?  If yes, you should have an internal CA and try generating the server certificate from there.  There is no specific advantage to having a public 802.1x server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 13, 2021 02:56 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I feel like it's got to be a certificate issue, but everything looks fine and I've even rekeyed the certificate without success.

This is the certificate that's set in the PEAP settings for the policy, too:

I'm at a loss.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 12, 2021 07:12 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

The controller is agnostic to the radius protocols in use.  The configuration needs to be correct on the radius server and the client, but the controller only tunnels the authentication.  Please look at this old document to check your work https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAssets/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

Also, use a mobile phone to test authentication, because it is much more forgiving than a Windows client.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 12, 2021 06:51 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Sorry for the delay responding; it's been crazy here.

The "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" error message is in Event Viewer for the NPS server. I don't see anything else there.

The auth-buff on the controller shows the following:

Sep 12 11:43:10 eap-id-req <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 5
Sep 12 11:43:10 eap-id-resp -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 12 tws-nps
Sep 12 11:43:10 rad-req -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 5 205 192.168.1.5
Sep 12 11:43:10 rad-reject <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5/Test-NPS 5 44
Sep 12 11:43:10 eap-failure <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 4 server rejected

I'm still trying to figure what the issue is.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 08, 2021 03:49 AM
From: Herman Robers
Subject: Radius Authentication terminating on Windows Server NPS

Where do you see "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."?

Do you see anything (further) in the Eventlog or NPS logs?

What is the authentication method you try to use? The screenshot is truncated at the PEAP inner methods and only lists MSCHAPv1 in the visible part.

Please note that PEAP-MSCHAPv2 is deprecated because of know weaknesses in the underlying MSCHAPv2 Better to use EAP-TLS.

Troubleshooting NPS can be a challenge, as the logging is not always as accessible and clear.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 07, 2021 10:54 AM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Anyone have any ideas?  I'm really stumped on this one.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 06:09 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm not sure I understand what you're saying, here.  Isn't that what 1.3.6.1.5.5.7.3.1 is?

ETA: I realize that I didn't show you the Enhanced Key Usage fields:



------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 05:58 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

You specifically need a server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 03, 2021 02:03 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

This is my Connection Request Policy:


This is my Network Policy:


This is the certificate for my NPS server:


It is correctly bound to the EAP policy.

802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

Any suggestions you could offer would be appreciated.

Sure, but most of the clients that need to be authenticated are not domain computers.  We don't manage student or faculty personal devices, only computers owned by the school.

------------------------------
Richard Spaulding
------------------------------

Original Message:
Sent: Sep 13, 2021 04:37 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

The root should be pushed to domain computers automatically via group policy if you have already setup an enterprise CA in your domain.  You can just do a GPUPDATE for any computers out of the update cycle.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 13, 2021 04:31 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I can certainly test it that way, but I do not have the ability to push an internal root certificate to all of the client devices, so using an internal CA is not a practical long-term solution...especially since the newest versions of Android and ChromeOS require validation of EAP server certificates.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 13, 2021 03:30 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

Is your installl for any domain computers?  If yes, you should have an internal CA and try generating the server certificate from there.  There is no specific advantage to having a public 802.1x server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 13, 2021 02:56 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I feel like it's got to be a certificate issue, but everything looks fine and I've even rekeyed the certificate without success.

This is the certificate that's set in the PEAP settings for the policy, too:

I'm at a loss.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 12, 2021 07:12 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

The controller is agnostic to the radius protocols in use.  The configuration needs to be correct on the radius server and the client, but the controller only tunnels the authentication.  Please look at this old document to check your work https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAssets/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

Also, use a mobile phone to test authentication, because it is much more forgiving than a Windows client.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 12, 2021 06:51 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Sorry for the delay responding; it's been crazy here.

The "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" error message is in Event Viewer for the NPS server. I don't see anything else there.

The auth-buff on the controller shows the following:

Sep 12 11:43:10 eap-id-req <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 5
Sep 12 11:43:10 eap-id-resp -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 12 tws-nps
Sep 12 11:43:10 rad-req -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 5 205 192.168.1.5
Sep 12 11:43:10 rad-reject <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5/Test-NPS 5 44
Sep 12 11:43:10 eap-failure <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 4 server rejected

I'm still trying to figure what the issue is.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 08, 2021 03:49 AM
From: Herman Robers
Subject: Radius Authentication terminating on Windows Server NPS

Where do you see "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."?

Do you see anything (further) in the Eventlog or NPS logs?

What is the authentication method you try to use? The screenshot is truncated at the PEAP inner methods and only lists MSCHAPv1 in the visible part.

Please note that PEAP-MSCHAPv2 is deprecated because of know weaknesses in the underlying MSCHAPv2 Better to use EAP-TLS.

Troubleshooting NPS can be a challenge, as the logging is not always as accessible and clear.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 07, 2021 10:54 AM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Anyone have any ideas?  I'm really stumped on this one.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 06:09 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm not sure I understand what you're saying, here.  Isn't that what 1.3.6.1.5.5.7.3.1 is?

ETA: I realize that I didn't show you the Enhanced Key Usage fields:



------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 05:58 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

You specifically need a server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 03, 2021 02:03 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

This is my Connection Request Policy:


This is my Network Policy:


This is the certificate for my NPS server:


It is correctly bound to the EAP policy.

802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

Any suggestions you could offer would be appreciated.

Does GoDaddy have instructions on how to install a radius certificate they issue onto an NPS server?  Please check.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Sep 13, 2021 04:42 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Sure, but most of the clients that need to be authenticated are not domain computers.  We don't manage student or faculty personal devices, only computers owned by the school.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 13, 2021 04:37 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

The root should be pushed to domain computers automatically via group policy if you have already setup an enterprise CA in your domain.  You can just do a GPUPDATE for any computers out of the update cycle.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 13, 2021 04:31 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I can certainly test it that way, but I do not have the ability to push an internal root certificate to all of the client devices, so using an internal CA is not a practical long-term solution...especially since the newest versions of Android and ChromeOS require validation of EAP server certificates.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 13, 2021 03:30 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

Is your installl for any domain computers?  If yes, you should have an internal CA and try generating the server certificate from there.  There is no specific advantage to having a public 802.1x server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 13, 2021 02:56 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I feel like it's got to be a certificate issue, but everything looks fine and I've even rekeyed the certificate without success.

This is the certificate that's set in the PEAP settings for the policy, too:

I'm at a loss.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 12, 2021 07:12 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

The controller is agnostic to the radius protocols in use.  The configuration needs to be correct on the radius server and the client, but the controller only tunnels the authentication.  Please look at this old document to check your work https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAssets/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

Also, use a mobile phone to test authentication, because it is much more forgiving than a Windows client.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 12, 2021 06:51 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Sorry for the delay responding; it's been crazy here.

The "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" error message is in Event Viewer for the NPS server. I don't see anything else there.

The auth-buff on the controller shows the following:

Sep 12 11:43:10 eap-id-req <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 5
Sep 12 11:43:10 eap-id-resp -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 12 tws-nps
Sep 12 11:43:10 rad-req -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 5 205 192.168.1.5
Sep 12 11:43:10 rad-reject <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5/Test-NPS 5 44
Sep 12 11:43:10 eap-failure <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 4 server rejected

I'm still trying to figure what the issue is.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 08, 2021 03:49 AM
From: Herman Robers
Subject: Radius Authentication terminating on Windows Server NPS

Where do you see "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."?

Do you see anything (further) in the Eventlog or NPS logs?

What is the authentication method you try to use? The screenshot is truncated at the PEAP inner methods and only lists MSCHAPv1 in the visible part.

Please note that PEAP-MSCHAPv2 is deprecated because of know weaknesses in the underlying MSCHAPv2 Better to use EAP-TLS.

Troubleshooting NPS can be a challenge, as the logging is not always as accessible and clear.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 07, 2021 10:54 AM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Anyone have any ideas?  I'm really stumped on this one.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 06:09 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm not sure I understand what you're saying, here.  Isn't that what 1.3.6.1.5.5.7.3.1 is?

ETA: I realize that I didn't show you the Enhanced Key Usage fields:



------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 05:58 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

You specifically need a server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 03, 2021 02:03 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

This is my Connection Request Policy:


This is my Network Policy:


This is the certificate for my NPS server:


It is correctly bound to the EAP policy.

802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

Any suggestions you could offer would be appreciated.

I have fixed the issue!  The problem was TLS Version.  By default, Windows Server 2008 and 2012 NPS server uses only TLS 1.0.  Even if one has enabled TLS 1.2 through an update and disabled TLS 1.0, NPS will continue blithely to attempt to use TLS 1.0 and it will fail to create a TLS tunnel.  Instead of giving you an error that explains what is happening, however, it will only give you the message "Negotiation failed. No EAP method" and the other message I posted above.

The solution is to edit the registry to use TLS 1.2 with NPS.  I followed instructions I found here:

https://www.dot11.guru/2020/07/27/enforcing-tls-1-2-for-microsoft-nps-server-2008-2012/

But I had to modify them slightly because they are for EAP-TLS and PEAP-TLS, whereas I am using PEAP-MSCHAPv2. In short:

Add a new DWORD key named TlsVersion with the value C00 to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\26.

If you wish to enable TLS 1.1 and 1.2, use F00; for TLS 1.0, 1.1 and 1.2, use FC0.

Everything is now working fine.  I'm going to go back and edit out some of the images I posted earlier because I didn't anonymize them.


Original Message:
Sent: Sep 13, 2021 04:50 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

Does GoDaddy have instructions on how to install a radius certificate they issue onto an NPS server?  Please check.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 13, 2021 04:42 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Sure, but most of the clients that need to be authenticated are not domain computers.  We don't manage student or faculty personal devices, only computers owned by the school.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 13, 2021 04:37 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

The root should be pushed to domain computers automatically via group policy if you have already setup an enterprise CA in your domain.  You can just do a GPUPDATE for any computers out of the update cycle.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 13, 2021 04:31 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I can certainly test it that way, but I do not have the ability to push an internal root certificate to all of the client devices, so using an internal CA is not a practical long-term solution...especially since the newest versions of Android and ChromeOS require validation of EAP server certificates.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 13, 2021 03:30 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

Is your installl for any domain computers?  If yes, you should have an internal CA and try generating the server certificate from there.  There is no specific advantage to having a public 802.1x server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 13, 2021 02:56 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I feel like it's got to be a certificate issue, but everything looks fine and I've even rekeyed the certificate without success.

This is the certificate that's set in the PEAP settings for the policy, too:

I'm at a loss.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 12, 2021 07:12 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

The controller is agnostic to the radius protocols in use.  The configuration needs to be correct on the radius server and the client, but the controller only tunnels the authentication.  Please look at this old document to check your work https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAssets/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

Also, use a mobile phone to test authentication, because it is much more forgiving than a Windows client.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 12, 2021 06:51 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Sorry for the delay responding; it's been crazy here.

The "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" error message is in Event Viewer for the NPS server. I don't see anything else there.

The auth-buff on the controller shows the following:

Sep 12 11:43:10 eap-id-req <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 5
Sep 12 11:43:10 eap-id-resp -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 12 tws-nps
Sep 12 11:43:10 rad-req -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 5 205 192.168.1.5
Sep 12 11:43:10 rad-reject <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5/Test-NPS 5 44
Sep 12 11:43:10 eap-failure <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 4 server rejected

I'm still trying to figure what the issue is.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 08, 2021 03:49 AM
From: Herman Robers
Subject: Radius Authentication terminating on Windows Server NPS

Where do you see "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."?

Do you see anything (further) in the Eventlog or NPS logs?

What is the authentication method you try to use? The screenshot is truncated at the PEAP inner methods and only lists MSCHAPv1 in the visible part.

Please note that PEAP-MSCHAPv2 is deprecated because of know weaknesses in the underlying MSCHAPv2 Better to use EAP-TLS.

Troubleshooting NPS can be a challenge, as the logging is not always as accessible and clear.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 07, 2021 10:54 AM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

Anyone have any ideas?  I'm really stumped on this one.

------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 06:09 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm not sure I understand what you're saying, here.  Isn't that what 1.3.6.1.5.5.7.3.1 is?

ETA: I realize that I didn't show you the Enhanced Key Usage fields:



------------------------------
Richard Spaulding

Original Message:
Sent: Sep 03, 2021 05:58 PM
From: Colin Joseph
Subject: Radius Authentication terminating on Windows Server NPS

You specifically need a server certificate.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 03, 2021 02:03 PM
From: Richard Spaulding
Subject: Radius Authentication terminating on Windows Server NPS

I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

This is my Connection Request Policy:


This is my Network Policy:


This is the certificate for my NPS server:


It is correctly bound to the EAP policy.

802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

Any suggestions you could offer would be appreciated.