We have an Aruba 7030 controller running 22.214.171.124 and are attempting to do EAP-TLS authentication to a Windows NPS server. The NPS server has been configured with a connection profile and network policy.
On the Aruba controller we have WPA2/AES configured with an AAA profile that has a dot1x profile assigned. Termination is NOT enabled.
I ran some logging on the controller to watch the authentication and I see the requests and rejects coming back from NPS. The error we receive in NPS is "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server". We have an internal CA and the certificate is installed on the computer. We verified the Root CA is trusted.
Not sure where else to look now. Any ideas why this is coming through?
Yes, it is showing and the info in the request shows EAP but no EAP-Type and the error is "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
We configured the client device with WPA2/AES and security is Microsoft smart card or other certificate.
We added the server in "connect to these servers" and checked the certificate in the list.
Unchecking validate server certificate, the connection continued to spin and after a while it just failed.
We have opened a case with Aruba TAC and I will post changes that resolved the issue.
Is the clock on both client and server correct?
Clocks are the same, no deviation.
Did the CA issue the Radius Server Certificate and the Client Certificate?
If not, is the CA that issued the certificate listed as one of the trusted CAs on the NPS server?
Just a wild guess, but is this a new NPS server? Does it actually have the certificate to use for Radius? So not the CA, but the one you select in one of the NPS profile settings.
Customer was able to resolve this, here is what happened:
Customer was using the factory (default) computer certificate from Windows server, which must have been missing some information or was just not intended for use by machines. Customer created a new computer certificate, and pushed it out to the machines and authentication works successfully.
Just an FYI in case anybody runs into the same issue. I'm not super well versed in Windows Server Administration, so this will be something I keep in mind when doing more EAP-TLS deployments.
Thanks everyone for the help and input!
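
A check for the kind of failure described in the resolution above, as an added example that is not part of the original thread: it lists the computer certificates in the local machine store and flags any that fall short of Microsoft's documented EAP-TLS client certificate requirements (Client Authentication EKU, a DNS name in the SAN, a private key, a valid date range, a chain that builds). The function name `Test-EapTlsClientCert` is hypothetical, and the thread does not say which field the original certificate was missing.

```powershell
# Added example. Test-EapTlsClientCert is a hypothetical helper name.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication)

function Test-EapTlsClientCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $problems = @()
    $now = Get-Date

    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += 'outside validity period'
    }
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key on this machine'
    }

    # The EKU extension must list Client Authentication explicitly.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) {
        $problems += 'no EKU extension'
    } elseif (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains $ClientAuthOid) {
        $problems += 'EKU lacks Client Authentication'
    }

    # A computer certificate is expected to carry the machine's DNS name in the SAN.
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsFromAlternativeName
    if (-not $Cert.GetNameInfo($dnsType, $false)) {
        $problems += 'no DNS name in Subject Alternative Name'
    }

    # Chain is built against THIS machine's trust store; NPS must trust the same CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
    $problems
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $p = @(Test-EapTlsClientCert -Cert $_)
    [pscustomobject]@{
        Subject = $_.Subject; Issuer = $_.Issuer; Thumbprint = $_.Thumbprint
        Usable  = ($p.Count -eq 0); Problems = ($p -join '; ')
    }
} | Format-List
```

Run it in an elevated PowerShell session on the client so the private-key check reflects the machine store.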