Our IAP-105 network had been working fine until recently, when our ELHS-SECURE SSID network stopped authenticating clients. Our Windows Server 2012 has RADIUS 802.1x set up, but for some reason all of a sudden our Aruba IAP-105 can no longer authenticate. I am looking for a path to find the cause of the issue. No changes to the server have occurred other than standard Windows updates.
I have looked at the Event Viewer and see the following message:
Event ID: 18 NPS Server Communication -
An Access-Request message was received from RADIUS client %1 with a message authenticator attribute that is not valid.
While I am researching the issue, I am not the person who originally set this configuration up, so any clues to issues to check are appreciated here in this forum.
Currently, when users try to connect to ELHS-SECURE which uses the 802.1x authentication, smartphones and MacBooks work fine. However, Windows 10 machines throw a fit.
Prior to this wireless connectivity snafu, wireless access has been pretty flawless.
Have you seen this? http://community.arubanetworks.com/t5/Security/2nd-NPS-server-gives-Message-Authenticator-attribute-not-valid/m-p/31610#M1396
I looked at that thread and it does not seem to apply to our situation.
Did you compare the keys? Was the server certificate changed recently? Mobile devices and Macs easily accept a new key; Windows does not. Either way we need to know what changed on the NPS server recently, otherwise we won't really get anywhere. If the IAP configuration was not changed, it is the NPS server we need to be looking at.
I agree that the issue is with the NPS server. The keys are good. The server certificate was not changed recently to my knowledge and does not expire until summer 2018. I do believe the IAP is all good as well. There is one other person involved in our Windows Server 2012 install who set up the server and has helped with issues. I will try to bring him into this discussion.
Please bear with my newbie status as I am the lead person at this small private school and trying my best to figure things out.
No problem. We just need to ask as many questions as possible to see how to fix this...
I am at the school now. I can confirm that smartphones (iOS and Android) connect fine. macOS devices connect fine. ChromeOS can connect as well. Windows 7 and Windows 10 devices do not connect.
So now we know the credentials between the IAP and the RADIUS server are working. Something in the policy settings or certificate on the Windows Server 2012 must have an issue.
What is the error message in the event viewer? When did this problem start happening? What CA issued the server certificate on the NPS server? Try unchecking "Validate Server Certificate" on the Windows 802.1x supplicant.
What is the error message in the event viewer?
Currently, there are no errors NPS is generating. We did have a Type 18 error which has been fixed. The keys are verified as matching in IAP and WS2012 NAP.
When did this problem start happening?
The problem became pronounced August 2-3 when a couple Windows 10 devices would not connect.
What CA issued the server certificate on the NPS server?
No external CA was used. The person set up an internally generated certificate.
Try unchecking "Validate Server Certificate" on the Windows 802.1x supplicant.
Not sure where to do this in NAP. I will be looking.
Seems like there are 2 wireless policies. Seems odd, but I did not set it up.
See screenshots attached of RADIUS configuration on WS2012.
Uncheck "Must contain the message authenticator attribute".
Unchecking the box for that option did not fix the issue. However, it is good to know that it should be unchecked. I have a photo of the certificates and found that the person who installed the certificate let the wireless certificate lapse on August 3rd.
We regenerated a 1-year personal certificate and attached it to the NAP policy, and Windows devices can log in.
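For reference on the Event ID 18 message quoted earlier in the thread: a RADIUS server logs that kind of error when the Message-Authenticator check from RFC 2869/RFC 3579 fails, which in practice usually means the shared secret differs between the access point and the server. The sketch below is an added example, not code from this thread, Aruba or Microsoft; the secret and attribute values are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 / RFC 3579)

def build_access_request(identifier, secret, attrs):
    """Build an Access-Request whose last attribute is a valid Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MSG_AUTH, 18) + bytes(16)  # zeroed placeholder
    header = struct.pack("!BBH", 1, identifier, 20 + len(body)) + os.urandom(16)
    packet = bytearray(header + body)
    # HMAC-MD5 over the whole packet, keyed with the shared secret
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_message_authenticator(packet, secret):
    """Return True if valid, False if invalid, None if the attribute is absent."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pkt = bytearray(packet[:length])
    pos = 20
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == MSG_AUTH:
            if alen != 18:
                return False
            received = bytes(pkt[pos + 2:pos + 18])
            pkt[pos + 2:pos + 18] = bytes(16)  # zero the field before hashing
            expected = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return None

if __name__ == "__main__":
    # Constructed sample: User-Name and NAS-IP-Address (192.0.2.10)
    req = build_access_request(7, b"constructed-secret",
                               [(1, b"alice"), (4, bytes([192, 0, 2, 10]))])
    print("matching secret:  ", verify_message_authenticator(req, b"constructed-secret"))
    print("mismatched secret:", verify_message_authenticator(req, b"other-secret"))
```

A mismatched secret and a packet altered in transit both produce the same failed check, so the server cannot tell them apart from this attribute alone.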