Controllerless Networks

last person joined: an hour ago 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

Radius Server Authentication Failure

Jump to Best Answer
  • 1.  Radius Server Authentication Failure

    Posted Aug 06, 2017 02:08 PM

    Our IAP-105 network has been working fine until recently when our ELHS-SECURE SSID network has not authenticated clients. Our Windows Server 2012 has RADIUS 802.1x setup, but for some reason all the sudden our Aruba IAP-105 can no longer authenticate. I am looking for a path to find the cause of the issue. No changes to the server have occurred other than standard Windows updates.

     



  • 2.  RE: Radius Server Authentication Failure

    Posted Aug 06, 2017 02:35 PM
    You should look at the event viewer of the radius server to get a clue.


  • 3.  RE: Radius Server Authentication Failure

    Posted Aug 06, 2017 03:19 PM

    I have looked at the Event Viewer and see the following message:

     

    Event ID: 18 NPS Server Communication -

    An Access-Request message was received from RADIUS client %1 with a message authenticator attribute that is not valid.

     

    While I am researching the issue, I am not the person who originally set this configuration up, so any clues to issues to check are appreciated here in this forum.



  • 4.  RE: Radius Server Authentication Failure

    Posted Aug 06, 2017 03:38 PM

    Currently, when users try to connect to ELHS-SECURE which uses the 802.1x authentication, smartphones and MacBooks work fine. However, Windows 10 machines throw a fit.

     

    Prior to this wireless connectivity snafu, wireless access has been pretty flawless.



  • 5.  RE: Radius Server Authentication Failure

    Posted Aug 06, 2017 04:13 PM


  • 6.  RE: Radius Server Authentication Failure

    Posted Aug 06, 2017 06:46 PM

    Colin,

     

    I looked at that thread and it does not seem to apply to our situation.

     



  • 7.  RE: Radius Server Authentication Failure

    Posted Aug 06, 2017 07:17 PM

    Did you compare the keys?  Was the Server Certificate Changed recently?  Mobile devices and macs easily accept a new key; windows does not.  Either way we need to know what changed on the NPS server recently, otherwise we won't really get anywhere.  If the IAP configuration was not changed, it is the NPS server we need to be looking at.. 



  • 8.  RE: Radius Server Authentication Failure

    Posted Aug 06, 2017 08:55 PM

    I agree that the issue is with the NPS server. The keys are good. The server certificate was not changed to my knowledge recently and does not expire until summer 2018. I do believe the IAP is all good as well. There is one other person involved in our Windows Server 2012 install who setup the server and has helped with issues. I will try to bring him into this discussion.

     

    Please bear with my newbie status as I am the lead person at this small private school and trying my best to figure things out.



  • 9.  RE: Radius Server Authentication Failure

    Posted Aug 06, 2017 09:59 PM

    No problem.  We just need to ask as many questions as possible to see how to fix this...



  • 10.  RE: Radius Server Authentication Failure

    Posted Aug 07, 2017 11:36 AM

    Colin -

     

    I am at the school now. I can confirm that SmartPhones (iOS and Android) connect fine. MacOS devices connect fine. ChromeOS can connect as well. Windows 7 and Windows 10 devices do not connect. 

     

    So now we know the credentials between IAP and the RADIUS server are working. Just something in the policy settings or certificate on the Windows Server 2012 must have issue.



  • 11.  RE: Radius Server Authentication Failure

    Posted Aug 07, 2017 11:39 AM

    What is the error message in the event viewer?  When did this problem start happening?  What CA issued the server certificate on the NPS server?  Try unchecking "Validate Server Certificate" on the Windows 802.1x supplicant.



  • 12.  RE: Radius Server Authentication Failure

    Posted Aug 07, 2017 11:59 AM

    What is the error message in the event viewer?  

    Currently, there are no errors NPS is generating. We did have a Type 18 error which has been fixed. The keys are verified as matching in IAP and WS2012 NAP.

     

    When did this problem start happening?

    The problem became pronounced August 2-3 when a couple Windows 10 devices would not connect.

     

    What CA issued the server certificate on the NPS server?  

    No external CA was used. The person setup an internally generated certificate.

     

    Try unchecking "Validate Server Certificate" on the Windows 802.1x supplicant.

    Not sure where to do this at in NAP. I will be looking.

     

    Seems like there are 2 wireless policies. Seems odd, but I did not set it up.

     

    See screenshots attached of RADIUS configuration on WS2012.



  • 13.  RE: Radius Server Authentication Failure
    Best Answer

    Posted Aug 07, 2017 12:25 PM

    Uncheck "Must contain the message authenticator attribute".

     

     



  • 14.  RE: Radius Server Authentication Failure

    Posted Aug 07, 2017 01:21 PM

    Unchecking the box for that option did not fix the issue. However, it is good to know that it should be unchecked. I have a photo of the certificates and found that the person who installed the certificate let the wireless certificate lapse on August 3rd.

     

    We regenerated a 1 year personal certificate and attached it to the NAP policy and Windows device can login.