Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Radius failing on Windows 7, but not 10.

  • 1.  Radius failing on Windows 7, but not 10.

    Posted Jun 12, 2019 01:13 PM

    Hey guys, I've been working on this problem for a couple of days now without much movement.

     

    I am running Aruba 105's in our office. They connect to our DC which is running our NPS. I had 0 issues until we recently did some patching. Now Windows 7 machines CANNOT authenticate. I get EAP errors and rejections. Windows 10 have no problems. I have looked at certs and uninstalled patches on the DC to no avail.

     

    What I have done now is set up a brand new DC without patching on it as a test machine and have joined it to the domain. I am getting these errors now along with Error code reason 7 when I try to do an AAA auth.

     

    Jun 12 11:47:50  eap-failure           <-  64:80:99:a2:2a:24  d8:c7:c8:66:cf:9b        7    4     server rejected
    Jun 12 11:48:07  server out-of-service  *  64:80:99:a2:2a:24  d8:c7:c8:66:cf:9b/Test   -    -     server timeout
    Jun 12 11:52:06  station-up             *  00:24:d7:ac:31:44  d8:c7:c8:66:cf:9b        -    -     wpa2 aes
    Jun 12 11:52:06  eap-id-req            <-  00:24:d7:ac:31:44  d8:c7:c8:66:cf:9b        1    5     
    Jun 12 11:53:04  station-up             *  70:f0:87:d0:d4:7b  d8:c7:c8:66:cf:9a        -    -     open system

    Any suggestions on why this is failing to connect to the AP or even better, why Windows 7 might be failing from the original DC?

     

    Thanks!
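
The trace in the post above mixes two different outcomes: "server rejected" and "server timeout". The following is an added example, not part of the original post, that parses those lines and reports which outcome each station hit. The column names and the reading that "rejected" means the RADIUS server answered and refused while "timeout" means the AP got no answer are assumptions.

```python
import re

# Trace lines copied from the post above.
SAMPLE = """\
Jun 12 11:47:50  eap-failure           <-  64:80:99:a2:2a:24  d8:c7:c8:66:cf:9b        7    4     server rejected
Jun 12 11:48:07  server out-of-service  *  64:80:99:a2:2a:24  d8:c7:c8:66:cf:9b/Test   -    -     server timeout
Jun 12 11:52:06  station-up             *  00:24:d7:ac:31:44  d8:c7:c8:66:cf:9b        -    -     wpa2 aes
Jun 12 11:52:06  eap-id-req            <-  00:24:d7:ac:31:44  d8:c7:c8:66:cf:9b        1    5
Jun 12 11:53:04  station-up             *  70:f0:87:d0:d4:7b  d8:c7:c8:66:cf:9a        -    -     open system
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Assumed columns: time, event, direction, station MAC, BSSID[/profile], id, len, info.
LINE = re.compile(
    rf"^(?P<time>\w{{3}}\s+\d+\s+[\d:]{{8}})\s+(?P<event>.+?)\s+(?P<dir>\*|<-|->)\s+"
    rf"(?P<sta>{MAC})\s+(?P<bssid>{MAC})(?:/(?P<profile>\S+))?\s+"
    rf"(?P<id>\S+)\s+(?P<len>\S+)\s*(?P<info>.*)$"
)

def parse(text):
    """Return one dict per trace line that matches the assumed layout."""
    rows = (LINE.match(raw.strip()) for raw in text.splitlines())
    return [m.groupdict() for m in rows if m]

def classify(events):
    """Map each station MAC to the RADIUS failure kinds seen for it."""
    seen = {}
    for e in events:
        kinds = seen.setdefault(e["sta"], set())
        if e["event"] == "eap-failure" and e["info"] == "server rejected":
            kinds.add("rejected")   # the server answered and refused the client
        elif e["info"] == "server timeout":
            kinds.add("timeout")    # the AP got no answer and marked the server down
    return {sta: sorted(k) for sta, k in seen.items()}

if __name__ == "__main__":
    for sta, kinds in classify(parse(SAMPLE)).items():
        print(sta, ", ".join(kinds) or "no RADIUS failure logged")
```
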



  • 2.  RE: Radius failing on Windows 7, but not 10.

    Posted Jun 12, 2019 01:47 PM

    See what the radius logs say. 



  • 3.  RE: Radius failing on Windows 7, but not 10.

    Posted Jun 12, 2019 02:00 PM

    I've checked the radius logs. The only error I get is "There is no domain controller available for domain XYZ" NPS Event 4402. I'm assuming that's because someone is trying to login and it's hitting the new Radius/DC before the old one currently on the correct domain.



  • 4.  RE: Radius failing on Windows 7, but not 10.

    Posted Jun 12, 2019 03:34 PM

    I would try to add a Windows 7 computer without the wireless GPO and configure it manually. If you have no problems, the problem is the GPO.



  • 5.  RE: Radius failing on Windows 7, but not 10.

    Posted Jun 12, 2019 03:46 PM

    @cjoseph wrote:

    I would try to add a Windows 7 computer without the wireless GPO and configure it manually. If you have no problems, the problem is the GPO.


    I don't think I understand what you're saying. The only policy on the test DC is that which allows windows groups (which the account is in) to connect to the wireless network. The old radius server doesn't have a problem connecting, but keeps failing windows 7 machines only.



  • 6.  RE: Radius failing on Windows 7, but not 10.

    Posted Jun 12, 2019 04:01 PM

    Is the wireless configuration on laptops done via group policy?



  • 7.  RE: Radius failing on Windows 7, but not 10.

    Posted Jun 13, 2019 09:55 AM

    @cjoseph wrote:

    Is the wireless configuration on laptops done via group policy?


    No. The only thing we are doing via the new DC is the NPS. I can share what that looks like if needed, but it's very basic. I wanted to eliminate the updates being a problem on the old DC.



  • 8.  RE: Radius failing on Windows 7, but not 10.

    Posted Jun 13, 2019 10:15 AM

    Maybe someone can chime in about if they experienced this before.



  • 9.  RE: Radius failing on Windows 7, but not 10.

    Posted Jun 13, 2019 10:34 AM

    @cjoseph wrote:

    Maybe someone can chime in about if they experienced this before.


    I hope so. I appreciate the assistance thus far.



  • 10.  RE: Radius failing on Windows 7, but not 10.

    Posted Jun 13, 2019 12:11 PM

    Try to delete the Windows 7 wireless profile in "Control Panel - Network and Internet - Manage Wireless Networks" and rebuild a new profile manually. Pay attention to "authentication method" and probably uncheck "Validate server certificate".



  • 11.  RE: Radius failing on Windows 7, but not 10.

    Posted Jun 13, 2019 12:37 PM

    @ngutri wrote:

    Try to delete the Windows 7 wireless profile in "Control Panel - Network and Internet - Manage Wireless Networks" and rebuild a new profile manually. Pay attention to "authentication method" and probably uncheck "Validate server certificate".


    I did that and it didn't work out. I even attempted to type in the domain and password as well instead of using windows credentials.



  • 12.  RE: Radius failing on Windows 7, but not 10.

    Posted Jun 13, 2019 04:04 PM

    Try this in the profile:

    1. In Advanced settings, force it to use user authentication

    2. Make sure to uncheck valid server cert and Automatic use windows logon

    Also check and update wireless network driver  



  • 13.  RE: Radius failing on Windows 7, but not 10.

    Posted Jun 13, 2019 04:33 PM

    @ngutri wrote:

    Try this in the profile:

    1. In Advanced settings, force it to use user authentication

    2. Make sure to uncheck valid server cert and Automatic use windows logon

    Also check and update wireless network driver  


    I've done right about every configuration change I could think of in that, along with the one that you've shown. I read a lot online and it was one of the suggestions. Sadly, it didn't seem to work in my case. I've also completely reformatted the test machine just so it didn't have all the patches and still I have no luck with it. I've checked the computer cert and it's still valid as well.



  • 14.  RE: Radius failing on Windows 7, but not 10.

    Posted Jun 17, 2019 12:04 PM

    Do you know what you patched? Was it cables? Switches? Access Points? The client? Win 7, Win 10, both? Was it the NPS server? Certificates? What version is the Windows server that NPS runs on?

     

    Is it just on Wireless, or also on Wired (if deployed wired 802.1X)?

    Have you tried to run a packet capture on the client and NPS server already to see if there is an indication in there?