Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authentication RADIUS with Certificate - Aruba AP-505

  • 1.  Authentication RADIUS with Certificate - Aruba AP-505

    Posted Jan 24, 2023 03:28 PM
    Hello to all,

    I open this discussion to ask you for help.
    Indeed, I am in charge of setting up a Wi-Fi network with a certificate-based RADIUS authentication to authenticate a specific group of computers.

    My infrastructure (this is a lab, my end client's infrastructure is more complex and better organized but I made it like this for convenience):
    - 1 Server AD,DNS,AC,NPS
    - 1 Client PC
    My client PC is joined to the domain, and my NPS server is properly integrated with Active Directory and is a member of the RAS and IAS Servers group.
    First I created a certificate template named RADIUS_Server_Client for my NPS server based on the IAS & RAS template.

    I then have my network policy which states that all wireless connections belonging to the Windows group "Radius-Posts" which contains my computers can connect to the WiFi network. My Client PC is obviously part of this group.


    I set up a GPO to first deploy my authority certificate and put it in the certificate store of my client PCs.

    I have also enabled automatic enrollment of client certificates so that they can (logically) authenticate to the Radius.

    With the following EAP properties :

    After a gpupdate, my wireless network created by GPO appears correctly. In theory I can connect to it: it shows me the fingerprint of the server certificate presented by my Aruba access point, but when I try to connect I end up with an EAP error 25 (report generated with the command "netsh wlan show wlanreport").


    I thought that the problem came from the certificates on my AP-505 Wi-Fi access point, so I imported my CA and NPS server certificates, previously exported in .pem format, but that does not help either: with this, the server's fingerprint is no longer shown, and the connection attempt loops and ends up displaying "Network not available".

    Notes :
    - My AP configuration (IP: 192.168.1.160)

    Wi-Fi configuration:

    - My AD DS / NPS server IP: 192.168.1.250, firewall disabled for testing.

    There are a lot of elements, but I hope I was accurate enough with the data I brought you. I don't know where my mistake is, I hope that one of you will be able to bring me a solution...

    Sincerely.


  • 2.  RE: Authentication RADIUS with Certificate - Aruba AP-505

    Posted Jan 24, 2023 04:22 PM
    Where is ClearPass in this flow?


  • 3.  RE: Authentication RADIUS with Certificate - Aruba AP-505

    Posted Jan 24, 2023 05:08 PM
    I don't have ClearPass installed, I didn't know it was necessary to have it and to tell the truth I don't really know how it works. On the other hand my lab is on VMWare Workstation so is there any way to install it on it? Would you have a reliable link? Thanks in advance.


  • 4.  RE: Authentication RADIUS with Certificate - Aruba AP-505

    EMPLOYEE
    Posted Jan 24, 2023 05:35 PM
    I would look in the event viewer of the NPS server to see if there is a clue. There is nothing to configure on the AP besides the RADIUS server IP address: all configuration happens on the client and the RADIUS server.

    Use the certificates snap-in (Start > Run > mmc, Add/Remove Snap-in, Certificates snap-in) on the client to make sure that the computer certificate shows up, as well as the CA that issued the server certificate. You can always run "gpupdate" on the client if it is taking a while to deliver the certificate. On the client, enable the Verify Certificate checkbox, but uncheck the "connect to servers" checkbox. We can always enable the "connect only to servers" checkbox later when things are working.

    Again, look in the event viewer on the NPS server to see if you have any clues about why things are failing.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------
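    The checks suggested above (computer certificate present, issuing CA trusted, NPS event log), as an added PowerShell diagnostic that is not from this thread or from HPE Aruba; it assumes the issuing CA is named trato-tlv-SRV-DC-CA (named later in the thread) and uses "NPS01" as a placeholder NPS hostname reachable over WinRM.

```powershell
# Added diagnostic example (not from the thread). Assumptions: the issuing CA is
# "trato-tlv-SRV-DC-CA" and the NPS server is reachable as "NPS01" (placeholder);
# adjust both to your environment.
$IssuingCA     = 'trato-tlv-SRV-DC-CA'
$NpsServer     = 'NPS01'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required for EAP-TLS

# 1. Machine certificate: must be in LocalMachine\My, issued by our CA, have a
#    private key, carry the Client Authentication EKU and still be valid.
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "*CN=$IssuingCA*" -and
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku)
}
if ($machineCerts) {
    $machineCerts | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
} else {
    Write-Warning "No usable machine certificate from $IssuingCA; run 'gpupdate /force' and retry."
}

# 2. Trust anchor: the CA that signed the NPS server certificate must be in the
#    Trusted Root store, or the client rejects the server during the TLS handshake.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$IssuingCA*" }
if (-not $root) { Write-Warning "CA '$IssuingCA' not found in LocalMachine\Root" }

# 3. NPS side: event 6272 = access granted, 6273 = access denied. The Reason Code
#    in the message says why EAP failed (certificate chain, policy mismatch, ...).
Get-WinEvent -ComputerName $NpsServer -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 6272, 6273
} -MaxEvents 10 | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Result = if ($_.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
        Detail = (($_.Message -split "`n") |
                  Where-Object { $_ -match 'Reason Code|Reason:|Authentication Type' }) -join ' | '
    }
} | Format-Table -AutoSize
```

If the Security log shows no 6272/6273 events at all, the request never reached NPS, which points at the AP or the EAP termination path rather than at the certificates.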



  • 5.  RE: Authentication RADIUS with Certificate - Aruba AP-505

    Posted Jan 24, 2023 08:35 PM
    Hi Ben, in the EAP properties you trust the CA trato-tlv-SRV-DC-CA, but your Wi-Fi client gets a certificate from securelogin.arubanetworks.com.




    This is a default certificate from the Aruba AP, and it is being used as the RADIUS server certificate.

    You have enabled EAP offload in the Wi-Fi security settings.


    That means that your Windows client does not set up the EAP tunnel with the NPS but with the AP.

    This explains the error message when connecting to Wi-Fi. Set EAP offload to off, then it will work.


    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: Authentication RADIUS with Certificate - Aruba AP-505

    Posted Jan 25, 2023 08:00 AM
    Hi,

    I would like to thank all of you; thanks to your precious advice I finally managed to make my certificate-based Wi-Fi connection work!

    When my connection was not working I had no logs, surely because it was starting the EAP tunnel with the AP and not the NPS; this is becoming clearer in my mind. Now it works perfectly, and I was not so far from the truth when I went back over it. :)

    Your two pieces of advice helped me a lot, thank you.

    Have a nice day.

    Best regards.