Wireless Access

 View Only
Expand all | Collapse all

Radius Authentication terminating on Windows Server NPS

This thread has been viewed 123 times
  • 1.  Radius Authentication terminating on Windows Server NPS

    Posted Sep 03, 2021 02:04 PM
    Edited by thelatinist Sep 13, 2021 08:33 PM
    Note: Please see below for the solution to the problem, which was caused by an issue with the TLS version the NPS server was trying to use.

    I'm trying to get radius authentication working on a Windows NPS with termination on the server, but I'm have the following error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

    This is my Connection Request Policy:


    This is my Network Policy:


    This is the certificate for my NPS server:


    It is correctly bound to the EAP policy.

    802.1x Authentication is set up on the controller and works fine when terminated on the controller. My NPS rules work fine.  The only issue is that if I turn off termination on the controller I get the error above.

    Any suggestions you could offer would be appreciated.


  • 2.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 03, 2021 05:58 PM
    You specifically need a server certificate.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 03, 2021 06:10 PM
    Edited by thelatinist Sep 03, 2021 06:14 PM
    I'm not sure I understand what you're saying, here.  Isn't that what 1.3.6.1.5.5.7.3.1 is?

    ETA: I realize that I didn't show you the Enhanced Key Usage fields:



    ------------------------------
    Richard Spaulding
    ------------------------------



  • 4.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 07, 2021 10:55 AM
    Anyone have any ideas?  I'm really stumped on this one.

    ------------------------------
    Richard Spaulding
    ------------------------------



  • 5.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 08, 2021 03:50 AM
    Where do you see "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."?

    Do you see anything (further) in the Eventlog or NPS logs?

    What is the authentication method you try to use? The screenshot is truncated at the PEAP inner methods and only lists MSCHAPv1 in the visible part.

    Please note that PEAP-MSCHAPv2 is deprecated because of know weaknesses in the underlying MSCHAPv2 Better to use EAP-TLS.

    Troubleshooting NPS can be a challenge, as the logging is not always as accessible and clear.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 12, 2021 06:51 PM
    Edited by thelatinist Sep 13, 2021 08:29 PM
    Sorry for the delay responding; it's been crazy here.

    The "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" error message is in Event Viewer for the NPS server. I don't see anything else there.

    The auth-buff on the controller shows the following:

    Sep 12 11:43:10 eap-id-req <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 5
    Sep 12 11:43:10 eap-id-resp -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 12 [Redacted]
    Sep 12 11:43:10 rad-req -> 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 5 205 192.168.1.5
    Sep 12 11:43:10 rad-reject <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5/[Redacted] 5 44
    Sep 12 11:43:10 eap-failure <- 7a:81:2c:57:2e:da 04:bd:88:98:2b:f5 1 4 server rejected

    I'm still trying to figure what the issue is.




  • 7.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 12, 2021 07:13 PM
    The controller is agnostic to the radius protocols in use.  The configuration needs to be correct on the radius server and the client, but the controller only tunnels the authentication.  Please look at this old document to check your work https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAssets/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

    Also, use a mobile phone to test authentication, because it is much more forgiving than a Windows client.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 8.  RE: Radius Authentication terminating on Windows Server NPS

    Posted Sep 13, 2021 02:57 PM
    Edited by thelatinist Sep 13, 2021 08:28 PM