Controllerless Networks


IAP-205, Windows 7, NPS and EAP.

  • 1.  IAP-205, Windows 7, NPS and EAP.

    Posted Aug 11, 2015 01:37 PM

    All,

     

    We're trying to set up several IAP-205s to work with an NPS server to automatically authenticate Active Directory users. We've set everything up according to some articles that we found linked from here and everything is working fine on Windows 8 systems, but on our Windows 7 systems we can't get them to connect. We are prompted for credentials on these machines, but it doesn't accept them and eventually times out. We've tried this on a range of Windows 7 laptops and we get the same results, but again, on Windows 8 systems it works fine. Has anyone had any issues like this and if so, any solutions?



  • 2.  RE: IAP-205, Windows 7, NPS and EAP.

    EMPLOYEE
    Posted Aug 11, 2015 01:40 PM
    Are you using a publicly or privately signed RADIUS server certificate?



    If private, is the root CA or self-signed certificate installed on each
    client?



    Are you using Group Policy to configure the clients?


  • 3.  RE: IAP-205, Windows 7, NPS and EAP.

    Posted Aug 11, 2015 01:44 PM

    Thanks for the reply,

     

    We're using a self-signed cert.

     

    The root/cert is distributed to all the clients via CMS; we've confirmed via certs snap-in.


    We are not currently pushing authentication through group policy as we wanted to test/tinker before pushing the policy out.



  • 4.  RE: IAP-205, Windows 7, NPS and EAP.

    EMPLOYEE
    Posted Aug 11, 2015 01:55 PM
    Please enable user-debug for one of the problem clients, attempt an
    authentication and then post the output of "show auth-tracebuf mac
    macaddress".


  • 5.  RE: IAP-205, Windows 7, NPS and EAP.

    Posted Aug 11, 2015 02:22 PM

    When I try to enable user-debug logging with "config t logging level debugging user", I get a failure on the logging command.

     

    ac:a3:1e:c5:a0:86# config t logging level debugging user
                                                 ^

     

    Any suggestions?



  • 6.  RE: IAP-205, Windows 7, NPS and EAP.

    Posted Aug 12, 2015 03:15 AM

    Have you separated the "conf t" and "logging level debugging user" into two separate commands - it looks like you are entering them on the same line.



  • 7.  RE: IAP-205, Windows 7, NPS and EAP.

    Posted Aug 12, 2015 11:16 AM

    Have tried separating the commands and running them on the same line, same result.



  • 8.  RE: IAP-205, Windows 7, NPS and EAP.

    Posted Aug 14, 2015 08:39 AM

    Any other suggestions?



  • 9.  RE: IAP-205, Windows 7, NPS and EAP.

    EMPLOYEE
    Posted Aug 14, 2015 08:40 AM


  • 10.  RE: IAP-205, Windows 7, NPS and EAP.

    Posted Aug 14, 2015 10:44 AM

    I pasted the results of the command in the link in the follow-up post. Thanks!



  • 11.  RE: IAP-205, Windows 7, NPS and EAP.

    EMPLOYEE
    Posted Aug 14, 2015 08:41 AM

    What do the logs on the NPS side say?

     



  • 12.  RE: IAP-205, Windows 7, NPS and EAP.

    Posted Aug 14, 2015 10:39 AM

    Authentication attempts seem to be reaching it and I believe authentication is successful?

     

    "DC1","IAS",08/14/2015,10:29:27,1,"DOMAIN\testaccount","DOMAIN\testaccount","aca31ec5a10e","70188b08204b",,,"192.168.253.242","192.168.253.249",0,0,"192.168.253.1","Kraft WLAN Auth",,,19,,,1,5,"Secure Wireless Connections",0,"311 1 192.168.254.209 08/05/2015 11:00:29 158",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
    "DC1","IAS",08/14/2015,10:29:27,3,,"DOMAIN\testaccount",,,,,,,,0,"192.168.253.1","Kraft WLAN Auth",,,,,,,5,"Secure Wireless Connections",22,"311 1 192.168.254.209 08/05/2015 11:00:29 158",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

     

    The account referenced can auth from Windows 8 systems, so we know it's good there.

     

    For reference:

    192.168.253.242 = IAP

    192.168.254.209 = DC/NPS

    192.168.253.1 = gateway

     

    The below is the result of the Show AP Debug Auth-Trace-Buf command that matches up with what I pasted above:

     

    Aug 14 10:29:20  station-up             *  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      -   -     wpa2 aes
    Aug 14 10:29:20  eap-id-req            <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      1   5
    Aug 14 10:29:21  station-up             *  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      -   -     wpa2 aes
    Aug 14 10:29:21  eap-id-req            <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      1   5
    Aug 14 10:29:26  eap-start             ->  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      -   -
    Aug 14 10:29:26  eap-id-req            <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      1   5
    Aug 14 10:29:26  eap-id-resp           ->  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      1   33    domain\testaccount
    Aug 14 10:29:26  rad-req               ->  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      85  230
    Aug 14 10:29:26  rad-resp              <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1/DC1  85  90
    Aug 14 10:29:26  eap-req               <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      2   6
    Aug 14 10:29:26  eap-nak               ->  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      2   6
    Aug 14 10:29:26  rad-req               ->  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1/DC1  86  241
    Aug 14 10:29:26  rad-reject            <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1/DC1  86  44
    Aug 14 10:29:26  eap-failure           <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      2   4     server rejected
    Aug 14 10:29:27  station-up             *  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      -   -     wpa2 aes
    Aug 14 10:29:27  eap-id-req            <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      1   5
    Aug 14 10:29:27  eap-start             ->  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      -   -
    Aug 14 10:29:27  eap-id-req            <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      1   5
    Aug 14 10:29:27  station-up             *  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      -   -     wpa2 aes
    Aug 14 10:29:27  eap-id-req            <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      1   5
    Aug 14 10:29:28  station-up             *  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      -   -     wpa2 aes
    Aug 14 10:29:28  eap-id-req            <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      1   5
    Aug 14 10:29:59  eap-id-req            <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      1   5
    Aug 14 10:29:59  eap-id-resp           ->  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      1   5     70188B08204B
    Aug 14 10:29:59  rad-req               ->  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      87  186
    Aug 14 10:29:59  rad-reject            <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1/DC1  87  44
    Aug 14 10:29:59  eap-failure           <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      1   4     server rejected
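
An added example, not part of the original post: a small parser that decodes the Packet-Type and Reason-Code columns of the two NPS log records quoted above, so the server's verdict can be read directly from the log. The field positions and the code-to-name tables are assumptions based on Microsoft's documented fixed field order for the NPS database-compatible (ODBC) text log; only the codes that occur in these records are named.

```python
import csv
import io

# Zero-based field positions in the NPS database-compatible text log
# (assumed from Microsoft's documented fixed field order).
FIELDS = {"computer": 0, "date": 2, "time": 3, "packet_type": 4,
          "user": 6, "client_name": 16, "auth_type": 23,
          "policy": 24, "reason_code": 25}

PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

# Only the reason codes seen in this thread; others are reported numerically.
REASONS = {0: "success",
           22: "EAP type cannot be processed by the server"}

# The two records from the post above, trailing empty fields trimmed.
SAMPLE = r'''"DC1","IAS",08/14/2015,10:29:27,1,"DOMAIN\testaccount","DOMAIN\testaccount","aca31ec5a10e","70188b08204b",,,"192.168.253.242","192.168.253.249",0,0,"192.168.253.1","Kraft WLAN Auth",,,19,,,1,5,"Secure Wireless Connections",0,"311 1 192.168.254.209 08/05/2015 11:00:29 158"
"DC1","IAS",08/14/2015,10:29:27,3,,"DOMAIN\testaccount",,,,,,,,0,"192.168.253.1","Kraft WLAN Auth",,,,,,,5,"Secure Wireless Connections",22,"311 1 192.168.254.209 08/05/2015 11:00:29 158"
'''

def parse_nps_log(text):
    """Return one dict per record with packet type and reason code decoded."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) <= FIELDS["reason_code"]:
            continue  # blank or truncated line
        rec = {name: row[idx] for name, idx in FIELDS.items()}
        ptype = int(rec["packet_type"])
        code = int(rec["reason_code"] or 0)
        rec["packet_type"] = PACKET_TYPES.get(ptype, f"type {ptype}")
        rec["reason_code"] = code
        rec["reason"] = REASONS.get(code, f"reason code {code}")
        records.append(rec)
    return records

def rejects(records):
    """Access-Reject records: the lines that say why NPS refused the client."""
    return [r for r in records if r["packet_type"] == "Access-Reject"]

if __name__ == "__main__":
    for r in rejects(parse_nps_log(SAMPLE)):
        print(r["date"], r["time"], r["user"], r["policy"],
              r["reason_code"], r["reason"])
```

The first record is the incoming Access-Request; the second is the Access-Reject for the same user, and its reason code lines up with the eap-nak followed by rad-reject in the auth trace.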



  • 13.  RE: IAP-205, Windows 7, NPS and EAP.

    Posted Aug 14, 2015 10:46 AM

    Oops, dupe post, sorry.



  • 14.  RE: IAP-205, Windows 7, NPS and EAP.
    Best Answer

    EMPLOYEE
    Posted Aug 14, 2015 10:50 AM

    You should double-check the trust settings (serial numbers on your CA certs) on your Windows 8 devices:

     

    Aug 14 10:29:59  rad-reject            <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1/DC1  87  44
    Aug 14 10:29:59  eap-failure           <-  70:18:8b:08:20:4b  ac:a3:1e:da:10:e1      1   4     server rejected

     

    What method do you use to push the trusted certs to the Windows 8 machine?