
IAP external RADIUS (NPS) not responding

Hello All,

 

I'm trying to configure PEAP authentication on an AP-505 (Instant Mode with VC) using Microsoft NPS (Server 2016) as the RADIUS server. I am using WPA2-Enterprise. I've lost so many hours of my life trying to get it working!

 

I've tried connecting to the SSID from a few devices; I enter my username/password but am unable to join the network.

 

These are the events that always show up in the Aruba VC system log when I attempt to connect:

-------------------------

Feb 29 20:59:26  cli[4890]: <341004> <WARN> |AP b8:3a:5a:b2:84:11@10.1.1.50 cli|  AP 10.1.1.50: Client 74:42:8b:c9:31:44 authenticate fail because RADIUS server connection failure

 

Feb 29 21:03:18  syslog: <341004> <WARN> |AP b8:3a:5a:b2:84:11@10.1.1.50 cli|  is_factory_reset_on_running : Swarm quit factory default status by : ssid_config

--------------------------

10.1.1.50 is the Aruba access point

 

Virtual Controller IP is 10.1.1.51

 

In the Aruba System settings I have enabled Dynamic RADIUS Proxy. The ntp server is set to default. Time is accurate in the logs.

 

In the Aruba Security settings, I configured the Authentication Server using the IP address of my NPS server. I used "password" as the shared key for simplicity (checked it multiple times). The authorization and accounting ports are 1812 & 1813. I set NAS-IP-Address to the VC's IP (10.1.1.51). Under "Service-Type Framed-User" I selected 802.1X.

 

I created a firewall rule on the NPS server to allow UDP 1812,1813, and verified NPS is configured to listen on these ports.

 

On NPS, the RADIUS Client is configured with the VC IP address and the shared secret "password".

 

Connection Request Policy is set to authenticate "NAS Port Type - 802.11" requests on the local server.

 

Network Policies is also configured for "NAS Port Type - 802.11" requests with the addition of a Windows Security Group that's in Active Directory. I have enabled PEAP and ensured the server certificate is selected.

 

I created this certificate using the "RAS and IAS Server" template in AD CS. I set the Subject Name as CN "10.1.1.8", and alternative subject name as DNS "NPS-SERVER.mycompany.local". The client is configured to trust the CA.

 

 

The Windows Server Event Log doesn't have a single trace of my connection attempts. I installed Wireshark on the NPS and I can see "Access-Request" is coming through many times, but no response.

 

I'm usually good at solving these problems but at this point I'm going in circles. Any help would be beyond words! 

 

 

 

 


Accepted Solutions

Re: IAP external RADIUS (NPS) not responding

Look in the "system" event log on the NPS server, to see if there are any issues.  You should not need to allow things on the firewall on the NPS server, unless you already have the firewall configured.

Look at this guide here for ideas about NPS server configuration:  https://community.arubanetworks.com/aruba/attachments/aruba/115/6113/1/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

 

Use "aaa test-server" on the Instant AP to generate requests:  https://www.arubanetworks.com/techdocs/Instant_85_WebHelp/Content/instant-cli/sh-air-cppm-ent.htm?Highlight=blocked

 

 

 

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
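
The following is an added example, not part of any post in this thread: a Python check that takes the raw UDP payload of a captured Access-Request (such as the ones seen in Wireshark above) and reports its NAS-IP-Address and whether its Message-Authenticator validates against a candidate shared secret. RFC 3579 has the server silently discard an EAP Access-Request whose Message-Authenticator does not validate, so this isolates a secret mismatch from other causes. The function names and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

NAS_IP_ADDRESS = 4          # attribute type, RFC 2865
MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 3579


def parse_attributes(packet: bytes):
    """Yield (type, value_offset, value) for each attribute in a RADIUS packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    pos = 20  # 4-byte header + 16-byte authenticator
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        a_len = packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, packet[pos + 2:pos + a_len]
        pos += a_len


def check_access_request(packet: bytes, secret: bytes) -> dict:
    """Report NAS-IP-Address and whether Message-Authenticator matches `secret`."""
    result = {"nas_ip": None, "message_authenticator_ok": None}
    zeroed = bytearray(packet)
    received = None
    for a_type, offset, value in parse_attributes(packet):
        if a_type == NAS_IP_ADDRESS and len(value) == 4:
            result["nas_ip"] = ".".join(str(b) for b in value)
        elif a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            received = value
            zeroed[offset:offset + 16] = bytes(16)  # field is zero during the HMAC
    if received is not None:
        # HMAC-MD5 over the whole packet, keyed with the shared secret
        expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
        result["message_authenticator_ok"] = hmac.compare_digest(expected, received)
    return result


def build_sample_request(secret: bytes, nas_ip: bytes) -> bytes:
    """Constructed sample: a minimal Access-Request (code 1, identifier 7)."""
    attrs = bytes([NAS_IP_ADDRESS, 6]) + nas_ip
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    packet = bytearray(struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(range(16)) + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)
```

The NAS-IP-Address is only what the AP wrote into the packet; the source IP of the capture is a separate value to compare with the RADIUS client entry on the server.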


All Replies

Re: IAP external RADIUS (NPS) not responding

Hi Joshua,

As you mentioned, you couldn't find any event relevant to NPS.

First, add the AP IP as a RADIUS client.

Then update the status.

 

Dinusha Chandrasinghe
Network Engineer -Enterprise System Solution @PlexusGlobal
ACMP | ACSA | ACCA | MCSA

Re: IAP external RADIUS (NPS) not responding

Dear, 

 

Just tested it in my lab. The issue was the certificate. After getting 2 initial attempt errors in my log files, for some strange reason I wasn't getting any more errors for my failed attempts. Anyway, I generated the new certificate (see the snapshots) and selected the new one. Then I tried again, and it worked like a charm for me.

 

 




ACMP / ACSP / ACCP / ACEP / ACDX # 663
CCIE R/S - 37956