Hello All,
I'm trying to configure PEAP authentication on an AP-505 (Instant Mode with VC) using Microsoft NPS (Server 2016) as the RADIUS server. I am using WPA2-Enterprise. I've lost so many hours of my life trying to get it working!
I've tried connecting to the SSID from a few devices; I enter my username/password but am unable to join the network.
These are the events that always show up in the Aruba VC system log when I attempt to connect:
-------------------------
Feb 29 20:59:26 cli[4890]: <341004> <WARN> |AP b8:3a:5a:b2:84:11@10.1.1.50 cli| AP 10.1.1.50: Client 74:42:8b:c9:31:44 authenticate fail because RADIUS server connection failure
Feb 29 21:03:18 syslog: <341004> <WARN> |AP b8:3a:5a:b2:84:11@10.1.1.50 cli| is_factory_reset_on_running : Swarm quit factory default status by : ssid_config
--------------------------
10.1.1.50 is the Aruba access point
Virtual Controller IP is 10.1.1.51
In the Aruba System settings I have enabled Dynamic RADIUS Proxy. The ntp server is set to default. Time is accurate in the logs.
In the Aruba Security settings, I configured the Authentication Server using the IP address of my NPS server. I used "password" as the shared key for simplicity (checked it multiple times). The authorization and accounting ports are 1812 & 1813. I set NAS-IP-Address to the VC's IP (10.1.1.51). Under "Service-Type Framed-User" I selected 802.1X.
I created a firewall rule on the NPS server to allow UDP 1812,1813, and verified NPS is configured to listen on these ports.
On NPS, the RADIUS Client is configured with the VC IP address and the shared secret "password".
Connection Request Policy is set to authenticate "NAS Port Type - 802.11" requests on the local server.
The Network Policy is also configured for "NAS Port Type - 802.11" requests, with the addition of a Windows Security Group that's in Active Directory. I have enabled PEAP and ensured the server certificate is selected.
I created this certificate using the "RAS and IAS Server" template in AD CS. I set the Subject Name as CN "10.1.1.8", and the Subject Alternative Name as DNS "NPS-SERVER.mycompany.local". The client is configured to trust the CA.
The Windows Server Event Log doesn't have a single trace of my connection attempts. I installed Wireshark on the NPS server and can see "Access-Request" packets coming through many times, but no response.
I'm usually good at solving these problems but at this point I'm going in circles. Any help would be beyond words!
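Added example, not code from the original post: a small stdlib-only decoder for the Access-Request bytes seen in the Wireshark capture (export a packet's RADIUS payload as raw hex and feed it in). It pulls out the fields NPS matches against its RADIUS-client entry and policy conditions (NAS-IP-Address, NAS-Port-Type) and recomputes the Message-Authenticator under the configured shared secret, so a secret mismatch on an EAP request can be confirmed from the capture alone. The sample packet, user name and identifier are constructed for the demo; the secret "password" and NAS IP 10.1.1.51 are the values from the post.

```python
import hmac, hashlib, struct, socket

SHARED_SECRET = b"password"          # shared secret from the post
PORT_TYPE = {19: "Wireless-802.11"}  # NAS-Port-Type value the NPS policy condition expects

def parse_attrs(pkt):
    """Walk the TLV attribute list that follows the 20-byte RADIUS header."""
    attrs, i = [], 20
    while i < len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return attrs

def check_message_authenticator(pkt, secret):
    """RFC 3579: HMAC-MD5 keyed with the shared secret over the whole packet, with the
    Message-Authenticator (type 80) value zeroed. A server that cannot verify it discards
    the request instead of answering, which is one way to get 'requests but no response'.
    Returns True/False, or None when the attribute is absent."""
    i = 20
    while i < len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if t == 80:
            zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + l:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + l])
        i += l
    return None

def summarize(pkt, secret):
    """Fields to compare against the NPS RADIUS-client address and the 802.11 policy condition."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    out = {"code": code, "id": ident, "length": length}
    for t, v in parse_attrs(pkt):
        if t == 4:
            out["NAS-IP-Address"] = socket.inet_ntoa(v)
        elif t == 61:
            n = struct.unpack("!I", v)[0]
            out["NAS-Port-Type"] = PORT_TYPE.get(n, n)
        elif t == 1:
            out["User-Name"] = v.decode()
    out["Message-Authenticator-ok"] = check_message_authenticator(pkt, secret)
    return out

def build_access_request(secret, ident, authenticator, attrs):
    """Constructed Access-Request (code 1) with a correct Message-Authenticator; sample input only."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 1, ident, 20 + len(body) + 18) + authenticator
    mac = hmac.new(secret, header + body + bytes([80, 18]) + b"\x00" * 16, hashlib.md5).digest()
    return header + body + bytes([80, 18]) + mac

# Constructed sample: EAP-Response/Identity "jdoe" from NAS 10.1.1.51, port type Wireless-802.11
SAMPLE = build_access_request(SHARED_SECRET, 7, bytes(range(16)), [
    (1, b"jdoe"), (4, socket.inet_aton("10.1.1.51")),
    (61, struct.pack("!I", 19)), (79, b"\x02\x01\x00\x09\x01jdoe")])
```

Run summarize() on a real captured packet with the secret configured on NPS: a NAS-IP-Address that does not match the RADIUS-client entry, a non-802.11 port type, or a failing Message-Authenticator each points at a different setting to fix.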