Controllerless Networks

IAP external RADIUS (NPS) not responding

  • 1.  IAP external RADIUS (NPS) not responding

    Posted Mar 01, 2020 02:02 AM

    Hello All,

    I'm trying to configure PEAP authentication on an AP-505 (Instant Mode with VC) using Microsoft NPS (Server 2016) as the RADIUS server. I am using WPA2-Enterprise. I've lost so many hours of my life trying to get it working!

    I've tried connecting to the SSID from a few devices; I enter my username/password but am unable to join the network.

    These are the events that always show up in the Aruba VC system log when I attempt to connect:

    -------------------------

    Feb 29 20:59:26  cli[4890]: <341004> <WARN> |AP b8:3a:5a:b2:84:11@10.1.1.50 cli|  AP 10.1.1.50: Client 74:42:8b:c9:31:44 authenticate fail because RADIUS server connection failure

    Feb 29 21:03:18  syslog: <341004> <WARN> |AP b8:3a:5a:b2:84:11@10.1.1.50 cli|  is_factory_reset_on_running : Swarm quit factory default status by : ssid_config

    --------------------------

    10.1.1.50 is the Aruba access point.

    Virtual Controller IP is 10.1.1.51.

    In the Aruba System settings I have enabled Dynamic RADIUS Proxy. The NTP server is set to default. Time is accurate in the logs.

    In the Aruba Security settings, I configured the Authentication Server using the IP address of my NPS server. I used "password" as the shared key for simplicity (checked it multiple times). The authorization and accounting ports are 1812 & 1813. I set NAS-IP-Address to the VC's IP (10.1.1.51). Under "Service-Type Framed-User" I selected 802.1X.

    I created a firewall rule on the NPS server to allow UDP 1812,1813, and verified NPS is configured to listen on these ports.

    On NPS, the RADIUS Client is configured with the VC IP address and the shared secret "password".

    Connection Request Policy is set to authenticate "NAS Port Type - 802.11" requests on the local server.

    Network Policies is also configured for "NAS Port Type - 802.11" requests with the addition of a Windows Security Group that's in Active Directory. I have enabled PEAP and ensured the server certificate is selected.

    I created this certificate using the "RAS and IAS Server" template in AD CS. I set the Subject Name as CN "10.1.1.8", and alternative subject name as DNS "NPS-SERVER.mycompany.local". The client is configured to trust the CA.

    The Windows Server Event Log doesn't have a single trace of my connection attempts. I installed Wireshark on the NPS and I can see "Access-Request" is coming through many times, but no response.

    I'm usually good at solving these problems but at this point I'm going in circles. Any help would be beyond words!


  • 2.  RE: IAP external RADIUS (NPS) not responding
    Best Answer

    EMPLOYEE
    Posted Mar 01, 2020 06:34 AM

    Look in the "system" event log on the NPS server to see if there are any issues. You should not need to allow things on the firewall on the NPS server, unless you already have the firewall configured.

    Look at this guide here for ideas about NPS server configuration: https://community.arubanetworks.com/aruba/attachments/aruba/115/6113/1/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

    Use "aaa test-server" on the Instant AP to generate requests: https://www.arubanetworks.com/techdocs/Instant_85_WebHelp/Content/instant-cli/sh-air-cppm-ent.htm?Highlight=blocked
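
The symptom in this thread (Access-Requests visible in Wireshark, no reply) matches the silent discard that RFC 2865 requires for a request from an unknown client address and that RFC 3579 requires for a bad Message-Authenticator. The sketch below is an added example, not code from any poster, Aruba or Microsoft; it checks both conditions on one captured request. The function names and the sample packet are constructed for illustration, reusing the thread's 10.1.1.50/10.1.1.51 addresses and "password" secret.

```python
import hashlib
import hmac
import socket
import struct

NAS_IP_ADDRESS = 4          # RFC 2865
MESSAGE_AUTHENTICATOR = 80  # RFC 3579, required alongside EAP-Message


def attributes(packet):
    """Yield (type, value_offset, value); packet is already trimmed to its header length."""
    end = len(packet)
    pos = 20
    while pos + 2 <= end:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > end:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield a_type, pos + 2, packet[pos + 2:pos + a_len]
        pos += a_len


def diagnose(packet, src_ip, client_ip, secret):
    """List reasons a RADIUS server would drop this Access-Request without replying."""
    if len(packet) < 20 or packet[0] != 1:  # code 1 = Access-Request
        return ["not an Access-Request"]
    packet = packet[:struct.unpack("!H", packet[2:4])[0]]  # ignore UDP padding
    problems = []
    if src_ip != client_ip:
        problems.append("source %s is not the configured client %s" % (src_ip, client_ip))
    macs = [(off, val) for t, off, val in attributes(packet) if t == MESSAGE_AUTHENTICATOR]
    if not macs or len(macs[0][1]) != 16:
        problems.append("Message-Authenticator missing or malformed")
        return problems
    off, received = macs[0]
    # RFC 3579: HMAC-MD5 over the whole packet with the attribute value zeroed.
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        problems.append("Message-Authenticator mismatch: shared secret differs")
    return problems


def build_sample(secret, nas_ip):
    """Constructed Access-Request for the demo, not a capture from the thread."""
    attrs = bytes([NAS_IP_ADDRESS, 6]) + socket.inet_aton(nas_ip)
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(range(16)) + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
```

Feed `diagnose` the UDP payload of a real capture, the packet's source address, the address entered for the RADIUS client on the server, and the secret the server holds.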


  • 3.  RE: IAP external RADIUS (NPS) not responding

    Posted Mar 01, 2020 11:30 AM

    Hi Joshua,

    As you mentioned, you couldn't find any event relevant to NPS.

    First, add the AP IP as a RADIUS client.

    Then update the status.


  • 4.  RE: IAP external RADIUS (NPS) not responding

    Posted Mar 01, 2020 11:49 AM

    Dear,

    Just tested it in my lab. The issue was the certificate. After getting 2 initial attempt errors in my log files, for some strange reason I wasn't getting any more errors for my failed attempts. Anyway, I generated the new certificate (see the snapshots) and selected the new one. Then I tried again, and it worked like a charm for me.

    Attachment(s): certs.pdf (1.96 MB)