Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Windows 7 and Radius Auth not working

  • 1.  Windows 7 and Radius Auth not working

    Posted Aug 03, 2012 05:59 PM

    I have recently configured my 2008 Server to act as a Radius Server for the Aruba 620 Controlled Wireless network we are using. I am able to connect to the wireless using our Active Directory Credentials without any problem using iOS devices and Apple OSX devices, however I am unable to get Windows 7 devices to connect.

     

    The w7 computer is a fresh install, on either a Windows native machine, or the bootcamp Partition of a Macbook Pro that was connecting in OSX. When I try to connect on windows, the machine asks for the credentials, and then processes for a few seconds and then reports that "Windows was unable to connect to Faculty (SSID)"

     

    I tried running a Windows hotfix that is related to certification errors in W7 but that did nothing to solve the problem. I feel bad constantly coming to THIS forum for help because a lot of my issues with the radius server end up being problems with my Win2008 configuration, however, Technet is just too slow to respond. So those with experience in WinServer Radius Config, I appreciate any help you could offer.

     

    I lack an in-depth understanding useful for effective diagnosis of the problem, but this is what I know,

     

    -The Wireless Controller is able to successfully authenticate via its Auth Diag

    -Apple devices are able to authenticate, and automatically re-authenticate as they re-enter network coverage.

    -Windows 7 Devices SEE the network

    -Windows 7 devices get the AUTH request; they ask for Username, and Password as credentials

    -The NPS Event viewer in server 2008 does not show any event associated with a failed authentication.

    -If I type a wrong password in intentionally, the NPS server does not log it, it's as though the message is blocked well before.

    -The win2008 server is functionally using the Microsoft PEAP authentication type, with MS-CHAPv2 and MS-CHAP enabled.

    -The wireless is accessible only to those in the "Faculty" user-group, and again, this works on OSX/iOS, but same credentials fail in W7

     

    This is the thread in the Technet forum, that may have some other useful information, but I think I covered most of the same ground here already.

    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/83ffd300-0f6c-411a-9231-3a0aa7c40250

     

    Thanks in advance for any help you are able to render.

    Dave

     

     



  • 2.  RE: Windows 7 and Radius Auth not working

    Posted Aug 03, 2012 07:27 PM
    If NPS doesn't show an attempt, check the 'validate server certificate' settings on the Win7 machine. To check this, have the Win7 machine not validate the server certificate to see if it changes anything and if a log entry appears.


  • 3.  RE: Windows 7 and Radius Auth not working

    Posted Aug 03, 2012 08:27 PM

    Thanks for the reply!

     

    I tried to configure the wireless connection as you suggested, but I didn't have any success. I may have not done so properly however. Based on what I googled, this is what I did.

     

    In my network adapter settings, I manually created a new wireless connection profile, I entered exactly the SSID, the encryption (WPA2 enterprise) EAS, and then I de-selected the "start this connection automatically" box. The next screen confirms the creation of the profile, and allows you to further configure the network. I hit "Change Network Settings" and under the [security] tab I adjusted the settings of the authentication method, which was set to PEAP. There I UNchecked the "Validate server Certificate" box, closed the window and tried to connect.

     

    Once I had the network manually added, it would no longer request authentication. There was a box in the configuration settings that is checked by default that said to use the machine credentials, so I unchecked that, but still no Auth Request.


    I then added the machine to the domain, hoping that it would use my AD credentials as that checkbox implied, but to no avail.

     

    Furthermore, the NPS event viewer seems to be showing no sign of interaction, or attempts to.

     

    Thanks again for your reply!

    Any further thoughts?

     

    I would wonder if the hardware was unable to utilize the WPA2 spec of encryption, but my macbook is able to connect in OSX, but not in Windows, ruling out (?) any hardware issue, or active directory machine access limits...

     

     



  • 4.  RE: Windows 7 and Radius Auth not working

    EMPLOYEE
    Posted Aug 03, 2012 08:31 PM

    On the commandline of the controller, type "show auth-tracebuf mac <mac address of computer>" while it is trying to authenticate to see what is happening.

     



  • 5.  RE: Windows 7 and Radius Auth not working

    Posted Aug 03, 2012 09:53 PM

    Are you testing this from a physical Windows 7 installation as well as the boot camp installation?    If only in boot camp, can you see if you can connect to a WPA2-PSK network on the controller?

     

    Lastly, when it comes to Windows 7 settings, try the following:

     

    New Wireless Profile
    Enter the exact SSID name and choose WPA2-Enterprise/AES

    Edit the configuration settings

    On the Security Tab

    1. Click Advanced --> Specify Authentication Mode and select User only (for this test).  Click OK
    2. Back on Security Tab, choose PEAP Settings --> Ensure Secured password (EAP-MSCHAP v2) and Uncheck validate server certificate (just for testing this out)
    3. Click Configure (uncheck automatically use my logged in account; to force a logon prompt). Click OK through the prompts. 

     

    On the controller check the status of the authentication using the show auth-tracebuf mac [MAC]

     

     



  • 6.  RE: Windows 7 and Radius Auth not working

    Posted Aug 06, 2012 03:02 PM

    here is the Auth Tracebuf.

    Thanks for the help guys.

     

    Auth Trace Buffer
    -----------------


    Aug  6 11:41:46  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
    Aug  6 11:41:46  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Aug  6 11:41:46  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Aug  6 11:41:46  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Aug  6 11:41:52  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   15    davidadmin
    Aug  6 11:41:52  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          10  183
    Aug  6 11:41:57  rad-resp              <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  10  90
    Aug  6 11:41:57  eap-req               <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          2   6
    Aug  6 11:41:57  eap-resp              ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          2   119
    Aug  6 11:41:57  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  11  325
    Aug  6 11:41:57  rad-resp              <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  11  1188
    Aug  6 11:41:57  eap-req               <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          3   1096
    Aug  6 11:41:57  eap-resp              ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          3   6
    Aug  6 11:41:57  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  12  212
    Aug  6 11:41:57  rad-resp              <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  12  1188
    Aug  6 11:41:57  eap-req               <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          4   1096
    Aug  6 11:41:57  eap-resp              ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          4   6
    Aug  6 11:41:57  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  13  212
    Aug  6 11:41:57  rad-resp              <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  13  126
    Aug  6 11:41:57  eap-req               <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          5   42
    Aug  6 11:42:12  eap-resp              ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          5   17
    Aug  6 11:42:12  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  14  223
    Aug  6 11:42:12  rad-reject            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  14  44
    Aug  6 11:42:12  eap-failure           <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          5   4     server rejected
    Aug  6 11:42:12  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Aug  6 11:42:12  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
    Aug  6 11:42:12  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Aug  6 11:42:12  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Aug  6 11:42:12  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Aug  6 11:42:12  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -

     

    I'm going to take a wild guess and say that "server rejected" has something to do with my problem...



  • 7.  RE: Windows 7 and Radius Auth not working

    EMPLOYEE
    Posted Aug 07, 2012 05:15 AM

    Yes...  That looks like it..



  • 8.  RE: Windows 7 and Radius Auth not working

    Posted Aug 07, 2012 10:05 PM

    Does this mean that the Aruba controller and the setup configuration is NOT the problem? The problem lies in the configuration of the Radius Server? I am sorry for being so dense, but I want to make sure that I am interpreting this result properly so I know where to focus my efforts.

     

    Thank you guys a ton. This forum has been of critical assistance and I really really appreciate it.



  • 9.  RE: Windows 7 and Radius Auth not working
    Best Answer

    EMPLOYEE
    Posted Aug 07, 2012 10:07 PM

    It means that the Radius server is rejecting the connection, and the log on the Radius server has the answer about why.  You will get your direction from the logs on the Radius server.
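
Added example, not part of any post in this thread and not Aruba code: a small Python reader for `show auth-tracebuf` output that splits a trace into attempts and reports where each one stopped, separating a `rad-reject` from the RADIUS server from an attempt that ended with an EAP request to the station still unanswered. The MAC addresses, the server name `nps-example` and the function names are constructed, and the column layout is an assumption read off the traces posted here.

```python
# Constructed sample in the column layout of the traces posted in this thread
# (time, event, direction, station MAC, BSSID[/server], id, len, note).
SAMPLE = """\
Jan  1 10:00:00  station-up    *  02:00:00:00:00:0a  02:00:00:00:01:00  -  -  wpa2 aes
Jan  1 10:00:01  eap-id-resp  ->  02:00:00:00:00:0a  02:00:00:00:01:00  1  11  user-a
Jan  1 10:00:01  rad-req      ->  02:00:00:00:00:0a  02:00:00:00:01:00  10  180
Jan  1 10:00:01  rad-reject   <-  02:00:00:00:00:0a  02:00:00:00:01:00/nps-example  10  44
Jan  1 10:00:01  eap-failure  <-  02:00:00:00:00:0a  02:00:00:00:01:00  1  4  server rejected
Jan  1 10:00:01  station-down  *  02:00:00:00:00:0a  02:00:00:00:01:00  -  -
Jan  1 10:00:05  station-up    *  02:00:00:00:00:0b  02:00:00:00:01:00  -  -  wpa2 aes
Jan  1 10:00:05  eap-id-req   <-  02:00:00:00:00:0b  02:00:00:00:01:00  1  5
Jan  1 10:00:05  eap-id-resp  ->  02:00:00:00:00:0b  02:00:00:00:01:00  1  11  user-b
Jan  1 10:00:05  rad-req      ->  02:00:00:00:00:0b  02:00:00:00:01:00  20  180
Jan  1 10:00:05  rad-resp     <-  02:00:00:00:00:0b  02:00:00:00:01:00/nps-example  20  1188
Jan  1 10:00:05  eap-req      <-  02:00:00:00:00:0b  02:00:00:00:01:00  2  1096
Jan  1 10:00:05  station-down  *  02:00:00:00:00:0b  02:00:00:00:01:00
"""

def attempts(trace):
    """Split a trace into per-station attempts, each closed by station-down."""
    open_, done = {}, []
    for line in trace.splitlines():
        f = line.split()
        if len(f) < 7 or f[4] not in ("<-", "->", "*"):
            continue  # header, separator or blank line
        event, sta, server = f[3], f[5], f[6].partition("/")[2]
        if event == "station-up" and sta in open_:
            done.append((sta, open_.pop(sta)))  # previous attempt never closed
        open_.setdefault(sta, []).append((event, server))
        if event == "station-down":
            done.append((sta, open_.pop(sta)))
    return done + list(open_.items())

def classify(events):
    """Say where one attempt stopped, using only event names seen in the thread."""
    names = [e for e, _ in events if e not in ("station-up", "station-down")]
    if "rad-reject" in names:
        outcome = "server-rejected"         # the RADIUS server's log has the reason
    elif names and names[-1] in ("eap-req", "eap-id-req"):
        outcome = "eap-request-unanswered"  # station went down before replying
    else:
        outcome = "inconclusive"
    return {"outcome": outcome,
            "radius_replies": sum(n in ("rad-resp", "rad-reject") for n in names),
            "servers": sorted({s for _, s in events if s})}

def summarize(trace):
    return [(sta, classify(ev)) for sta, ev in attempts(trace)]
```

A non-zero `radius_replies` count shows that the RADIUS server did answer the controller during that attempt, whatever its own event log displays.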

     



  • 10.  RE: Windows 7 and Radius Auth not working

    Posted Feb 07, 2013 05:50 AM
    Hi, I'm having the exact same issue here. Did you solve this and does anyone have any more additional information?

    Thanks.


  • 11.  RE: Windows 7 and Radius Auth not working

    EMPLOYEE
    Posted Feb 07, 2013 06:20 AM

    If you are having the exact same issue as in the thread, you need to figure out why the radius server is rejecting your client.

     

    Either way, you should open a case so that they can get to the bottom of it.

     



  • 12.  RE: Windows 7 and Radius Auth not working

    Posted Sep 01, 2015 02:21 PM

    Hello,

     

    I had the same issue with a Windows 7 computer in workgroup attempting to connect to an SSID with WPA2-Enterprise with AES and 802.1X authentication.

     

    The computer tries to connect with local user or with computer account.

     

    You need to manually create a wireless profile for this SSID and then on the security tab:

    1) Edit MS PEAP Parameters, uncheck the box 'Validate Server Certificate' and click the Configure button above Secured Password (EAP-MSCHAP v2) to uncheck the box 'Automatically use my Windows username and password'.

    2) Click Advanced Parameters button, check the box Specify authentication mode to User Authentication.

     



  • 13.  RE: Windows 7 and Radius Auth not working

    Posted Mar 29, 2017 04:42 AM
    Mar 28 17:07:22  station-up             *  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   -    -     wpa2 aes
    Mar 28 17:07:22  eap-id-req            <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   1    5
    Mar 28 17:07:22  eap-start             ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   -    -
    Mar 28 17:07:22  eap-id-req            <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   1    5
    Mar 28 17:07:22  eap-id-resp           ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   1    14    wifi-user
    Mar 28 17:07:22  rad-req               ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   39   232
    Mar 28 17:07:22  eap-id-resp           ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   1    14    wifi-user
    Mar 28 17:07:22  rad-resp              <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0/rz-dc-2           39   90
    Mar 28 17:07:22  eap-req               <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   2    6
    Mar 28 17:07:22  eap-resp              ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   2    117
    Mar 28 17:07:22  rad-req               ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0/rz-dc-2           40   373
    Mar 28 17:07:22  rad-resp              <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0/rz-dc-2           40   1188
    Mar 28 17:07:22  eap-req               <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   3    1096
    Mar 28 17:07:22  eap-resp              ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   3    6
    Mar 28 17:07:22  rad-req               ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0/rz-dc-2           41   262
    Mar 28 17:07:22  rad-resp              <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0/rz-dc-2           41   1188
    Mar 28 17:07:22  eap-req               <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   4    1096
    Mar 28 17:07:22  eap-resp              ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   4    6
    Mar 28 17:07:22  rad-req               ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0/rz-dc-2           42   262
    Mar 28 17:07:22  rad-resp              <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0/rz-dc-2           42   1188
    Mar 28 17:07:22  eap-req               <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   5    1096
    Mar 28 17:07:22  eap-resp              ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   5    6
    Mar 28 17:07:22  rad-req               ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0/rz-dc-2           43   262
    Mar 28 17:07:22  rad-resp              <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0/rz-dc-2           43   1188
    Mar 28 17:07:22  eap-req               <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   6    1096
    Mar 28 17:07:22  eap-resp              ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   6    6
    Mar 28 17:07:22  rad-req               ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0/rz-dc-2           44   262
    Mar 28 17:07:22  rad-resp              <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0/rz-dc-2           44   985
    Mar 28 17:07:22  eap-req               <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   7    895
    Mar 28 17:07:22  eap-resp              ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   7    343
    Mar 28 17:07:22  rad-req               ->  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0/rz-dc-2           45   601
    Mar 28 17:07:22  rad-resp              <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0/rz-dc-2           45   153
    Mar 28 17:07:22  eap-req               <-  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0                   8    69
    Mar 28 17:07:22  station-down           *  e0:9d:31:3b:62:bc  34:fc:b9:ea:77:f0  

    I'm having a similar issue.

    Following setup:

     

    Win 7 SP1 Clients

    Win 2012 Server with NPS configured with EAP-TLS and EAP-PEAP MSCHAPv2 for testing.

     

    I receive a successful if I use the AAA test from the controller. On the Win 7 client I'm not able to get a connection running (I already checked and unchecked all the possible options like Cert-validation)

     

    If I turn on Termination on the controller, EAP-PEAP will work.

     

    The NPS is only logging the success from the AAA test server.

     

    The Aruba log shows "Deauth from STA .... unspecified failure" and the Client is logging a meaningless EAP failure.

     

     

    Any ideas? The NPS Server has a certificate and the clients have a device certificate, too. The goal is EAP-TLS and everything is allowed on the NPS.

     

     

     

     

     



  • 14.  RE: Windows 7 and Radius Auth not working

    Posted Aug 16, 2017 01:13 PM

    Excellent

    Great Job

    Thanks