Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

802.1x Authentication with Microsoft NPS

  • 1.  802.1x Authentication with Microsoft NPS

    Posted Sep 19, 2014 01:16 AM

    Hi,

    In my current environment, I have a 3Com wireless controller set up as a RADIUS client to a Windows 2008 NPS. I have configured the necessary policy in my NPS to allow authentication via MSCHAPv2.

    My existing wireless users have no issue logging in via 802.1x by supplying their domain user name and password, without any certificate requirement.

    I've just purchased an Aruba controller. I have configured the controller as a RADIUS client to the same NPS and configured an SSID to use 802.1x on the Aruba controller.

    When I try to connect to the Aruba wireless, the connection is unsuccessful. In the event log on my NPS server, the error is as follows:

    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 22
    Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    Whereas for users connecting via the 3Com controller, the event log shows MSCHAPv2 as the Authentication Type.

    Am I missing any configuration on the Aruba to support MSCHAPv2?


  • 2.  RE: 802.1x Authentication with Microsoft NPS

    EMPLOYEE
    Posted Sep 19, 2014 05:46 AM

    There should not be a difference. The EAP type is configured on the clients and the RADIUS server, not the WLC. Please make sure that your authentication requests are hitting the same policy on the NPS server and that there are no rules specific to the IP address of the 3Com controller.


  • 3.  RE: 802.1x Authentication with Microsoft NPS

    Posted Sep 19, 2014 10:49 AM

    Please make sure you have selected PEAP-MSCHAPv2, not MSCHAPv2, as a supported authentication method in your NPS policy.

    [Screenshot: nps-eap-mschap.png]



  • 4.  RE: 802.1x Authentication with Microsoft NPS

    Posted Sep 19, 2014 11:24 AM

    Oh, my current policy is using MSCHAPv2. With PEAP-MSCHAPv2, I have to install a CA, right?



  • 5.  RE: 802.1x Authentication with Microsoft NPS

    EMPLOYEE
    Posted Sep 19, 2014 11:42 AM
    You need a server certificate.

    It can be either private or publicly signed.

    The downside of a privately signed certificate is that you need to distribute the CA certificate to all of the devices.


  • 6.  RE: 802.1x Authentication with Microsoft NPS

    Posted Sep 19, 2014 11:46 AM

    Appreciate the reply. Is there no other way to work around this? With my current wireless controller, I don't have to install any certs on my clients. My users just need to supply a domain user name and password.



  • 7.  RE: 802.1x Authentication with Microsoft NPS

    EMPLOYEE
    Posted Sep 19, 2014 11:47 AM

    Can you show us either a config snippet or a screenshot of the 3com authentication configuration?



  • 8.  RE: 802.1x Authentication with Microsoft NPS

    Posted Sep 19, 2014 11:55 AM

    Here's the 802.1x policy on my 3Com controller:

    [Screenshots: Screen Shot 2014-09-19 at 11.51.35 pm.png, Screen Shot 2014-09-19 at 11.51.50 pm.png, Screen Shot 2014-09-19 at 11.52.46 pm.png]



  • 9.  RE: 802.1x Authentication with Microsoft NPS

    EMPLOYEE
    Posted Sep 19, 2014 11:57 AM

    OK, so your controller likely has a certificate built in and your clients are probably configured to not validate the server certificate. 


    You can do a similar setup by using a self-signed certificate in NPS, but this is VERY, VERY insecure and can put your users' credentials in jeopardy.



  • 10.  RE: 802.1x Authentication with Microsoft NPS

    Posted Sep 19, 2014 12:02 PM

    Hi Tim,

    You are right, on the client side we disable the "validate server certificate" option.

    Are you able to share how I can use a self-signed certificate in NPS? I will also feed back to my management about the security risk of using a self-signed cert and let them decide which option they prefer.



  • 11.  RE: 802.1x Authentication with Microsoft NPS
    Best Answer

    Posted Sep 19, 2014 05:17 PM

    You have a couple of options. You can set up a self-signed certificate for NPS, or you can terminate EAP on the Aruba controller (similar to how your current setup is). I recommend you put the certificate on NPS if you can. Either way, Tim's comment about validation needs to be addressed.

    There are many ways to create a self-signed certificate for Windows. I sometimes use the makecert.exe utility (attached) or OpenSSL (link below). If you run the makecert command on the NPS server with the following syntax (edit as you need to), it will install the certificate with private key into the Computer store on the server. You'll then need to change your authentications to only include Microsoft Protected EAP with MSCHAP-v2 as your inner authentication method in your NPS policy.

    makecert.exe -n "CN=server.domain.com" -len 2048 -sr LocalMachine -ss my -r -pe -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -b 09/19/2014 -e 01/01/2024

    -----------------------------------

    There is also a procedure available here using OpenSSL:

    http://wifinigel.blogspot.com/2014/03/microsoft-nps-as-radius-server-for-wifi_15.html

    -----------------------------------

    You can also terminate EAP on the controller in the 802.1X authentication profile associated with that AAA profile. This will use the certificate on the controller.

    [Screenshot: aos-dot1x-term-mschap.png]

    Attachment: makecert.zip (17 KB)
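An equivalent of the makecert command in this answer using the built-in New-SelfSignedCertificate cmdlet, added here as an example and not taken from the thread, Aruba or Microsoft documentation. It assumes Windows Server 2016 or later (older servers such as the 2008 box in the thread still need the makecert or OpenSSL route above), uses the placeholder name server.domain.com from the post, and also exports the public certificate for the clients so that "validate server certificate" can be turned back on instead of left disabled, which is the point Tim raised.

```powershell
# Added example (not from the thread): self-signed PEAP server certificate for NPS,
# built with New-SelfSignedCertificate rather than the deprecated makecert.exe.
# Assumes Windows Server 2016 or later and an elevated PowerShell on the NPS server.
# server.domain.com is a placeholder taken from the post; edit as needed.
$fqdn = "server.domain.com"

$params = @{
    Subject           = "CN=$fqdn"
    DnsName           = $fqdn                      # SAN, the name clients will match
    KeyAlgorithm      = "RSA"
    KeyLength         = 2048                       # makecert -len 2048
    HashAlgorithm     = "SHA256"
    KeySpec           = "KeyExchange"              # makecert -sky exchange
    KeyExportPolicy   = "Exportable"               # makecert -pe
    Provider          = "Microsoft RSA SChannel Cryptographic Provider"  # makecert -sp
    # EKU 1.3.6.1.5.5.7.3.1 = Server Authentication, the same OID as makecert -eku
    TextExtension     = @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
    CertStoreLocation = "Cert:\LocalMachine\My"    # makecert -sr LocalMachine -ss my
    NotAfter          = (Get-Date).AddYears(5)
    FriendlyName      = "NPS PEAP server certificate"
}
$cert = New-SelfSignedCertificate @params

# Export only the public certificate (no private key). Deploying this .cer to the
# clients' Trusted Root store is what lets "Validate server certificate" stay
# enabled in the PEAP profile instead of being switched off as in the 3Com setup.
New-Item -ItemType Directory -Path "C:\temp" -Force | Out-Null
Export-Certificate -Cert $cert -FilePath "C:\temp\nps-peap.cer" -Type CERT | Out-Null

# Checks before selecting the certificate in the NPS PEAP settings: a private key
# must be present and the EKU list must include Server Authentication.
if (-not $cert.HasPrivateKey) { throw "certificate has no private key" }
if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.5.7.3.1")) {
    throw "certificate lacks the Server Authentication EKU"
}
"Thumbprint to select in NPS PEAP settings: $($cert.Thumbprint)"
```

On the clients, import C:\temp\nps-peap.cer into Trusted Root Certification Authorities and, in the PEAP profile, keep server certificate validation enabled with this certificate ticked as the trusted root and the server name set to the FQDN above.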


  • 12.  RE: 802.1x Authentication with Microsoft NPS

    Posted Sep 24, 2014 01:19 AM

    Hi Chris,

     

    Thank you so much. I've tested with the "termination" method and also with the certificate for PEAP. Both work perfectly.

    For now I will enable both. The termination method will allow my current users to transition to the Aruba controller smoothly. I have also created another SSID that is more secure. This will allow us to configure my users in batches. We will eventually phase out the old SSID.

    Thanks again.

    Kee Wee



  • 13.  RE: 802.1x Authentication with Microsoft NPS

    Posted Sep 24, 2014 01:23 AM

    Hi Tim,

    Thank you so much for the advice. I have set up another SSID with PEAP. I will migrate my users to this new SSID.

    Kee Wee