Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba Controller with (Radius)NPS

  • 1.  Aruba Controller with (Radius)NPS

    Posted Apr 20, 2020 01:18 AM

    I set up NPS on Windows Server 2016, created a RADIUS server in the Mobility Controller and associated it with one SSID.

    When I connect to the SSID using my domain username and password, so far so good. But if I choose "Use my Windows user account", it shows "Cannot connect to the network".

    I compared the two situations: when I input the username and password, there are logs in NPS, but when I choose "Use my Windows user account", there are not.

    So I think this is an Aruba configuration problem, not an NPS configuration problem. Does anybody know about this? Did I miss something that caused the Aruba AP not to send authentication information to NPS when I choose "Use my Windows user account"?

     

    Thanks a lot for any advice.

     



  • 2.  RE: Aruba Controller with (Radius)NPS

    EMPLOYEE
    Posted Apr 20, 2020 02:12 AM

    Hi Elan,

     

    The Aruba controller acts as the authenticator, relaying information between the NPS server and the client device; the exchange is transparent to the controller. The controller doesn't care about what username / password you are using. At the end, the NPS server should send a RADIUS Accept or Reject message and the controller will allow or deny access. This is of course assuming you are not doing EAP termination on the controller (which is rarely used).

     

    In my opinion, and based on what you have described, it is most likely a configuration issue on NPS. I suggest you check your NPS server again and, if possible, take a packet capture from the NPS side to compare the request in both cases.

    1) Check the username that is being sent. Is it the same username? Same format?

    2) On controller, you can debug a particular user

    logging level debugging user-debug <mac address of user>

    show log all | include <mac address of user>

    Also

    show auth-tracebuf mac <mac address of user>

     



  • 3.  RE: Aruba Controller with (Radius)NPS

    Posted Apr 20, 2020 09:49 PM

    Hi

    Thanks for your reply. I tried it; the following is the log when I check "Use my Windows user account". I did not find any username/password sent in the log.

     

    Apr 21 09:29:22 fpcli: USER:admin@172.30.28.55 COMMAND:<logging level debugging user-debug d8:0f:99:3a:21:2f > -- command executed successfully
    Apr 21 09:29:31 authmgr[3899]: <522030> <3899> <INFO> |authmgr| MAC=d8:0f:99:3a:21:2f Station deauthenticated: BSSID=c8:b5:ad:e1:f6:32, ESSID=test
    Apr 21 09:29:31 authmgr[3899]: <522035> <4532> <INFO> |authmgr| MAC=d8:0f:99:3a:21:2f Station UP: BSSID=c8:b5:ad:e1:f6:32 ESSID=test VLAN=40 AP-name=c8:b5:ad:c6:1f:62
    Apr 21 09:29:31 authmgr[3899]: <522036> <4532> <INFO> |authmgr| MAC=d8:0f:99:3a:21:2f Station DN: BSSID=c8:b5:ad:e1:f6:32 ESSID=test VLAN=40 AP-name=c8:b5:ad:c6:1f:62
    Apr 21 09:29:31 authmgr[3899]: <522049> <3899> <INFO> |authmgr| MAC=d8:0f:99:3a:21:2f,IP=N/A User role updated, existing Role=logon/none, new Role=logon/none, reason=Station is L2 deauthenticated
    Apr 21 09:29:31 authmgr[3899]: <522050> <3899> <INFO> |authmgr| MAC=d8:0f:99:3a:21:2f,IP=N/A User data downloaded to datapath, new Role=logon/2, bw Contract=0/0, reason=Download driven by user role setting, idle-timeout=300
    Apr 21 09:29:31 authmgr[3899]: <522050> <4532> <INFO> |authmgr| MAC=d8:0f:99:3a:21:2f,IP=N/A User data downloaded to datapath, new Role=logon/2, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
    Apr 21 09:29:31 authmgr[3899]: <522077> <4532> <DBUG> |authmgr| MAC=d8:0f:99:3a:21:2f ingress 0x0x1001c (tunnel 28), u_encr 4, m_encr 4, slotport 0x0x210f , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
    Apr 21 09:29:31 authmgr[3899]: <522127> <3899> <DBUG> |authmgr| {L2} Update role from logon to logon for IP=N/A, MAC=d8:0f:99:3a:21:2f.
    Apr 21 09:29:31 authmgr[3899]: <522142> <3899> <DBUG> |authmgr| Setting cached role to NULL for user d8:0f:99:3a:21:2f".
    Apr 21 09:29:31 authmgr[3899]: <522158> <3899> <DBUG> |authmgr| Role Derivation for user N/A-d8:0f:99:3a:21:2f- N/A Station is L2 deauthenticated.
    Apr 21 09:29:31 authmgr[3899]: <522158> <4532> <DBUG> |authmgr| Role Derivation for user N/A-d8:0f:99:3a:21:2f- N/A Set AAA profile defaults.
    Apr 21 09:29:31 authmgr[3899]: <522234> <4532> <DBUG> |authmgr| Setting idle timer for user d8:0f:99:3a:21:2f to 300 seconds (idle timeout: 300 ageout: 0).
    Apr 21 09:29:31 authmgr[3899]: <522242> <4532> <DBUG> |authmgr| MAC=d8:0f:99:3a:21:2f Station Created Update MMS: BSSID=c8:b5:ad:e1:f6:32 ESSID=test VLAN=40 AP-name=c8:b5:ad:c6:1f:62
    Apr 21 09:29:31 authmgr[3899]: <522244> <4532> <DBUG> |authmgr| MAC=d8:0f:99:3a:21:2f Station Deleted Update MMS
    Apr 21 09:29:31 authmgr[3899]: <522246> <4532> <DBUG> |authmgr| Idle timeout should be driven by STM for MAC d8:0f:99:3a:21:2f.
    Apr 21 09:29:31 authmgr[3899]: <522254> <4532> <DBUG> |authmgr| VDR - mac d8:0f:99:3a:21:2f rolename logon fwdmode 0 derivation_type Initial Role Contained vp not present.
    Apr 21 09:29:31 authmgr[3899]: <522255> <3899> <DBUG> |authmgr| "VDR - set vlan in user for d8:0f:99:3a:21:2f vlan 40 fwdmode 0 derivation_type Current VLAN updated.
    Apr 21 09:29:31 authmgr[3899]: <522255> <4532> <DBUG> |authmgr| "VDR - set vlan in user for d8:0f:99:3a:21:2f vlan 40 fwdmode 0 derivation_type Current VLAN updated.
    Apr 21 09:29:31 authmgr[3899]: <522255> <4532> <DBUG> |authmgr| "VDR - set vlan in user for d8:0f:99:3a:21:2f vlan 40 fwdmode 0 derivation_type Default VLAN.
    Apr 21 09:29:31 authmgr[3899]: <522258> <3899> <DBUG> |authmgr| "VDR - Add to history of user user d8:0f:99:3a:21:2f vlan 0 derivation_type Reset all Auth VLANs index 4.
    Apr 21 09:29:31 authmgr[3899]: <522258> <3899> <DBUG> |authmgr| "VDR - Add to history of user user d8:0f:99:3a:21:2f vlan 40 derivation_type Current VLAN updated index 5.
    Apr 21 09:29:31 authmgr[3899]: <522258> <4532> <DBUG> |authmgr| "VDR - Add to history of user user d8:0f:99:3a:21:2f vlan 0 derivation_type Reset Role Based VLANs index 3.
    Apr 21 09:29:31 authmgr[3899]: <522258> <4532> <DBUG> |authmgr| "VDR - Add to history of user user d8:0f:99:3a:21:2f vlan 0 derivation_type Reset VLANs for Station up index 0.
    Apr 21 09:29:31 authmgr[3899]: <522258> <4532> <DBUG> |authmgr| "VDR - Add to history of user user d8:0f:99:3a:21:2f vlan 40 derivation_type Current VLAN updated index 2.
    Apr 21 09:29:31 authmgr[3899]: <522258> <4532> <DBUG> |authmgr| "VDR - Add to history of user user d8:0f:99:3a:21:2f vlan 40 derivation_type Default VLAN index 1.
    Apr 21 09:29:31 authmgr[3899]: <522260> <3899> <DBUG> |authmgr| "VDR - Cur VLAN updated d8:0f:99:3a:21:2f mob 0 inform 1 remote 0 wired 0 defvlan 40 exportedvlan 0 curvlan 40.
    Apr 21 09:29:31 authmgr[3899]: <522264> <4532> <DBUG> |authmgr| "MAC:d8:0f:99:3a:21:2f: Allocating UUID: 0xa7931e1cbe8c27df
    Apr 21 09:29:31 authmgr[3899]: <522287> <4532> <DBUG> |authmgr| Auth GSM : MAC_USER publish for mac d8:0f:99:3a:21:2f bssid c8:b5:ad:e1:f6:32 vlan 40 type 1 data-ready 0
    Apr 21 09:29:31 authmgr[3899]: <522289> <3899> <DBUG> |authmgr| Auth GSM : MAC_USER mu_delete publish for mac d8:0f:99:3a:21:2f bssid c8:b5:ad:e1:f6:32 vlan 40 type 1 data-ready 0 deauth-reason 50
    Apr 21 09:29:31 authmgr[3899]: <522290> <4532> <DBUG> |authmgr| Auth GSM : MAC_USER delete for mac d8:0f:99:3a:21:2f
    Apr 21 09:29:31 authmgr[3899]: <522295> <4532> <DBUG> |authmgr| Auth GSM : USER_STA event 0 for user d8:0f:99:3a:21:2f
    Apr 21 09:29:31 authmgr[3899]: <522296> <4532> <DBUG> |authmgr| Auth GSM : USER_STA delete event for user d8:0f:99:3a:21:2f age 0 deauth_reason 50
    Apr 21 09:29:31 authmgr[3899]: <522301> <3899> <DBUG> |authmgr| Auth GSM : USER publish for uuid 0xa7931e1cbe8c27df mac d8:0f:99:3a:21:2f name role logon devtype wired 0 authtype 0 subtype 0 encrypt-type 2 conn-port 8463 fwd-mode 0
    Apr 21 09:29:31 authmgr[3899]: <522301> <4532> <DBUG> |authmgr| Auth GSM : USER publish for uuid 0xa7931e1cbe8c27df mac d8:0f:99:3a:21:2f name role logon devtype wired 0 authtype 0 subtype 0 encrypt-type 2 conn-port 8463 fwd-mode 0
    Apr 21 09:29:31 authmgr[3899]: <522301> <4532> <DBUG> |authmgr| Auth GSM : USER publish for uuid 0xa7931e1cbe8c27df mac d8:0f:99:3a:21:2f name role logon devtype wired 0 authtype 0 subtype 0 encrypt-type 2 conn-port 8463 fwd-mode 0
    Apr 21 09:29:31 authmgr[3899]: <522303> <4532> <DBUG> |authmgr| Auth GSM : USER delete for mac d8:0f:99:3a:21:2f uuid 0xa7931e1cbe8c27df
    Apr 21 09:29:31 authmgr[3899]: <522320> <4532> <DBUG> |authmgr| handle_sta_up_dn (2958): rtts user=d8:0f:99:3a:21:2f enabled=0 initial tput=100000
    Apr 21 09:29:31 authmgr[3899]: <524124> <4532> <DBUG> |authmgr| dot1x_supplicant_up(): MAC:d8:0f:99:3a:21:2f, pmkid_present:False, pmkid:N/A
    Apr 21 09:29:31 authmgr[3899]: <524141> <4532> <DBUG> |authmgr| clr_pmkcache_ft():1013: MAC:d8:0f:99:3a:21:2f BSS:c8:b5:ad:e1:f6:32
    Apr 21 09:29:31 mdns[4115]: <527000> <4115> <DBUG> |mdns| ag_mdns_get_token_list_for_mac 648 AirGroup user doesn't exist: mac=d8:0f:99:3a:21:2f
    Apr 21 09:29:31 mdns[4115]: <527000> <4115> <DBUG> |mdns| ag_ssdp_get_token_list_for_mac 348 AirGroup user doesn't exist: mac=d8:0f:99:3a:21:2f
    Apr 21 09:29:31 mdns[4115]: <527000> <4115> <DBUG> |mdns| mdns_client_purge 1146 Purge mdns client, mac=d8:0f:99:3a:21:2f, del_client = 1
    Apr 21 09:29:31 mdns[4115]: <527004> <4115> <INFO> |mdns| mdns_parse_auth_useridle_message 169 Auth User Idle Timeout: MAC:d8:0f:99:3a:21:2f
    Apr 21 09:29:31 stm[2932]: <501000> <DBUG> |AP c8:b5:ad:c6:1f:62@172.30.40.109 stm| Station d8:0f:99:3a:21:2f: Clearing state
    Apr 21 09:29:31 stm[2932]: <501037> <NOTI> |AP c8:b5:ad:c6:1f:62@172.30.40.109 stm| Station d8:0f:99:3a:21:2f: no association found trying to disassociate to BSSID c8:b5:ad:e1:f6:32 on AP c8:b5:ad:c6:1f:62
    Apr 21 09:29:31 stm[2932]: <501093> <NOTI> |AP c8:b5:ad:c6:1f:62@172.30.40.109 stm| Auth success: d8:0f:99:3a:21:2f: AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62
    Apr 21 09:29:31 stm[2932]: <501095> <NOTI> |AP c8:b5:ad:c6:1f:62@172.30.40.109 stm| Assoc request @ 09:29:31.496695: d8:0f:99:3a:21:2f (SN 1344): AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62
    Apr 21 09:29:31 stm[2932]: <501100> <NOTI> |AP c8:b5:ad:c6:1f:62@172.30.40.109 stm| Assoc success @ 09:29:31.497774: d8:0f:99:3a:21:2f: AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62
    Apr 21 09:29:31 stm[2932]: <501102> <NOTI> |AP c8:b5:ad:c6:1f:62@172.30.40.109 stm| Disassoc from sta: d8:0f:99:3a:21:2f: AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62 Reason STA has left and is disassociated
    Apr 21 09:29:31 stm[2932]: <501105> <NOTI> |AP c8:b5:ad:c6:1f:62@172.30.40.109 stm| Deauth from sta: d8:0f:99:3a:21:2f: AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62 Reason Response to EAP Challenge Failed
    Apr 21 09:29:31 stm[3914]: <501000> <4663> <DBUG> |stm| Station d8:0f:99:3a:21:2f: Clearing state
    Apr 21 09:29:31 stm[3914]: <501080> <4663> <NOTI> |stm| Deauth to sta: d8:0f:99:3a:21:2f: Ageout AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62 Response to EAP Challenge Failed
    Apr 21 09:29:31 stm[3914]: <501100> <3914> <NOTI> |stm| Assoc success @ 09:29:31.506446: d8:0f:99:3a:21:2f: AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62
    Apr 21 09:29:31 stm[3914]: <501106> <4663> <NOTI> |stm| Deauth to sta: d8:0f:99:3a:21:2f: Ageout AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62 wifi_deauth_sta
    Apr 21 09:29:32 authmgr[3899]: <522035> <4532> <INFO> |authmgr| MAC=d8:0f:99:3a:21:2f Station UP: BSSID=c8:b5:ad:e1:f6:32 ESSID=test VLAN=40 AP-name=c8:b5:ad:c6:1f:62
    Apr 21 09:29:32 authmgr[3899]: <522050> <4532> <INFO> |authmgr| MAC=d8:0f:99:3a:21:2f,IP=N/A User data downloaded to datapath, new Role=logon/2, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
    Apr 21 09:29:32 authmgr[3899]: <522077> <4532> <DBUG> |authmgr| MAC=d8:0f:99:3a:21:2f ingress 0x0x1001c (tunnel 28), u_encr 4, m_encr 4, slotport 0x0x210f , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
    Apr 21 09:29:32 authmgr[3899]: <522158> <4532> <DBUG> |authmgr| Role Derivation for user N/A-d8:0f:99:3a:21:2f- N/A Set AAA profile defaults.
    Apr 21 09:29:32 authmgr[3899]: <522242> <4532> <DBUG> |authmgr| MAC=d8:0f:99:3a:21:2f Station Created Update MMS: BSSID=c8:b5:ad:e1:f6:32 ESSID=test VLAN=40 AP-name=c8:b5:ad:c6:1f:62
    Apr 21 09:29:32 authmgr[3899]: <522246> <4532> <DBUG> |authmgr| Idle timeout should be driven by STM for MAC d8:0f:99:3a:21:2f.
    Apr 21 09:29:32 authmgr[3899]: <522254> <4532> <DBUG> |authmgr| VDR - mac d8:0f:99:3a:21:2f rolename logon fwdmode 0 derivation_type Initial Role Contained vp not present.
    Apr 21 09:29:32 authmgr[3899]: <522255> <4532> <DBUG> |authmgr| "VDR - set vlan in user for d8:0f:99:3a:21:2f vlan 40 fwdmode 0 derivation_type Current VLAN updated.
    Apr 21 09:29:32 authmgr[3899]: <522255> <4532> <DBUG> |authmgr| "VDR - set vlan in user for d8:0f:99:3a:21:2f vlan 40 fwdmode 0 derivation_type Default VLAN.
    Apr 21 09:29:32 authmgr[3899]: <522258> <4532> <DBUG> |authmgr| "VDR - Add to history of user user d8:0f:99:3a:21:2f vlan 0 derivation_type Reset Role Based VLANs index 3.
    Apr 21 09:29:32 authmgr[3899]: <522258> <4532> <DBUG> |authmgr| "VDR - Add to history of user user d8:0f:99:3a:21:2f vlan 0 derivation_type Reset VLANs for Station up index 0.
    Apr 21 09:29:32 authmgr[3899]: <522258> <4532> <DBUG> |authmgr| "VDR - Add to history of user user d8:0f:99:3a:21:2f vlan 40 derivation_type Current VLAN updated index 2.
    Apr 21 09:29:32 authmgr[3899]: <522258> <4532> <DBUG> |authmgr| "VDR - Add to history of user user d8:0f:99:3a:21:2f vlan 40 derivation_type Default VLAN index 1.
    Apr 21 09:29:32 authmgr[3899]: <522264> <4532> <DBUG> |authmgr| "MAC:d8:0f:99:3a:21:2f: Allocating UUID: 0xa7931f1cbe8c27e0
    Apr 21 09:29:32 authmgr[3899]: <522287> <4532> <DBUG> |authmgr| Auth GSM : MAC_USER publish for mac d8:0f:99:3a:21:2f bssid c8:b5:ad:e1:f6:32 vlan 40 type 1 data-ready 0
    Apr 21 09:29:32 authmgr[3899]: <522295> <4532> <DBUG> |authmgr| Auth GSM : USER_STA event 0 for user d8:0f:99:3a:21:2f
    Apr 21 09:29:32 authmgr[3899]: <522301> <4532> <DBUG> |authmgr| Auth GSM : USER publish for uuid 0xa7931f1cbe8c27e0 mac d8:0f:99:3a:21:2f name role logon devtype wired 0 authtype 0 subtype 0 encrypt-type 2 conn-port 8463 fwd-mode 0
    Apr 21 09:29:32 authmgr[3899]: <522320> <4532> <DBUG> |authmgr| handle_sta_up_dn (2958): rtts user=d8:0f:99:3a:21:2f enabled=0 initial tput=100000
    Apr 21 09:29:32 authmgr[3899]: <524124> <4532> <DBUG> |authmgr| dot1x_supplicant_up(): MAC:d8:0f:99:3a:21:2f, pmkid_present:False, pmkid:N/A
    Apr 21 09:29:32 authmgr[3899]: <524141> <4532> <DBUG> |authmgr| clr_pmkcache_ft():1013: MAC:d8:0f:99:3a:21:2f BSS:c8:b5:ad:e1:f6:32
    Apr 21 09:29:32 stm[2932]: <501093> <NOTI> |AP c8:b5:ad:c6:1f:62@172.30.40.109 stm| Auth success: d8:0f:99:3a:21:2f: AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62
    Apr 21 09:29:32 stm[2932]: <501095> <NOTI> |AP c8:b5:ad:c6:1f:62@172.30.40.109 stm| Assoc request @ 09:29:32.192665: d8:0f:99:3a:21:2f (SN 2049): AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62
    Apr 21 09:29:32 stm[2932]: <501100> <NOTI> |AP c8:b5:ad:c6:1f:62@172.30.40.109 stm| Assoc success @ 09:29:32.193718: d8:0f:99:3a:21:2f: AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62
    Apr 21 09:29:32 stm[3914]: <501100> <3914> <NOTI> |stm| Assoc success @ 09:29:32.196653: d8:0f:99:3a:21:2f: AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62
    Apr 21 09:29:33 authmgr[3899]: <522030> <3899> <INFO> |authmgr| MAC=d8:0f:99:3a:21:2f Station deauthenticated: BSSID=c8:b5:ad:e1:f6:32, ESSID=test
    Apr 21 09:29:33 authmgr[3899]: <522036> <4532> <INFO> |authmgr| MAC=d8:0f:99:3a:21:2f Station DN: BSSID=c8:b5:ad:e1:f6:32 ESSID=test VLAN=40 AP-name=c8:b5:ad:c6:1f:62
    Apr 21 09:29:33 authmgr[3899]: <522049> <3899> <INFO> |authmgr| MAC=d8:0f:99:3a:21:2f,IP=N/A User role updated, existing Role=logon/none, new Role=logon/none, reason=Station is L2 deauthenticated
    Apr 21 09:29:33 authmgr[3899]: <522050> <3899> <INFO> |authmgr| MAC=d8:0f:99:3a:21:2f,IP=N/A User data downloaded to datapath, new Role=logon/2, bw Contract=0/0, reason=Download driven by user role setting, idle-timeout=300
    Apr 21 09:29:33 authmgr[3899]: <522127> <3899> <DBUG> |authmgr| {L2} Update role from logon to logon for IP=N/A, MAC=d8:0f:99:3a:21:2f.
    Apr 21 09:29:33 authmgr[3899]: <522142> <3899> <DBUG> |authmgr| Setting cached role to NULL for user d8:0f:99:3a:21:2f".
    Apr 21 09:29:33 authmgr[3899]: <522158> <3899> <DBUG> |authmgr| Role Derivation for user N/A-d8:0f:99:3a:21:2f- N/A Station is L2 deauthenticated.
    Apr 21 09:29:33 authmgr[3899]: <522234> <4532> <DBUG> |authmgr| Setting idle timer for user d8:0f:99:3a:21:2f to 300 seconds (idle timeout: 300 ageout: 0).
    Apr 21 09:29:33 authmgr[3899]: <522244> <4532> <DBUG> |authmgr| MAC=d8:0f:99:3a:21:2f Station Deleted Update MMS
    Apr 21 09:29:33 authmgr[3899]: <522255> <3899> <DBUG> |authmgr| "VDR - set vlan in user for d8:0f:99:3a:21:2f vlan 40 fwdmode 0 derivation_type Current VLAN updated.
    Apr 21 09:29:33 authmgr[3899]: <522258> <3899> <DBUG> |authmgr| "VDR - Add to history of user user d8:0f:99:3a:21:2f vlan 0 derivation_type Reset all Auth VLANs index 4.
    Apr 21 09:29:33 authmgr[3899]: <522258> <3899> <DBUG> |authmgr| "VDR - Add to history of user user d8:0f:99:3a:21:2f vlan 40 derivation_type Current VLAN updated index 5.
    Apr 21 09:29:33 authmgr[3899]: <522260> <3899> <DBUG> |authmgr| "VDR - Cur VLAN updated d8:0f:99:3a:21:2f mob 0 inform 1 remote 0 wired 0 defvlan 40 exportedvlan 0 curvlan 40.
    Apr 21 09:29:33 authmgr[3899]: <522289> <3899> <DBUG> |authmgr| Auth GSM : MAC_USER mu_delete publish for mac d8:0f:99:3a:21:2f bssid c8:b5:ad:e1:f6:32 vlan 40 type 1 data-ready 0 deauth-reason 50
    Apr 21 09:29:33 authmgr[3899]: <522290> <4532> <DBUG> |authmgr| Auth GSM : MAC_USER delete for mac d8:0f:99:3a:21:2f
    Apr 21 09:29:33 authmgr[3899]: <522296> <4532> <DBUG> |authmgr| Auth GSM : USER_STA delete event for user d8:0f:99:3a:21:2f age 0 deauth_reason 50
    Apr 21 09:29:33 authmgr[3899]: <522301> <3899> <DBUG> |authmgr| Auth GSM : USER publish for uuid 0xa7931f1cbe8c27e0 mac d8:0f:99:3a:21:2f name role logon devtype wired 0 authtype 0 subtype 0 encrypt-type 2 conn-port 8463 fwd-mode 0
    Apr 21 09:29:33 authmgr[3899]: <522301> <4532> <DBUG> |authmgr| Auth GSM : USER publish for uuid 0xa7931f1cbe8c27e0 mac d8:0f:99:3a:21:2f name role logon devtype wired 0 authtype 0 subtype 0 encrypt-type 2 conn-port 8463 fwd-mode 0
    Apr 21 09:29:33 authmgr[3899]: <522303> <4532> <DBUG> |authmgr| Auth GSM : USER delete for mac d8:0f:99:3a:21:2f uuid 0xa7931f1cbe8c27e0
    Apr 21 09:29:33 mdns[4115]: <527000> <4115> <DBUG> |mdns| ag_mdns_get_token_list_for_mac 648 AirGroup user doesn't exist: mac=d8:0f:99:3a:21:2f
    Apr 21 09:29:33 mdns[4115]: <527000> <4115> <DBUG> |mdns| ag_ssdp_get_token_list_for_mac 348 AirGroup user doesn't exist: mac=d8:0f:99:3a:21:2f
    Apr 21 09:29:33 mdns[4115]: <527000> <4115> <DBUG> |mdns| mdns_client_purge 1146 Purge mdns client, mac=d8:0f:99:3a:21:2f, del_client = 1
    Apr 21 09:29:33 mdns[4115]: <527004> <4115> <INFO> |mdns| mdns_parse_auth_useridle_message 169 Auth User Idle Timeout: MAC:d8:0f:99:3a:21:2f
    Apr 21 09:29:33 stm[2932]: <501000> <DBUG> |AP c8:b5:ad:c6:1f:62@172.30.40.109 stm| Station d8:0f:99:3a:21:2f: Clearing state
    Apr 21 09:29:33 stm[2932]: <501037> <NOTI> |AP c8:b5:ad:c6:1f:62@172.30.40.109 stm| Station d8:0f:99:3a:21:2f: no association found trying to disassociate to BSSID c8:b5:ad:e1:f6:32 on AP c8:b5:ad:c6:1f:62
    Apr 21 09:29:33 stm[2932]: <501102> <NOTI> |AP c8:b5:ad:c6:1f:62@172.30.40.109 stm| Disassoc from sta: d8:0f:99:3a:21:2f: AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62 Reason STA has left and is disassociated
    Apr 21 09:29:33 stm[2932]: <501105> <NOTI> |AP c8:b5:ad:c6:1f:62@172.30.40.109 stm| Deauth from sta: d8:0f:99:3a:21:2f: AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62 Reason Response to EAP Challenge Failed
    Apr 21 09:29:33 stm[3914]: <501000> <4663> <DBUG> |stm| Station d8:0f:99:3a:21:2f: Clearing state
    Apr 21 09:29:33 stm[3914]: <501080> <4663> <NOTI> |stm| Deauth to sta: d8:0f:99:3a:21:2f: Ageout AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62 Response to EAP Challenge Failed
    Apr 21 09:29:33 stm[3914]: <501106> <4663> <NOTI> |stm| Deauth to sta: d8:0f:99:3a:21:2f: Ageout AP 172.30.40.109-c8:b5:ad:e1:f6:32-c8:b5:ad:c6:1f:62 wifi_deauth_sta



  • 4.  RE: Aruba Controller with (Radius)NPS

    MVP
    Posted Apr 21, 2020 01:35 AM

    Did you try the command:

     

    show auth-tracebuf & show auth-tracebuf mac <mac address of the device> ?

     

    Also, as I mentioned in my previous post, did you check whether you have the certificates from the CA in place?



  • 5.  RE: Aruba Controller with (Radius)NPS

    Posted Apr 21, 2020 05:23 AM

    Thanks shpat!

    I tried show auth-tracebuf mac <mac address of the device>.

    The log when I input the username & password manually:

    Apr 21 16:56:31 station-up * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 - - dynamic wep
    Apr 21 16:56:31 station-term-start * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 40 -
    Apr 21 16:56:31 eap-term-start -> d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - -
    Apr 21 16:56:31 station-term-start * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 40 -
    Apr 21 16:56:31 client-finish -> d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - -
    Apr 21 16:56:31 server-finish <- d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - 61
    Apr 21 16:56:31 server-finish-ack -> d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - -
    Apr 21 16:56:31 inner-eap-id-req <- d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - 35
    Apr 21 16:56:31 inner-eap-id-resp -> d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - - zhiyang.cao
    Apr 21 16:56:31 eap-mschap-chlg <- d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - 67
    Apr 21 16:56:31 eap-mschap-response -> d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius 6 49
    Apr 21 16:56:31 mschap-request -> d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius 6 - zhiyang.cao
    Apr 21 16:56:31 mschap-response <- d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/172.30.0.34 - - zhiyang.cao
    Apr 21 16:56:31 eap-mschap-success <- d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - 83
    Apr 21 16:56:31 eap-mschap-success-ack-> d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - -
    Apr 21 16:56:31 eap-tlv-rslt-success <- d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - 43
    Apr 21 16:56:31 eap-tlv-rslt-success -> d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 - 2
    Apr 21 16:56:31 eap-success <- d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - 4
    Apr 21 16:56:31 wep-mkey <- d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 - 57
    Apr 21 16:56:31 wep-ukey <- d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 - 57
    Apr 21 16:56:37 station-down * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 - -

    The log when I choose "Use my Windows user account":

    Apr 21 16:56:56 station-up * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 - - dynamic wep
    Apr 21 16:56:56 station-term-start * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 40 -
    Apr 21 16:56:56 station-tls-alert * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius 48 2 failure
    Apr 21 16:56:56 station-term-end * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius 1 - failure
    Apr 21 16:56:56 eap-failure <- d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - 4
    Apr 21 16:56:56 station-down * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 - -
    Apr 21 16:56:58 station-up * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 - - dynamic wep
    Apr 21 16:56:58 station-term-start * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 40 -
    Apr 21 16:57:00 station-tls-alert * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius 48 2 failure
    Apr 21 16:57:00 station-term-end * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius 1 - failure
    Apr 21 16:57:00 eap-failure <- d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - 4
    Apr 21 16:57:00 station-down * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 - -

     

    I did not request a certificate on NPS yet because I did not understand: is a certificate necessary for "Use my Windows user account"? Is it a must to use AD CS?

     

    Hope for your reply.

    Great thanks!
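    As an added example (editor's code, not from the thread or from HPE Aruba), here is a small Python classifier for the `show auth-tracebuf mac <mac>` output suggested in reply 2, run against the two traces posted in this reply. It assumes the field layout visible in those traces; it reads the `station-term-start` / `eap-term-start` events as the controller's EAP-termination path (the cause reply 13 names), and reads the `48 2` on the `station-tls-alert` line as TLS alert 48 (unknown_ca) at level 2 (fatal), which matches reply 9's "the client is not trusting the certificate". The sample traces are constructed from the posted ones, trimmed, with the username replaced.

```python
"""Classify ArubaOS `show auth-tracebuf mac <mac>` output for one 802.1X client.
Added example; field layout and the term-* reading are assumptions (see lead-in)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# TLS alert descriptions (RFC 5246 section 7.2), the certificate-related subset.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              43: "unsupported_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown",
              48: "unknown_ca"}

ADVICE = {
    "legacy-dynamic-wep":
        "SSID keys with dynamic WEP; move it to WPA2/WPA3-Enterprise (AES).",
    "eap-termination-on-controller":
        "Controller terminates PEAP with its own certificate; disable EAP "
        "termination in the 802.1X auth profile so NPS terminates TLS.",
    "inner-mschapv2-forwarded-to-radius":
        "Inner MS-CHAPv2 reaches RADIUS outside the client's TLS tunnel; "
        "after disabling termination, drop non-EAP MS-CHAPv2 from the NPS policy.",
    "client-tls-alert":
        "Supplicant rejected the server certificate; check which cert is "
        "presented and the client's trusted root CA / server-name settings.",
}

# e.g. "Apr 21 16:56:56 station-tls-alert * <mac> <bssid>/dot1x-radius 48 2 failure"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(?P<event>\S+?)\s*(?P<dir>\*|->|<-)\s+"
    r"(?P<mac>\S+)\s+(?P<peer>\S+)\s+(?P<f1>\S+)\s+(?P<f2>\S+)(?P<extra>.*)$")


@dataclass
class Event:
    event: str
    direction: str   # "*" local, "->" towards server, "<-" from server
    mac: str
    peer: str        # BSSID, optionally "/dot1x-radius" or "/<radius ip>"
    f1: str
    f2: str
    extra: list[str] = field(default_factory=list)


def parse_tracebuf(text: str) -> list[Event]:
    """Parse tracebuf lines; unrecognised lines are skipped, never guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["event"], m["dir"], m["mac"], m["peer"],
                                m["f1"], m["f2"], m["extra"].split()))
    return events


def analyze(trace: str) -> dict:
    """Return the EAP outcome plus security findings, in first-seen order."""
    findings, outcome = [], "incomplete"
    for e in parse_tracebuf(trace):
        if e.event == "station-up" and e.extra[-2:] == ["dynamic", "wep"]:
            findings.append("legacy-dynamic-wep")
        elif e.event in ("station-term-start", "eap-term-start"):
            findings.append("eap-termination-on-controller")
        elif e.event == "mschap-request" and e.direction == "->":
            findings.append("inner-mschapv2-forwarded-to-radius")
        elif e.event == "station-tls-alert":
            code = int(e.f1) if e.f1.isdigit() else -1
            level = "fatal" if e.f2 == "2" else "warning"
            findings.append(
                f"client-tls-alert:{level}:{TLS_ALERTS.get(code, f'code-{code}')}")
        elif e.event == "eap-success":
            outcome = "success"
        elif e.event == "eap-failure":
            outcome = "failure"
    findings = list(dict.fromkeys(findings))          # de-duplicate, keep order
    advice = [ADVICE[f.split(":")[0]] for f in findings if f.split(":")[0] in ADVICE]
    return {"outcome": outcome, "findings": findings, "advice": advice}


# Constructed samples: the two traces from this reply, trimmed, username replaced.
TRACE_MANUAL_CREDENTIALS = """\
Apr 21 16:56:31 station-up * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 - - dynamic wep
Apr 21 16:56:31 station-term-start * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 40 -
Apr 21 16:56:31 eap-term-start -> d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - -
Apr 21 16:56:31 inner-eap-id-resp -> d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - - alice
Apr 21 16:56:31 mschap-request -> d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius 6 - alice
Apr 21 16:56:31 mschap-response <- d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/172.30.0.34 - - alice
Apr 21 16:56:31 eap-success <- d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - 4
Apr 21 16:56:37 station-down * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 - -
"""
TRACE_WINDOWS_ACCOUNT = """\
Apr 21 16:56:56 station-up * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 - - dynamic wep
Apr 21 16:56:56 station-term-start * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 40 -
Apr 21 16:56:56 station-tls-alert * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius 48 2 failure
Apr 21 16:56:56 station-term-end * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius 1 - failure
Apr 21 16:56:56 eap-failure <- d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32/dot1x-radius - 4
Apr 21 16:56:56 station-down * d8:0f:99:3a:21:2f c8:b5:ad:e1:f6:32 - -
"""

if __name__ == "__main__":
    for name, trace in (("manual credentials", TRACE_MANUAL_CREDENTIALS),
                        ("Windows user account", TRACE_WINDOWS_ACCOUNT)):
        result = analyze(trace)
        print(f"{name}: outcome={result['outcome']} findings={result['findings']}")
        for line in result["advice"]:
            print("  -", line)
```

    Under this reading, the "working" trace worked only because the controller terminated PEAP itself and relayed the inner MS-CHAPv2 exchange to the RADIUS server at 172.30.0.34 (the `mschap-request` / `mschap-response` pair): that is why NPS logged a username in that case alone, and why the NPS policy had to accept non-EAP MS-CHAPv2, the exposure reply 7 flags. The `dynamic wep` keying on the `station-up` line is a separate legacy finding the thread does not discuss.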



  • 6.  RE: Aruba Controller with (Radius)NPS

    MVP
    Posted Apr 21, 2020 05:36 AM

    Hi,

     

    This is a configuration of NPS in a working environment at one of our customers.

    Windows Server 2016.

     

    [NPS screenshots not captured]

     

    Policy Settings:

    [screenshot not captured]

     

    Authentication Method Settings:

    [screenshot not captured]

    Press EAP (PEAP) and then go to Edit... These are my settings, for the certificate:

    [screenshot not captured]

    Here you have to select a valid certificate between the NPS and the Root CA.

     

    This article can be helpful:

    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements

     

    Before, I didn't have this and I had a similar issue to yours. After I placed the certificate in the NPS and selected the correct certificate here, it solved the issue.

     

     



  • 7.  RE: Aruba Controller with (Radius)NPS

    EMPLOYEE
    Posted Apr 21, 2020 11:00 AM

    Hi shpat,

     

    Your NPS configuration is risky as it allows less secure methods (highlighted below) that are not protected by a TLS tunnel.

     

    [screenshot not captured]

     



  • 8.  RE: Aruba Controller with (Radius)NPS

    MVP
    Posted Apr 21, 2020 11:25 AM

    Greetings Ayman,

     

    Thanks very much for the information. While I was taking screenshots for the post on the forum, I noticed that, and I asked the end customer to change them.

     



  • 9.  RE: Aruba Controller with (Radius)NPS

    EMPLOYEE
    Posted Apr 21, 2020 11:21 AM

    Hi Elan,

     

    Can you share screenshots of the wireless client configuration settings? Do you have "validate server certificate" turned on? Are you using user or computer authentication? Do you have the proper authentication method configured (EAP-PEAP)?

     

    Also, the certificate on your NPS server is issued by which CA? Does the machine have the certificate of this CA in its trusted store?

     

    Based on your logs, the client is not trusting the certificate:

    Apr 21 16:57:00 station-tls-alert * d8:0f:99:3a:21:2f



  • 10.  RE: Aruba Controller with (Radius)NPS

    Posted Apr 21, 2020 11:06 PM

    Thanks Ayman.

    Here is my configuration.

    [screenshots not captured]

    I set up AD CS on the NPS (we have another CS in the domain, but for some reason I don't know, the server was shut down). Does this matter? Do I need to push a policy to trust the RADIUS CA?

     



  • 11.  RE: Aruba Controller with (Radius)NPS

    EMPLOYEE
    Posted Apr 22, 2020 05:01 AM

    Hi Elan,

     

    Can you share the configuration that you have on the wireless network side?

     

    Do you have validate certificate checked?

    Did you specify connect to these servers?

    Did you select the trusted Root CA?

    Its certificate must be installed on the PC (it can be pushed via GPO or installed manually).

     

    [screenshot not captured]

    What is your authentication mode?

    [screenshot not captured]

     

     

     



  • 12.  RE: Aruba Controller with (Radius)NPS

    Posted Apr 22, 2020 05:46 AM

    Hi Ayman.

    Thank you very much for your reply.

     

    I tried to connect to the test SSID using username&password to give you a screenshot.

    [screenshots not captured]

    And when I try to connect to the test SSID, I noticed that the cert is from Aruba, not from my CA. Did I miss something in my controller?

    [screenshot not captured]



  • 13.  RE: Aruba Controller with (Radius)NPS

    EMPLOYEE
    Posted Apr 22, 2020 06:53 AM

    I suspect you have EAP-Termination configured on your controller in your 802.1x-authentication profile for this SSID.

    If you do, please disable EAP termination on the controller (uncheck the box if it is already checked).

     

    [screenshot not captured]

     

    [screenshot not captured]




  • 14.  RE: Aruba Controller with (Radius)NPS

    Posted Apr 22, 2020 07:57 AM

    Thanks.

    Because of the jet lag, I cannot test now and will give you some feedback tomorrow.

    About the CA, I have a couple of questions, can you please help?

    1. I set up the NPS as another Enterprise Root CA (named RADIUS CA), am I correct?
    2. I request a certificate from RADIUS CA on the NPS (itself), am I correct?
    3. I need to publish a GPO to force everyone to request a certificate from RADIUS CA, am I correct?

    Thanks again! Have a good day.



  • 15.  RE: Aruba Controller with (Radius)NPS

    Posted Apr 23, 2020 01:19 AM

    Hi Ayman,

    It works, perfectly.

     

    Thanks very much for your kind help.



  • 16.  RE: Aruba Controller with (Radius)NPS

    EMPLOYEE
    Posted Apr 23, 2020 03:28 AM

    Hi Elan,

     

    Great that it works now...



  • 17.  RE: Aruba Controller with (Radius)NPS

    MVP
    Posted Apr 22, 2020 06:59 AM

    You have to remove EAP termination from the WLC configuration in the L2 authentication profile.



  • 18.  RE: Aruba Controller with (Radius)NPS

    Posted Apr 22, 2020 08:01 AM

    Thanks shpat.

    Because of the jet lag, I will test tomorrow and give feedback.

    Have a nice day!!!



  • 19.  RE: Aruba Controller with (Radius)NPS

    Posted Apr 23, 2020 01:20 AM

    Thanks shpat.

    it works well. 

    Thanks very much for your kind help.



  • 20.  RE: Aruba Controller with (Radius)NPS

    MVP
    Posted Apr 23, 2020 02:30 AM

    Very Good.

     

    Glad we could help



  • 21.  RE: Aruba Controller with (Radius)NPS

    MVP
    Posted Apr 20, 2020 02:19 AM

    Have you checked if you imported the certificate correctly?

    You need to have a certificate from a CA if trying to access with domain credentials.
    I had a similar case showing the exact same error; after I imported the correct certificates in the NPS and WLC, the issue was solved.