Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

EAP-TLS Auth Failure

  • 1.  EAP-TLS Auth Failure

    MVP
    Posted Feb 02, 2015 11:51 AM

    Hi Community,

     

    We have an Aruba 7030 controller running 6.4.2.3 and are attempting to do EAP-TLS authentication to a Windows NPS server. The NPS server has been configured with a connection profile and network policy.

     

    On the Aruba controller we have WPA2/AES configured with an AAA profile that has a dot1x profile assigned. Termination is NOT enabled.

    I ran some logging on the controller to watch the authentication and I see the requests and rejects coming back from NPS. The error we receive in NPS is "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server". We have an internal CA and the certificate is installed on the computer. We verified the Root CA is trusted.

     

    Not sure where else to look now. Any ideas why this is coming through?

     




  • 2.  RE: EAP-TLS Auth Failure

    EMPLOYEE
    Posted Feb 02, 2015 11:53 AM
    Do you see anything in the NPS event viewer? 


    Thanks, 
    Tim


  • 3.  RE: EAP-TLS Auth Failure

    MVP
    Posted Feb 02, 2015 11:57 AM

    Yes, it is showing and the info in the request shows EAP but no EAP-Type and the error is "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

     

    We configured the client device with WPA2/AES and security is Microsoft smart card or other certificate. 

     


     

    We added the server in "connect to these servers" and checked the certificate in the list.



  • 4.  RE: EAP-TLS Auth Failure

    EMPLOYEE
    Posted Feb 02, 2015 12:00 PM
    Just for testing, can you uncheck validation? 


    Thanks, 
    Tim


  • 5.  RE: EAP-TLS Auth Failure

    MVP
    Posted Feb 02, 2015 12:03 PM

    Unchecking validate server certificate, the connection continued to spin and after a while it just failed.



  • 6.  RE: EAP-TLS Auth Failure

    MVP
    Posted Feb 02, 2015 12:48 PM

    We have opened a case with Aruba TAC and I will post changes that resolved the issue.



  • 7.  RE: EAP-TLS Auth Failure

    EMPLOYEE
    Posted Feb 02, 2015 02:43 PM

    Is the clock on both client and server correct?



  • 8.  RE: EAP-TLS Auth Failure

    MVP
    Posted Feb 02, 2015 03:36 PM

    Clocks are the same, no deviation.



  • 9.  RE: EAP-TLS Auth Failure

    EMPLOYEE
    Posted Feb 02, 2015 04:29 PM

    Mharing,

     

    Did the CA issue the Radius Server Certificate and the Client Certificate?

     

    If not, is the CA that issued the certificate listed as one of the trusted CAs on the NPS server?

     



  • 10.  RE: EAP-TLS Auth Failure

    Posted Feb 03, 2015 04:29 AM

    Just a wild guess, but is this a new NPS server? Does it actually have the certificate to use for Radius? So not the CA, but the one you select in one of the NPS profile settings.



  • 11.  RE: EAP-TLS Auth Failure
    Best Answer

    MVP
    Posted Feb 04, 2015 09:29 AM

    Customer was able to resolve this. Here is what happened:

     

    Customer was using the factory (default) computer certificate from Windows server, which must have been missing some information or was just not intended for use by machines. Customer created a new computer certificate, and pushed it out to the machines and authentication works successfully.


    Just an FYI in case anybody runs into the same issue. I'm not super well versed in Windows Server Administration, so this will be something I keep in mind when doing more EAP-TLS deployments.

     

    Thanks everyone for the help and input!
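
For anyone who hits the same NPS error, the following is an added example, not code from the thread or from Aruba or Microsoft. It audits the local computer certificate store for the properties a Windows EAP-TLS client certificate generally needs. The thread does not say which field the customer's default certificate lacked, so the list of checks is an assumption.

```powershell
# Added example: audit Cert:\LocalMachine\My for certificates usable as an
# EAP-TLS computer (client) certificate. Assumption: the thread does not say
# which field the default certificate lacked; these are the general checks.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$ekuOid        = '2.5.29.37'           # Enhanced Key Usage extension
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension
$now           = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert     = $_
    $problems = @()

    # The supplicant must be able to sign with the certificate's key.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += 'outside validity period'
    }

    # A self-signed certificate cannot chain to the internal CA that NPS trusts.
    if ($cert.Subject -eq $cert.Issuer) { $problems += 'self-signed' }

    # The EKU extension must list Client Authentication.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuOid }
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $clientAuthOid })
    }
    if (-not $hasClientAuth) { $problems += 'EKU lacks Client Authentication' }

    # Computer certificates carry the machine's DNS name in the SAN.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if (-not $san) { $problems += 'no Subject Alternative Name' }

    # Build the chain locally; revocation is skipped so this runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) { $problems += 'chain does not build to a trusted root' }

    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        Expires  = $cert.NotAfter
        SAN      = if ($san) { $san.Format($false) } else { '' }
        Problems = if ($problems) { $problems -join '; ' } else { 'none found' }
    }
} | Format-List
```

Run it on a client that fails to authenticate and compare the output with a client that succeeds; the NPS server must also trust the issuing CA shown in the Issuer field.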