Wireless Access


Problem ViA EAP-TLS Ikev2

  • 1.  Problem ViA EAP-TLS Ikev2

    Posted Aug 09, 2017 05:07 AM

    Hi,


    We have some trouble setting up ViA with EAP-TLS authentication.

    Scenario:

    • We have distributed certs to users
    • Set up ViA profiles to look at our NPS server
    • The NPS server is up and we think everything is fine, but we get Reason code 22: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
    • We are using the User cert template for the client certs and our NPS server is using the RAS and IAS cert template. NPS is not a domain controller but a domain member.

    I think I have looked everywhere for a solution, but now we are ready to give up.


    My question is: does someone have a good, solid guide to setting up ViA with EAP-TLS verification through Windows NPS?


    This is the log from the client:

    Aug 09 10:45:50.801  p3264  t2058  INFO anikeimpl  578  IKE PAcket Received
    Aug 09 10:45:51.208  p3264  t2058  TRACE ancert_mgmt  296  Enter CertificateLeafDNTest
    Aug 09 10:45:51.208  p3264  t2058  DEBUG ancert_mgmt  301  0 DN pair Configured
    Aug 09 10:45:51.208  p3264  t2058  INFO ancert_mgmt  311  DN test staus 0
    Aug 09 10:45:51.208  p3264  t2058  TRACE ancert_mgmt  312  Exit CertificateLeafDNTest
    Aug 09 10:45:51.209  p3264  t2058  INFO ancert_mgmt  344  Issuer Attribute type 38
    Aug 09 10:45:51.209  p3264  t2058  INFO ancert_mgmt  344  Issuer Attribute type 38
    Aug 09 10:45:51.209  p3264  t2058  INFO ancert_mgmt  344  Issuer Attribute type 3
    Aug 09 10:45:51.209  p3264  t2058  INFO ancert_mgmt  413  Issuer Attribute tierp-ZOOM2K8-CA
    Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  450  Validate cert and its ancestor for basic constraint check
    Aug 09 10:45:51.213  p3264  t2058  ERROR ancert_mgmt  749  Query User Token failed reason = 5
    Aug 09 10:45:51.213  p3264  t2058  WARNING ancert_mgmt  585   Failed locating a logged on user, err= 5, Continueing..
    Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  622  The size of the chain context is 72.
    Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  623  1 simple chains found.
    Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  624  Error Status code is 1
    Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  628  This certificate or one of the certificates in the certificate chain is not time-valid.
    Aug 09 10:45:51.214  p3264  t2058  ERROR anike_mocana_cbh  1510  CHILD_SA [v2 I] failed
    Aug 09 10:45:51.214  p3264  t2058  INFO anike_mocana_cbh  1512  , status = -6012
    Aug 09 10:45:51.215  p3264  t2058  ERROR anike_mocana_cbh  1390    IKE_SA [v2 I] (id=0xa3b378f3) failed
    Aug 09 10:45:51.215  p3264  t2058  ERROR anike_mocana_cbh  1397  sending ike event
    Aug 09 10:45:51.215  p3264  t2058  ERROR anike_mocana_cbh  1402   IKE Phase 1 SA Failed status = -6012
    Aug 09 10:45:51.215  p3264  t2058  TRACE anikeimpl  302  EAP INFO Deleted EAP Session.
    Aug 09 10:45:51.215  p3264  t2058  DEBUG anikeimpl  531 



  • 2.  RE: Problem ViA EAP-TLS Ikev2

    Posted Aug 09, 2017 05:53 AM
    Can you show us what the NPS policy looks like?


  • 3.  RE: Problem ViA EAP-TLS Ikev2
    Best Answer

    Posted Aug 09, 2017 08:11 AM

    For information: we have found a solution :).


    The problem was that the ViA client tried to use an expired CA certificate on the workstation. One line in the log from the ViA client said "invalid time", and that was probably this expired certificate.


    Deleted that certificate on the client and it now runs correctly.
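As an added example (not from this thread or from HPE Aruba), a small Python triage script for ViA client logs like the one in the first post: it parses the line format, expands the chain "Error Status code" into Windows CERT_TRUST_* flag names, and reports whether the IKE failure is a certificate-validity problem on the client rather than an NPS/EAP problem. It assumes, as the "not time-valid" message next to the code suggests, that ViA logs the Windows chain-engine trust-status bitmask; the sample log is constructed.

```python
import re

# Windows CertGetCertificateChain trust-status bits (CERT_TRUST_* in wincrypt.h). Assumption:
# ViA's "Error Status code is N" carries this bitmask; 1 == CERT_TRUST_IS_NOT_TIME_VALID.
CERT_TRUST_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000010: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
}
# One ViA line: "<Mon DD HH:MM:SS.mmm>  p<pid>  t<tid>  <LEVEL> <module>  <n>  <message>"
LINE_RE = re.compile(r"^\w{3} \d\d [\d:.]+\s+p\d+\s+t\d+\s+(?P<level>[A-Z]+)\s+"
                     r"(?P<module>\w+)\s+\d+\s+(?P<msg>.*)$")
STATUS_RE = re.compile(r"Error Status code is (\d+)")
IKE_RE = re.compile(r"IKE Phase 1 SA Failed status = (-?\d+)")

# Constructed sample, modelled on the client log in the first post.
SAMPLE_LOG = """\
Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  624  Error Status code is 1
Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  628  This certificate or one of the certificates in the certificate chain is not time-valid.
Aug 09 10:45:51.215  p3264  t2058  ERROR anike_mocana_cbh  1402   IKE Phase 1 SA Failed status = -6012
"""


def decode_chain_status(code: int) -> list[str]:
    """Expand a CERT_TRUST bitmask into flag names; unknown bits are kept as hex."""
    names = [name for bit, name in CERT_TRUST_FLAGS.items() if code & bit]
    leftover = code & ~sum(CERT_TRUST_FLAGS)
    return names + ([f"UNKNOWN_0x{leftover:08x}"] if leftover else [])


def triage_via_log(text: str) -> dict:
    """Pull the chain-validation result and IKE outcome out of a ViA client log."""
    result = {"chain_flags": [], "ike_status": None, "verdict": "no failure seen"}
    for raw in text.splitlines():
        if not (m := LINE_RE.match(raw.strip())):
            continue  # blank, wrapped or non-ViA line
        if s := STATUS_RE.search(m["msg"]):
            result["chain_flags"] = decode_chain_status(int(s.group(1)))
        if s := IKE_RE.search(m["msg"]):
            result["ike_status"] = int(s.group(1))
    if "CERT_TRUST_IS_NOT_TIME_VALID" in result["chain_flags"]:
        result["verdict"] = "expired or not-yet-valid cert in the chain: check the CA certs in the client's stores"
    elif result["chain_flags"]:
        result["verdict"] = "chain validation failed: " + ", ".join(result["chain_flags"])
    elif result["ike_status"] is not None:
        result["verdict"] = f"IKE failed (status {result['ike_status']}) with a clean chain: look at the NPS/EAP side"
    return result
```

Run `triage_via_log` over a saved ViA log; a verdict that names CERT_TRUST_IS_NOT_TIME_VALID points at the client's certificate stores, as in this thread, before anything on the NPS side is touched.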