Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

  • 1.  Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    Posted Oct 23, 2018 03:22 AM

    Hello,

    I am trying to connect my users to our WLAN using RADIUS authentication (NPS on Win2012). I followed some tutorials and some solutions that I found here, but it is still not working :(

    I always receive an authentication error in the VC.

    Where can I find further information about this error?

    Maybe these lines are useful:

    show ap debug radius-statistics
    
    RADIUS Statistics
    -----------------
    Statistics                    InternalServer  DC02
    ----------                    --------------  ----
    In Service: Management Auth   Not used        Not used
    In Service: GerstnerZentrale  Not used        Not used
    Accounting Requests           0               0
    Raw Requests                  0               0
    PAP Requests                  0               0

    DC02 is my WindowsServer - why is it not used?

     

    Auth Trace Buffer also shows some lines like these:

    Oct 23 08:27:24  rad-req               ->  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50/t_DC02  51  245   nonasid
    Oct 23 08:27:25  rad-resp              <-  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50/t_DC02  51  -
    Oct 23 08:27:25  eap-req               <-  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50         4   490
    Oct 23 08:27:25  eap-resp              ->  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50         4   17
    Oct 23 08:27:25  rad-req               ->  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50/t_DC02  52  256   nonasid
    Oct 23 08:27:26  rad-reject            <-  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50/t_DC02  52  -
    Oct 23 08:27:26  eap-failure           <-  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50         4   4     server rejected
    Oct 23 08:27:26  station-up             *  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50         -   -     wpa2 aes
    Oct 23 08:27:26  eap-id-req            <-  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50         1   5
    Oct 23 08:27:26  eap-start             ->  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50         -   -

    Who is this t_DC02 ?

     

    Thanks, Frantischek
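
Added example, not part of the original thread: a short Python parser for the auth trace buffer format posted above. It pairs each rad-req with the rad-* reply that carries the same station, server and packet ID; the field names and the "no-reply" label are this example's own, and the sample lines are copied from the post.

```python
from collections import Counter

# First eight auth trace lines, copied from the first post of this thread.
TRACE = """\
Oct 23 08:27:24  rad-req               ->  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50/t_DC02  51  245   nonasid
Oct 23 08:27:25  rad-resp              <-  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50/t_DC02  51  -
Oct 23 08:27:25  eap-req               <-  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50         4   490
Oct 23 08:27:25  eap-resp              ->  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50         4   17
Oct 23 08:27:25  rad-req               ->  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50/t_DC02  52  256   nonasid
Oct 23 08:27:26  rad-reject            <-  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50/t_DC02  52  -
Oct 23 08:27:26  eap-failure           <-  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50         4   4     server rejected
Oct 23 08:27:26  station-up             *  a4:4e:31:94:ec:64  80:8d:b7:1d:4b:50         -   -     wpa2 aes
"""

def parse_line(line):
    """Name the whitespace-separated fields of one trace line (names are this example's)."""
    f = line.split()
    if len(f) < 9:                          # blank or truncated line
        return None
    bssid, _, server = f[6].partition("/")  # RADIUS events show "bssid/server"
    return {"time": " ".join(f[:3]), "event": f[3], "station": f[5],
            "bssid": bssid, "server": server, "id": f[7], "info": " ".join(f[9:])}

def radius_exchanges(trace):
    """Pair every rad-req with the later rad-* event that has the same station,
    server and packet ID; requests without one are reported as 'no-reply'."""
    pending, done = {}, []
    for rec in filter(None, map(parse_line, trace.splitlines())):
        if not rec["event"].startswith("rad-"):
            continue                        # EAP and station events are skipped
        key = (rec["station"], rec["server"], rec["id"])
        if rec["event"] == "rad-req":
            pending[key] = rec
        elif key in pending:
            req = pending.pop(key)
            done.append({"server": key[1], "id": key[2], "station": key[0],
                         "sent": req["time"], "reply": rec["event"]})
    for (station, server, pkt_id), req in pending.items():
        done.append({"server": server, "id": pkt_id, "station": station,
                     "sent": req["time"], "reply": "no-reply"})
    return done

def summarize(trace):
    """Count reply types per RADIUS server."""
    return Counter((x["server"], x["reply"]) for x in radius_exchanges(trace))

if __name__ == "__main__":
    print(*radius_exchanges(TRACE), sep="\n")
```

For the posted lines this yields two exchanges with t_DC02, one answered with rad-resp and one with rad-reject; a request that never gets a reply in the trace would show up as no-reply instead.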



  • 2.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    EMPLOYEE
    Posted Oct 23, 2018 06:08 AM

    Do you see anything in the NPS portion of the event viewer in the radius server?



  • 3.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    Posted Oct 23, 2018 06:24 AM

    No, 

    I had some events concerning the wrong secret - but after I fixed this, it's silent.

    I also double-checked the audit policy with:

    C:\Windows\system32>auditpol /get /subcategory:"Netzwerkrichtlinienserver"
    Systemüberwachungsrichtlinie
    Kategorie/Unterkategorie                  Einstellung
    An-/Abmeldung
      Netzwerkrichtlinienserver               Erfolg und Fehler

    It's also okay. Sorry for the German :)

     



  • 4.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    EMPLOYEE
    Posted Oct 23, 2018 06:30 AM

    Do you have a screenshot of your SSID configuration?



  • 5.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    Posted Oct 23, 2018 06:33 AM

    Like this? 

    wlan ssid-profile GerstnerZentrale
     enable
     index 0
     termination
     type employee
     essid GerstnerZentrale
     opmode wpa2-aes
     max-authentication-failures 0
     auth-server DC02
     rf-band all
     captive-portal disable
     dtim-period 1
     broadcast-filter arp
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
    
    


  • 6.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    EMPLOYEE
    Posted Oct 23, 2018 06:36 AM

    That looks good.  You should not have to change or edit an audit policy.

     

    On the command line of the Instant AP, you should use the aaa test server command to test connectivity to your Windows Server 2012:  https://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#CLI_commands/aaa_test_server.htm



  • 7.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    Posted Oct 23, 2018 06:40 AM

    Here's the result

    # aaa test-server DC02 username c.leitner password ****** auth-type PAP
    Username or password wrong for radius server DC02, reason code 7

    Now I see a new event 6273 with reason code 66 in the log on the server.

    It says something like the authentication method was not activated on the server.

     



  • 8.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    EMPLOYEE
    Posted Oct 23, 2018 06:49 AM

    That is good.  That means the traffic is getting to the radius server.  PAP is only for Captive Portal, so you would not have that enabled.

     

    Do you have a screenshot of your NPS policies?



  • 9.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    Posted Oct 23, 2018 06:57 AM

    Sorry for the German language again :)



  • 10.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    Posted Oct 23, 2018 07:02 AM

    Here is an all-in-one screenshot :)



  • 11.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    EMPLOYEE
    Posted Oct 23, 2018 07:42 AM

    Are you trying to do EAP-PEAP (username and password) or EAP-TLS (Client-Side Certificates)?  If you are not doing client-side certificates, under "constraints" you should remove the "smartcard" entry.

     

    Based on your configuration, the aaa test should work because you have PAP enabled.



  • 12.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    Posted Oct 23, 2018 08:43 AM

    I removed the smartcard constraint. 

    What else can I try?



  • 13.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    EMPLOYEE
    Posted Oct 23, 2018 01:07 PM

    You should try using a mobile client like an iPhone or Android phone to connect first, because they are more forgiving than Windows clients.



  • 14.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    Posted Oct 24, 2018 02:16 AM

    I tried it - but I can't connect and I get an authentication error.

    In the logs on the NPS I can't see the connection attempt.



  • 15.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    EMPLOYEE
    Posted Oct 24, 2018 04:07 AM

    Is this a single Instant AP or multiple?  Do you have DRP (Dynamic Radius Proxy) enabled? 



  • 16.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    Posted Oct 25, 2018 03:39 AM

    It's a single AP and DRP is now enabled.



  • 17.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    EMPLOYEE
    Posted Oct 25, 2018 03:55 AM

    DRP is only valuable if you have more than one IAP.  Authentication should work without it.

     

    Please check the logs on the radius server to see why the authentication would be dropped.  There must be something there maybe in the system logs.



  • 18.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    Posted Oct 25, 2018 04:45 AM

    OK. I disabled DRP.

    When I try to connect with my Android phone I have to enter some data. Can you please check if I use valid data:

    EAP-method: PEAP

    Phase2: MSCHAPV2

    CA-Certificate: I downloaded the CA-Certificate from my certificate server and chose this.

    Domain: our AD-domainname

    Identity: my samAccountname

    Anonymous identity: samAccountname

    Password: my password.

     

    Are these inputs correct?

     

    The next strange thing is that the AP doesn't send MSCHAPV2 requests to the server:

     show ap debug radius-statistics
    
    RADIUS Statistics
    -----------------
    Statistics                    InternalServer  DC02
    ----------                    --------------  ----
    In Service: Management Auth   Not used        Not used
    In Service: GerstnerZentrale  Not used        Not used
    Accounting Requests           0               0
    Raw Requests                  0               0
    PAP Requests                  0               5
    CHAP Requests                 0               0
    MS-CHAP Requests              0               0
    MS-CHAPv2 Requests            0               0

     

    Btw thanks for your support! :)



  • 19.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0
    Best Answer

    Posted Oct 25, 2018 07:24 AM

    Hello,

    I tried a smaller key and now it's working.

    Very strange - but I'm happy. :) 

     

    Thanks for your support!

     

    Regards

    Frantischek



  • 20.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    EMPLOYEE
    Posted Oct 25, 2018 08:09 AM

    Wow!  How big was the first key?



  • 21.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    Posted Oct 25, 2018 08:10 AM

    It was this one:

    MAyQGhczfV@P^9JyFrBiOAFW^tFWk#QNCRvJVhQUpmlEu!gvs!Y5s31^@Pa106Ft

    Maybe it contains some special characters that the VC doesn't like?



  • 22.  RE: Radius auth with Windows Server 2012 and Aruba OS 8.3.0.0

    EMPLOYEE
    Posted Oct 25, 2018 08:11 AM

    Let me check.