You should not put a certificate on the AP if you want to use the certificate on your RADIUS Server.
You may try to flip the EAP offload to the other setting and retest. I think in some earlier versions of Instant the setting worked opposite to what you would expect.
Also make sure that you don't have the Internal server as primary or backup authentication server for your SSID.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Apr 03, 2023 04:31 AM
From: EnhancedDeflate
Subject: Installing Windows NPS as Radius authentication
Dear @ariyap,
thank you for your input, it is highly appreciated.
Your summary is what I expected, too: no certificate message should be shown, as negotiation happens between the client and NPS/RADIUS, so auto-connect should be working as it does with APs from another vendor (as the machine certificate is already in place) – but even with EAP offload set to 'disable' I see this AP's certificate, it's not transparent and I don't get why! 🤨 (latest FW installed).
Does it mean that I'll have to manually add the certificate on the AP nonetheless, maybe?
I can't look into Aruba Central today unfortunately, but tomorrow I can grab additional screenshots.
BR
Original Message:
Sent: Mar 30, 2023 08:05 PM
From: ariyap
Subject: Installing Windows NPS as Radius authentication
If you configure the WLAN for dot1x auth (Security Level = Enterprise) then the client that connects to that SSID should not get prompted for a certificate by the Instant AP. The certificate checks are between the RADIUS server and the client.
The only case when the IAP will present a certificate for RADIUS auth is if it is configured for EAP offload.
See if this is enabled; if you don't need it, disable it.
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Mar 30, 2023 05:00 AM
From: EnhancedDeflate
Subject: Installing Windows NPS as Radius authentication
Hey everyone,
I'm sorry to kinda hijack this topic, but since I ran into the exact same problem and no (working) solution was provided other than ariyap's proposal, I wanted to pick this up again.
For a test I'm conducting I'm using a working and productive NPS installation (runs with FortiAP devices) and wanted to test RADIUS integration with a single Aruba AP-505 device. It is fully up-to-date and runs a virtual controller that is successfully registered in Aruba Central.
When moving the slider in the Security tab to "Open" it will work, obviously not prompting for anything, but when moving it to "Enterprise" and pointing it to the RADIUS server it no longer works. And just to be clear: of course the Primary server is listed and set up, as mentioned it's in use, but the thing I stumbled over is that when trying to access the newly created network it will show me a certificate warning and the certificate provided is not the one set up in RADIUS; instead I see a local certificate held on the AP-505 device.
Now certainly something is messed up here, but I am not the expert who knows what to expect: authentication is certificate based and certificate is installed locally (works with a current profile running FortiAP).
Why am I presented with a local AP certificate? Is that even "normal"? Do I have to modify the local AP (when test is done it will be 20+ further devices) manually?
Sorry for the questions but either I didn't find the proper documentation or it is not documented in much detail at all; also support didn't provide me with a solution so far.
Any help is much appreciated!
BR
Original Message:
Sent: Oct 06, 2022 10:15 PM
From: ariyap
Subject: Installing Windows NPS as Radius authentication
In Aruba Central, you need to define the authentication server
and then choose your new auth server in your WLAN configuration.
Original Message:
Sent: Oct 06, 2022 08:30 AM
From: Darrell Wiggett
Subject: Installing Windows NPS as Radius authentication
Thanks for your reply, Ariya. I figured NPS for RADIUS auth should work. Do you have a link to any documentation on configuring this in Aruba Central?
Regards
Darrell Wiggett
Network Analyst
Kentucky Employers' Mutual Insurance (KEMI)
250 West Main Street, Suite 900, Lexington, KY 40507-1724
[o] 859-389-1319 [e] dwiggett@kemi.com
Original Message:
Sent: 10/5/2022 6:08:00 PM
From: ariyap
Subject: RE: Installing Windows NPS as Radius authentication
Instant APs support any RADIUS server for authentication. So as an example you can use NPS or the more robust, feature-rich ClearPass.
Original Message:
Sent: Oct 05, 2022 08:37 AM
From: Darrell Wiggett
Subject: Installing Windows NPS as Radius authentication
Hi Ariya,
Thanks for your reply.
"Are you asking how to set up NPS itself or how to point APs managed by Central to use NPS as a RADIUS server?"
I'm collecting info procedures on both. This is a new install so I need to set up both, I think. I have 12 APs (5 VCs) in Aruba Central. Business has asked for an SSID that authenticates with our company Active Directory. With what I've read on Airheads and the Aruba community, it seems this is supported by Aruba. What do you think?
Regards
Darrell Wiggett
Original Message:
Sent: 10/5/2022 12:46:00 AM
From: ariyap
Subject: RE: Installing Windows NPS as Radius authentication
Check this out:
https://aventistech.com/2020/03/20/setup-nps-with-peap-for-aruba-wifi/
Original Message:
Sent: Oct 04, 2022 08:34 PM
From: Brian Dempsey
Subject: Installing Windows NPS as Radius authentication
Are you asking how to set up NPS itself or how to point APs managed by Central to use NPS as a RADIUS server?
------------------------------
ACNSA | ACEA | ACCP | ACMP
Original Message:
Sent: Oct 04, 2022 11:36 AM
From: Darrell Wiggett
Subject: Installing Windows NPS as Radius authentication
Hi Everyone,
Does anyone out there have a link or a document on how to set up Windows Network Policy Server as a RADIUS server in Aruba Central for APs?
Thanks