Windows NPS and Eduroam Radius Profile For Aruba/Unifi Troubleshoot


  • We are setting up a new WiFi network at work (a school) that uses an ancient Aruba controller (with Aruba 105 APs), following the principles of eduroam listed here, and the RADIUS server is Windows NPS, again following the docs here.

    Initially I copied the existing config we have got for our current wifi to no avail. The current network still works fine but no one can remember the details (and it is not in keeping with the BYOD route we are going down).

    I have consistently been getting an error message of "authentication failed due to user credentials mismatch" (error 16, Event 6273), which most people have suggested through various forums means that the AP's shared secret does not match. I have checked this more than once and it does! Additionally I have checked the obvious account user/pass and again it is correct.

    In order to try and diagnose the problem further I brought in some of my UniFi gear from home and spun up a completely fresh DC/CA/NPS server in a test environment. Same error, but this time I have also installed Wireshark.

    If I "accept users without validating credentials" in the CRP then NPS returns an Access-Accept response, but the client is still unable to connect to the network (client reports dot1X timeout followed by operation was cancelled / server reports success). This leads me to think something is wrong client side?

    Then if I switch the CRP to authenticate on this server (client reports explicit EAP failure received followed by network is not available / server sends a string of Access-Request/Challenge immediately before Access-Reject), presumably this means that it is waiting for correct verification from the client?

    CRP settings are:

    • Conditions

    1. NAS Port Type - Wireless Other or 802.11

    2. Username - .+@schooldomain\.org\.uk$

    • Settings

    1. Authentication Provider - Local Computer

    2. Manipulation attribute rules - Replace "@schooldomain\.org\.uk$" with "@schooldomain.local"

    3. Target - User Name

    4. Override Auth - Disabled

    Network Policy settings are:

    • Conditions

    1. NAS Port Type - Wireless

    2. User Groups - SchoolDomain\Eduroam

    • Settings

    1. EAP Config - Configured (PEAP with secured password EAP-MS-CHAPv2)

    2. Ignore Dial-In Properties

    3. Grant Access

    4. Client is supplied an IP

    5. Tunnel Medium 802/Type VLAN/Tunnel-ID 66

    6. Encryption Enabled

    So I have been battling with this for several weeks now and banging my head against a wall would be more productive...

    Anyone got any pointers?

    Friday, December 27, 2019 6:41 PM
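An added example, not part of the original post, that checks the two things the configuration above turns on: whether the connection request policy's regex actually rewrites the realm on the identities a supplicant sends, and what NPS itself recorded for each rejected request. It is written in PowerShell for the NPS host. The sample user names are constructed; PowerShell's -replace uses .NET regular expressions, which approximate the NPS rule engine and use the same $1 back-reference style, so treat the first part as a dry run rather than a guarantee. The EventData field names in the second part (SubjectUserName, FullyQualifiedSubjectUserName, ProxyPolicyName, NetworkPolicyName, AuthenticationType, EAPType, ReasonCode, Reason) are the ones NPS emits in Event 6273 on current Windows Server versions, and the subcategory name is the one auditpol uses; the function name Get-NpsReject is mine.

```powershell
# Added example, not code from the original post. Run elevated on the NPS server.

# --- 1. Does the CRP condition match, and does the manipulation rule rewrite,
#        the identities the supplicant actually sends? (.NET regex approximates
#        the NPS rule engine; the sample identities are constructed.)
$crpCondition = '.+@schooldomain\.org\.uk$'     # CRP "Username" condition from the post
$crpFind      = '@schooldomain\.org\.uk$'       # manipulation rule: find
$crpReplace   = '@schooldomain.local'           # manipulation rule: replace with

$samples = @(
    'alice@schooldomain.org.uk',       # realm form the CRP condition expects
    'anonymous@schooldomain.org.uk',   # eduroam-style anonymous outer identity
    'SCHOOLDOMAIN\alice',              # NetBIOS form: fails the CRP condition, no rewrite
    'alice'                            # bare user name: same
)
foreach ($id in $samples) {
    $matched   = $id -match $crpCondition
    $rewritten = $id -replace $crpFind, $crpReplace
    '{0,-32} CRP condition: {1,-5} User-Name after rule: {2}' -f $id, $matched, $rewritten
}

# --- 2. Make sure NPS auditing reaches the Security log, then list recent
#        6273 (reject) events with the fields that decide reason code 16.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

function Get-NpsReject {
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents $Last -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten <Data Name="...">value</Data> into a hashtable keyed by Name.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            AccountName   = $d['SubjectUserName']               # User-Name as received from the NAS
            ResolvedName  = $d['FullyQualifiedSubjectUserName'] # name NPS ended up looking up
            NAS           = $d['NASIdentifier']
            ClientIP      = $d['ClientIPAddress']
            CRP           = $d['ProxyPolicyName']               # which connection request policy matched
            NetworkPolicy = $d['NetworkPolicyName']             # which network policy matched, if any
            AuthType      = $d['AuthenticationType']
            EAPType       = $d['EAPType']
            ReasonCode    = $d['ReasonCode']
            Reason        = $d['Reason']
        }
    }
}

Get-NpsReject -Last 10 | Format-List
```

Read the output of part 2 before touching shared secrets again: a wrong shared secret does not produce a 6273 at all (NPS silently discards the request), so a logged reason 16 means the packet was accepted and decoded and the failure is in the identity or password step. Compare AccountName with ResolvedName; if the resolved name is not in the domain you expect, the rewrite is not landing where the policy assumes, and if CRP or NetworkPolicy shows a different policy than the one you edited, the conditions (NAS Port Type, the Username regex, the user group) are matching a different rule first.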

All replies

  • Hi,

    >>I have consistently been getting an error message of "authentication failed due to user credentials mismatch" (error 16 Event 6273)

    Please take a look at the similar thread in forum:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/76644dcc-911d-451e-b7f1-39269db43ac7/nps-event-6273-reason-code-16

    Hope this can help you, if you have anything unclear, please let me know.

    Have a nice day!

    Ellen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 30, 2019 8:09 AM
  • https://social.technet.microsoft.com/Forums/windowsserver/en-US/76644dcc-911d-451e-b7f1-39269db43ac7/nps-event-6273-reason-code-16

    Hi,

    I've now tried everything on that list...with no success.

    Highlights are:

    • One of them suggested changing the shared secret to upper only/lower only/lower only and numbers/upper only and numbers. Obviously to no success.
    • However, one of them suggested that I reimport the server certificate, which I have done and now whenever I change the certificate it actually asks me to trust the certificate, hopefully this is a step forward.

    I'm starting to wonder what MS have even done with NPS and why even include this in their server line, as out of the box it clearly has major issues when freeradius just worked inside of 15 minutes?

    Saturday, January 4, 2020 11:58 AM
  • Hello allw,

    Are you prepared to share "trace data" of your problem?

    You mentioned "Wireshark" in your first post, and that might be an easy entry point into tracing and analysing captured data. The next step would then probably be to use Event Tracing for Windows (ETW) to trace the NPS behaviour.

    The trace data probably would not contain any "high grade" sensitive information (e.g. passwords), but DNS names, user names and similar may well be present.

    Gary

    Saturday, January 4, 2020 2:08 PM
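An added example of how to collect the trace data Gary asks for, in PowerShell; it is not part of his reply. It assumes an elevated session on the NPS host and an output folder of my own choosing (C:\nps-trace). netsh trace and netsh ras set tracing are built into Windows; etl2pcapng is Microsoft's open-source converter (https://github.com/microsoft/etl2pcapng) and is optional, for opening the capture in Wireshark. With PEAP the inner MS-CHAPv2 exchange travels inside TLS, so the capture shows the RADIUS packet types, the EAP framing and the outer identity but not passwords; user names, NAS identifiers and DNS names will be visible, as Gary notes, so scrub those before posting.

```powershell
# Added example, not from Gary's reply. Run elevated on the NPS server.
$out = 'C:\nps-trace'                        # assumed output folder
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Packet capture of the RADIUS side (UDP 1812/1813) without installing Wireshark on the server.
netsh trace start capture=yes tracefile="$out\radius.etl" maxsize=256 overwrite=yes | Out-Null

# Component-level text tracing for the RAS/NPS stack; log files land in %windir%\tracing.
netsh ras set tracing * enabled | Out-Null

Write-Host 'Reproduce the 802.1X failure from the client now, then press Enter.'
Read-Host | Out-Null

netsh ras set tracing * disabled | Out-Null
netsh trace stop | Out-Null
Copy-Item "$env:windir\tracing\IAS*.log" $out -ErrorAction SilentlyContinue   # NPS (formerly IAS) component logs

# Optional: convert the ETL to pcapng for Wireshark, then use the display filter  radius || eap
if (Get-Command etl2pcapng -ErrorAction SilentlyContinue) {
    etl2pcapng "$out\radius.etl" "$out\radius.pcapng"
}

# Keep the NPS audit events from the same window next to the capture, so the
# Access-Request/Challenge/Reject sequence can be lined up with the reason code.
$since = (Get-Date).AddMinutes(-15)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Out-File "$out\nps-events.txt"
```

When the pcapng is open in Wireshark, the RADIUS protocol preferences accept the shared secret; with it set, the dissector can check the Response Authenticator on each Access-Challenge and Access-Reject, which is a more direct test of the "shared secret matches" question than re-typing it on both sides. The EAP layer inside the RADIUS packets shows whether the exchange stops at the EAP-Identity/PEAP start, during the TLS handshake (a certificate trust problem on the client) or only after the tunnel is up (the inner credential check), which is the distinction the two client error messages in the first post are hinting at.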
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Ellen



    Tuesday, January 7, 2020 9:53 AM