NPS on 2008 R2 with Aruba wireless controller

  • Question

  • Windows XP SP3 client:

    WPA2/AES for association - PEAP for authentication with Secured password (EAP-MSCHAP v2), without auto-connecting with Windows logon creds

    Aruba:

    SSID-WPA2/AES

    There is no termination on the controller; it is a pass-through authenticator.

    I connect to the SSID and it asks for my Windows Creds, so the Aruba is passing it to the NPS. I receive this error when it is validating identity. "An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP)."

    Wednesday, August 17, 2011 3:07 PM

All replies

  • Hi BillyMag,

    Thank you for your post.

    First, please check the event log on the NPS server for this failed authentication and post the logs to us for analysis.
    Then, check the 802.1x authenticated wireless deployment guide for these things:
    1. Windows XP clients obtain the Trusted Root Certification Authorities (domain-joined computers get it automatically)
    2. The NPS server obtains a computer certificate for authentication
    3. Use the NPS wizard to configure the 802.1x wireless NPS policy and specify PEAP EAP-MSCHAP v2 with the server certificate

    If there are more inquiries on this issue, please feel free to let us know.


    Regards,
    Rick Tan
    Thursday, August 18, 2011 5:55 AM
  • Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          8/18/2011 1:25:20 PM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      Service02.mch.local
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:            NULL SID
        Account Name:            wmaguire
        Account Domain:            MCH
        Fully Qualified Account Name:    MCH\wmaguire

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        000B8661DA50
        Calling Station Identifier:        0014A5A244F4

    NAS:
        NAS IPv4 Address:        10.10.1.20
        NAS IPv6 Address:        -
        NAS Identifier:            10.10.1.22
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            1

    RADIUS Client:
        Client Friendly Name:        Aruba3600-B
        Client IP Address:            10.10.1.22

    Authentication Details:
        Connection Request Policy Name:    Secure Aruba Wireless Connections
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        Service02.mch.local
        Authentication Type:        PEAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            23
        Reason:                An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>6273</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2011-08-18T17:25:20.929256300Z" />
        <EventRecordID>83829</EventRecordID>
        <Correlation />
        <Execution ProcessID="452" ThreadID="3252" />
        <Channel>Security</Channel>
        <Computer>Service02.mch.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">wmaguire</Data>
        <Data Name="SubjectDomainName">MCH</Data>
        <Data Name="FullyQualifiedSubjectUserName">MCH\wmaguire</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">-</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">000B8661DA50</Data>
        <Data Name="CallingStationID">0014A5A244F4</Data>
        <Data Name="NASIPv4Address">10.10.1.20</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">10.10.1.22</Data>
        <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
        <Data Name="NASPort">1</Data>
        <Data Name="ClientName">Aruba3600-B</Data>
        <Data Name="ClientIPAddress">10.10.1.22</Data>
        <Data Name="ProxyPolicyName">Secure Aruba Wireless Connections</Data>
        <Data Name="NetworkPolicyName">-</Data>
        <Data Name="AuthenticationProvider">Windows</Data>
        <Data Name="AuthenticationServer">Service02.mch.local</Data>
        <Data Name="AuthenticationType">PEAP</Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">-</Data>
        <Data Name="ReasonCode">23</Data>
        <Data Name="Reason">An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.</Data>
        <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
      </EventData>
    </Event>


    I was just online with Aruba 3rd level support for 4 hours and they couldn't figure it out.

    The client can terminate on the Aruba controller, with their own certificate that comes with their software, but when we try to terminate on the 2008 server it fails.

    Thursday, August 18, 2011 7:21 PM
  • Hi BillyMag,

    Authentication Details:
         Connection Request Policy Name:    Secure Aruba Wireless Connections
         Network Policy Name:        -
     
    The log shows that no network policy conforms to your wireless authentication, and the EAP log files are located at %windir%\System32\Logfiles.
    Please check the three things that I previously posted; I will wait for your reply.


    Regards,
    Rick Tan
    Monday, August 22, 2011 6:14 AM
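
Added example (not part of the original thread or any poster's code): a Python script that pulls the triage fields out of exported Event 6273 XML like the record posted above, listing which fields NPS logged as "-" and counting denials per RADIUS client, authentication type and reason code. The wrapping `<Events>` root, the function names and the second sample record are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: record 1 is trimmed from the event posted in the thread,
# record 2 is invented for contrast. A single wrapping root element is assumed.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID><TimeCreated SystemTime="2011-08-18T17:25:20.929256300Z" /></System>
  <EventData>
    <Data Name="FullyQualifiedSubjectUserName">MCH\wmaguire</Data>
    <Data Name="ClientName">Aruba3600-B</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="ReasonCode">23</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID><TimeCreated SystemTime="2011-08-18T17:31:02.000000000Z" /></System>
  <EventData>
    <Data Name="ClientName">Example-Controller</Data>
    <Data Name="NetworkPolicyName">Example Wireless Policy</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">Example EAP method</Data>
    <Data Name="ReasonCode">16</Data>
  </EventData>
</Event>
</Events>"""

def parse_denials(xml_text):
    """Return one dict per Event 6273 record: its EventData fields plus the timestamp."""
    records = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "6273":
            continue  # only "NPS denied access to a user" records
        rec = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        rec["Time"] = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        records.append(rec)
    return records

def unset_fields(rec, fields=("NetworkPolicyName", "EAPType")):
    """Names of the given fields that NPS logged as '-' (no value recorded)."""
    return [f for f in fields if rec.get(f, "-") == "-"]

def cluster(records):
    """Count denials per (RADIUS client, authentication type, reason code)."""
    return Counter((r.get("ClientName"), r.get("AuthenticationType"), r.get("ReasonCode")) for r in records)
```
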
  • Just for your information, the workaround is to define the "Termination Inner EAP-Type" parameter in the controller.

    Configuration -> AAA profiles -> "profile" -> 802.1x Authentication

    Tuesday, February 10, 2015 4:36 PM