Sunday, December 22, 2019

Windows NPS and Eduroam Radius Profile For Aruba/Unifi Troubleshoot

We are setting up a new WiFi network at work (a school) that uses an ancient Aruba controller (with Aruba 105 APs) following the principles of eduroam listed here, and the RADIUS server is Windows NPS, again following the docs here.

Initially I copied the existing config we have got for our current wifi to no avail. The current network still works fine but no one can remember the details (and it is not in keeping with the BYOD route we are going down).

I have consistently been getting an error message of "authentication failed due to user credentials mismatch" (error 16, Event 6273), which most people have suggested through various forums means that the AP's shared secret does not match - I have checked this more than once; it does! Additionally I have checked the obvious account user/pass out, and again it is correct.

In order to try and diagnose the problem further I brought in some of my unifi gear from home and spun up a completely fresh DC/CA/NPS server in a test environment. Same error but this time I have also installed wireshark.

If I "accept users without validating credentials" in the CRP then NPS returns an Access-Accept response, but the client is still unable to connect to the network (client reports dot1X timeout followed by operation was cancelled/server reports success) - this leads me to think it is something wrong client side?

Then if I switch the CRP to authenticate on this server (client reports explicit EAP failure received followed by network is not available/server sends a string of Access-Request/Challenge immediately before Access-Reject) presumably this means that it is waiting for correct verification from the client?

CRP settings are:

  • Conditions
  1. NAS port Type - Wireless Other or 802.11
  2. Username - .+@schooldomain\.org\.uk$
  • Settings
  1. Authentication Provider - Local Computer
  2. Manipulation attribute rules - Replace "@schooldomain\.org\.uk$" with "@schooldomain.local"
  3. Target - User Name
  4. Override Auth - Disabled
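As an added illustration (not part of the original post or of NPS itself), the following Python model shows how the two CRP conditions above and the User-Name attribute manipulation rule combine: a request only reaches local authentication when the NAS-Port-Type is one of the wireless types and the User-Name ends in the eduroam realm, and only then is the realm suffix rewritten to the internal AD domain. The NAS-Port-Type values 18 and 19 are the standard RADIUS codes for "Wireless - Other" and "Wireless - IEEE 802.11"; the sample usernames are constructed.

```python
import re

# Constructed model of the Connection Request Policy described in the post.
NAS_PORT_TYPE_WIRELESS_OTHER = 18   # RADIUS NAS-Port-Type "Wireless - Other"
NAS_PORT_TYPE_WIRELESS_80211 = 19   # RADIUS NAS-Port-Type "Wireless - IEEE 802.11"

CRP = {
    # Condition 1: NAS Port Type - Wireless Other or 802.11
    "nas_port_types": {NAS_PORT_TYPE_WIRELESS_OTHER, NAS_PORT_TYPE_WIRELESS_80211},
    # Condition 2: Username matches the eduroam realm (anchored at end of string)
    "user_name_condition": re.compile(r".+@schooldomain\.org\.uk$"),
    # Attribute manipulation rule: replace the public realm with the AD domain
    "user_name_rewrite": (re.compile(r"@schooldomain\.org\.uk$"), "@schooldomain.local"),
}


def evaluate_crp(nas_port_type, user_name, policy=CRP):
    """Return (matched, effective_user_name).

    matched is False when either condition fails, meaning NPS would not apply
    this policy to the request (it would fall through to the next CRP).  When
    both conditions hold, the User-Name rewrite is applied and the name that
    would be passed to local (AD) authentication is returned.
    """
    if nas_port_type not in policy["nas_port_types"]:
        return False, user_name
    if not policy["user_name_condition"].search(user_name):
        return False, user_name
    pattern, replacement = policy["user_name_rewrite"]
    return True, pattern.sub(replacement, user_name)


if __name__ == "__main__":
    # Constructed sample requests: (NAS-Port-Type, User-Name)
    samples = [
        (NAS_PORT_TYPE_WIRELESS_80211, "alice@schooldomain.org.uk"),   # home user over 802.11
        (NAS_PORT_TYPE_WIRELESS_OTHER, "alice@schooldomain.org.uk"),   # home user, other wireless
        (NAS_PORT_TYPE_WIRELESS_80211, "bob@otherschool.ac.uk"),       # visiting realm, not ours
        (15, "alice@schooldomain.org.uk"),                             # 15 = Ethernet, not wireless
        (NAS_PORT_TYPE_WIRELESS_80211, "carol@schooldomain.org.uk.example"),  # suffix not at end
    ]
    for port_type, name in samples:
        matched, effective = evaluate_crp(port_type, name)
        print(f"{port_type:>2} {name:40} matched={matched!s:5} -> {effective}")
```

The `$` anchors matter on both the condition and the rewrite: they ensure that only a User-Name whose realm is exactly the trailing `@schooldomain.org.uk` is treated as local and rewritten, so a realm that merely contains that string elsewhere is left untouched and not handed to local authentication.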

Network Policy settings are:

  • Conditions
  1. NAS Port Type - Wireless
  2. User Groups - SchoolDomain\Eduroam
  • Settings
  1. EAP Config - Configured (PEAP with secured password EAP-MS-CHAPv2)
  2. Ignore Dial-In Properties
  3. Grant Access
  4. Client is supplied an IP
  5. Tunnel Medium 802/Type VLAN/Tunnel-ID 66
  6. Encryption Enabled

So I have been battling with this for several weeks now and banging my head against a wall would be more productive...

Anyone got any pointers?
