Configuring WPA Enterprise with external RADIUS (NPS on Windows Server 2012)

Hi,

I have followed the Aerohive configuration guide "RADIUS Authentication". I was trying Example 1, "Single Site Authentication", but my Windows clients can't connect to the SSID. These Windows clients are not in a domain; they are BYOD clients.

If I use the RADIUS test in HiveManager I receive "RADIUS server is reachable. Get attributes from RADIUS server: User-Attribute-ID:0=5;". So it can reach the RADIUS server and gets back User-Attribute-ID 5. For my SSID I have created a user profile with attribute number 5.

Can someone help me? Can I debug something else?

Regards
Tom Jansen

Posted 4 years ago

Nick Lowe, Official Rep

For by-the-book, RADIUS standards-based 802.1X:

You should be returning a Service-Type attribute of Framed along with a Framed-Protocol attribute of PPP.

Are you using VLANs? If so, you should add and set:
1) Tunnel-Type attribute to VLAN
2) Tunnel-Medium-Type attribute to IEEE-802.
3) Tunnel-Private-Group-Id attribute to the desired VLAN ID in string (ASCII / UTF-8 encoded) format.

I would suggest using the Filter-Id attribute to set the user profile attribute, as this is the RADIUS standards-based way of doing this.

What EAP type are you using and how have you configured it?
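To make the attribute list above concrete, here is an added example (not Aerohive or Microsoft NPS code) that encodes an Access-Accept carrying exactly those attributes (Service-Type=Framed, Framed-Protocol=PPP, Filter-Id, and the three RFC 2868 tunnel attributes for the VLAN), computes the RFC 2865 Response Authenticator the way a RADIUS server does, and decodes the reply the way a NAS such as an AP would, including the consistency check on the VLAN attributes. The shared secret, identifier, request authenticator, user-profile name and VLAN number are made-up test values.

```python
"""RADIUS Access-Accept with the attributes recommended above (RFC 2865/2868).
Added example, not Aerohive or Microsoft NPS code. Shared secret, identifier,
request authenticator, user profile name and VLAN below are made-up test values."""
import hashlib
import os
import struct

ACCESS_ACCEPT = 2

# Attribute types (RFC 2865 / RFC 2868)
SERVICE_TYPE, FRAMED_PROTOCOL, FILTER_ID = 6, 7, 11
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
NAMES = {6: "Service-Type", 7: "Framed-Protocol", 11: "Filter-Id",
         64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-Id"}

# Enumerated values used by the recommendation above
SERVICE_TYPE_FRAMED = 2
FRAMED_PROTOCOL_PPP = 1
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def avp(atype, value):
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value limited to 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(value, tag=0):
    """RFC 2868 tagged integer: tag byte (0 = untagged) + 24-bit big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_access_accept(identifier, request_auth, secret, user_profile, vlan=None):
    """Encode the Access-Accept a RADIUS server should return for 802.1X."""
    attrs = avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
    attrs += avp(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP))
    attrs += avp(FILTER_ID, user_profile.encode())
    if vlan is not None:
        attrs += avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
        attrs += avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
        # The VLAN ID is carried as an ASCII string ("10"), not as a binary integer.
        attrs += avp(TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + str(vlan).encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """What the NAS (the AP) does before trusting a reply: recompute the authenticator."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return expected == packet[4:20]


def decode_attributes(packet):
    """Walk the AVP list and return {name: decoded value}; tunnel attributes
    come back as (tag, value) pairs so tag mismatches can be detected."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    out = {"Code": code}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        raw = packet[pos + 2:pos + alen]
        name = NAMES.get(atype, "Attr-%d" % atype)
        if atype in (SERVICE_TYPE, FRAMED_PROTOCOL):
            out[name] = struct.unpack("!I", raw)[0]
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[name] = (raw[0], int.from_bytes(raw[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte of 0x00..0x1F is a tag; anything else is part of the string.
            tag, body = (raw[0], raw[1:]) if raw and raw[0] <= 0x1F else (0, raw)
            out[name] = (tag, body.decode())
        else:
            out[name] = raw.decode(errors="replace")
        pos += alen
    return out


def vlan_assignment(attrs):
    """VLAN ID the NAS should apply, or None if the three tunnel attributes are
    absent or inconsistent (mismatched tags, wrong tunnel type or medium)."""
    try:
        t_tag, t_type = attrs["Tunnel-Type"]
        m_tag, medium = attrs["Tunnel-Medium-Type"]
        g_tag, group = attrs["Tunnel-Private-Group-Id"]
    except KeyError:
        return None
    if not (t_tag == m_tag == g_tag):
        return None
    if t_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    return int(group) if group.isdigit() else None


if __name__ == "__main__":
    secret = b"made-up-shared-secret"   # constructed test value
    req_auth = os.urandom(16)           # the NAS picks this per Access-Request
    pkt = build_access_accept(3, req_auth, secret, "teacher", vlan=10)
    attrs = decode_attributes(pkt)
    print("authenticator ok:", verify_response(pkt, req_auth, secret))
    print(attrs, "-> VLAN", vlan_assignment(attrs))
```

If a capture of the real Access-Accept (Wireshark on the NPS host) decodes to something different from this shape, for example Tunnel-Private-Group-Id carrying a binary integer or the three tunnel attributes carrying different tags, that is the mismatch to fix on the NPS network policy.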
Tom Jansen

Hi Nick,

Thanks for the reply.

At the moment I'm configuring it without VLANs (the AP is not connected to a trunk port). In the future it must also work with different VLANs.

I have added the Filter-Id on the RADIUS server and created a user group with the value of the Filter-Id, but it is still not working. In the attachment you can find some screenshots of the configuration: http://www.hhvm.be/externalradius.docx

Regards
Nick Lowe, Official Rep

I would check your server certificate for compliance as below, and also check that you've followed Aerohive's Filter-Id instructions methodically, to the letter; it is easy to miss a step towards the end. Do a Google search for "eaphost ras tracing" if you want additional logs.

Which EAP type have you settled on?
Tom Jansen

I have used EAP-MSCHAPv2 on the external RADIUS server.
Jonathan Hurtt

I have a feeling this has to do with the certificate that you are using on your NPS server. Do you have any issues connecting with non-Windows devices, say an iOS or Android device, or even a Windows device that is part of your domain?
Nick Lowe, Official Rep

Supplicants have got more stringent over time as to what they will accept as far as certificates go. There is a great document here that may help: https://wiki.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations

It does need updating insofar as we should all be moving to SHA-256 based certificates, though.

Nick Lowe, Official Rep

Jonathan,

Thinking aloud, would it be worth improving the AH self-signed certificates to better meet the certificate property requirements for the gamut of 802.1X supplicants and shift to SHA-2 (SHA-256)? Apple and Twitter have already moved...

http://arstechnica.com/security/2013/11/hoping-to-avert-collision-with-disaster-microsoft-retires-sh...

http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html

https://wiki.mozilla.org/CA:Problematic_Practices#SHA-1_Certificates

Nick
Tom Jansen

If I try to connect with my Android phone I receive an authentication error.
Terence Fleming ThinkWireless, Champ

If you monitor the authentication process using the Client Monitor Tool, you may get some useful insights as to which step in the authentication process is failing.


The simplest way to set up Client Monitor is to create a new open SSID called Test, attach a device to it, pick up that device in Monitor/Wireless Clients, select the check box next to the client, then go to Operation/Client Monitor and add the device. (This captures the MAC address of the device in the system; otherwise you could manually add it to the Client Monitor tool.)

Filter out the Probe requests, start Client Monitor, disconnect from Test and try to connect to the RADIUS SSID.  You will see every step of the process that the AP sees.

Then, look in the Windows event log on the server to see if the error messages there give any clues as to why the authentication failed.

The combination of these two together can usually get you out of trouble.

Tom Jansen

If I use the Aerohive Client Monitor I receive the following:
09/10/2014 08:55:54 AM  303A6410E3E3  4018B1BE3695  AH-be3680    INFO    (148)IEEE802.1X auth is starting (at if=wifi0.2)
09/10/2014 08:55:59 AM  303A6410E3E3  4018B1BE3695  AH-be3680    DETAIL  (149)Send message to RADIUS Server(10.10.123.241): code=1 (Access-Request) identifier=1 length=151,  User-Name=teacher NAS-IP-Address=10.10.121.43 Called-Station-Id=40-18-B1-BE-36-95:PN_Enterprise2 Calling-Station-Id=30-3A-64-10-E3-E3
09/10/2014 08:55:59 AM  303A6410E3E3  4018B1BE3695  AH-be3680    DETAIL  (150)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=1 length=90
09/10/2014 08:55:59 AM  303A6410E3E3  4018B1BE3695  AH-be3680    DETAIL  (151)Send message to RADIUS Server(10.10.123.241): code=1 (Access-Request) identifier=2 length=284,  User-Name=teacher NAS-IP-Address=10.10.121.43 Called-Station-Id=40-18-B1-BE-36-95:PN_Enterprise2 Calling-Station-Id=30-3A-64-10-E3-E3
09/10/2014 08:55:59 AM  303A6410E3E3  4018B1BE3695  AH-be3680    DETAIL  (152)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=2 length=1105
09/10/2014 08:55:59 AM  303A6410E3E3  4018B1BE3695  AH-be3680    DETAIL  (153)Send message to RADIUS Server(10.10.123.241): code=1 (Access-Request) identifier=3 length=196,  User-Name=teacher NAS-IP-Address=10.10.121.43 Called-Station-Id=40-18-B1-BE-36-95:PN_Enterprise2 Calling-Station-Id=30-3A-64-10-E3-E3
09/10/2014 08:55:59 AM  303A6410E3E3  4018B1BE3695  AH-be3680    BASIC   (154)Authentication is terminated (at if=wifi0.2) because it is rejected by RADIUS server
09/10/2014 08:56:00 AM  303A6410E3E3  4018B1BE3695  AH-be3680    BASIC   (156)Sta(at if=wifi0.2) is de-authenticated because of notification of driver

=================================================================

On the server I can't find a log file that gives me a decent error message.
"W2K12SERVERLNET","IAS",09/10/2014,08:55:11,1,"teacher","LNET\teacher","40-18-B1-BE-36-95:PN_Enterprise2","30-3A-64-10-E3-E3",,,"AH-be3680","10.10.121.43",0,0,"10.10.121.43","AerohiveAP",,,19,,,2,5,"Secure Wireless Connections",0,"311 1 10.10.123.241 09/09/2014 10:58:22 31",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"W2K12SERVERLNET","IAS",09/10/2014,08:55:11,11,,"LNET\teacher",,,,,,,,0,"10.10.121.43","AerohiveAP",,,,,,,5,"Secure Wireless Connections",0,"311 1 10.10.123.241 09/09/2014 10:58:22 31",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"W2K12SERVERLNET","IAS",09/10/2014,08:55:11,1,"teacher","LNET\teacher","40-18-B1-BE-36-95:PN_Enterprise2","30-3A-64-10-E3-E3",,,"AH-be3680","10.10.121.43",0,0,"10.10.121.43","AerohiveAP",,,19,,,2,5,"Secure Wireless Connections",0,"311 1 10.10.123.241 09/09/2014 10:58:22 32",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"W2K12SERVERLNET","IAS",09/10/2014,08:55:11,11,,"LNET\teacher",,,,,,,,0,"10.10.121.43","AerohiveAP",,,,,,,5,"Secure Wireless Connections",0,"311 1 10.10.123.241 09/09/2014 10:58:22 32",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"W2K12SERVERLNET","IAS",09/10/2014,08:55:11,1,"teacher","LNET\teacher","40-18-B1-BE-36-95:PN_Enterprise2","30-3A-64-10-E3-E3",,,"AH-be3680","10.10.121.43",0,0,"10.10.121.43","AerohiveAP",,,19,,,2,11,"Secure Wireless Connections",0,"311 1 10.10.123.241 09/09/2014 10:58:22 33",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"W2K12SERVERLNET","IAS",09/10/2014,08:55:11,3,,"LNET\teacher",,,,,,,,0,"10.10.121.43","AerohiveAP",,,,,,,11,"Secure Wireless Connections",265,"311 1 10.10.123.241 09/09/2014 10:58:22 33",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
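The NPS log above is in IAS format, which is hard to read by eye but easy to parse: the 5th column is the packet type, the 24th the authentication type, the 26th the reason code and the 27th the Class attribute that ties all packets of one attempt together. The following is an added example (not Microsoft or Aerohive code) that groups the six posted lines by Class and reports the attempt that ended in an Access-Reject with its reason code. Reason code 265 is the NPS code for "The certificate chain was issued by an authority that is not trusted"; the reason-code table in the code is deliberately partial, and the column positions are taken from the IAS log format as the posted lines show it.

```python
"""Triage NPS log lines in IAS format: group each authentication attempt by its
Class attribute and explain any that end in an Access-Reject. Added example,
not Microsoft or Aerohive code. The six lines in SAMPLE_LOG are copied from the
post above; column indexes follow the IAS log format and the reason-code table
is deliberately partial."""
import csv
import io
from collections import defaultdict

SAMPLE_LOG = r'''"W2K12SERVERLNET","IAS",09/10/2014,08:55:11,1,"teacher","LNET\teacher","40-18-B1-BE-36-95:PN_Enterprise2","30-3A-64-10-E3-E3",,,"AH-be3680","10.10.121.43",0,0,"10.10.121.43","AerohiveAP",,,19,,,2,5,"Secure Wireless Connections",0,"311 1 10.10.123.241 09/09/2014 10:58:22 31",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"W2K12SERVERLNET","IAS",09/10/2014,08:55:11,11,,"LNET\teacher",,,,,,,,0,"10.10.121.43","AerohiveAP",,,,,,,5,"Secure Wireless Connections",0,"311 1 10.10.123.241 09/09/2014 10:58:22 31",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"W2K12SERVERLNET","IAS",09/10/2014,08:55:11,1,"teacher","LNET\teacher","40-18-B1-BE-36-95:PN_Enterprise2","30-3A-64-10-E3-E3",,,"AH-be3680","10.10.121.43",0,0,"10.10.121.43","AerohiveAP",,,19,,,2,5,"Secure Wireless Connections",0,"311 1 10.10.123.241 09/09/2014 10:58:22 32",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"W2K12SERVERLNET","IAS",09/10/2014,08:55:11,11,,"LNET\teacher",,,,,,,,0,"10.10.121.43","AerohiveAP",,,,,,,5,"Secure Wireless Connections",0,"311 1 10.10.123.241 09/09/2014 10:58:22 32",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"W2K12SERVERLNET","IAS",09/10/2014,08:55:11,1,"teacher","LNET\teacher","40-18-B1-BE-36-95:PN_Enterprise2","30-3A-64-10-E3-E3",,,"AH-be3680","10.10.121.43",0,0,"10.10.121.43","AerohiveAP",,,19,,,2,11,"Secure Wireless Connections",0,"311 1 10.10.123.241 09/09/2014 10:58:22 33",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"W2K12SERVERLNET","IAS",09/10/2014,08:55:11,3,,"LNET\teacher",,,,,,,,0,"10.10.121.43","AerohiveAP",,,,,,,11,"Secure Wireless Connections",265,"311 1 10.10.123.241 09/09/2014 10:58:22 33",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
'''

PACKET_TYPE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 11: "Access-Challenge"}
AUTH_TYPE = {4: "MS-CHAPv2", 5: "EAP", 11: "PEAP"}
# Partial NPS reason-code table: only the codes that appear in this log.
REASON = {0: "Success (no error)",
          265: "The certificate chain was issued by an authority that is not trusted."}

# Zero-based indexes of the IAS-format columns used here
COL_DATE, COL_TIME, COL_PKT, COL_USER, COL_FQDN = 2, 3, 4, 5, 6
COL_CALLED, COL_CALLING, COL_NAS_ID, COL_NAS_IP = 7, 8, 11, 12
COL_AUTH, COL_POLICY, COL_REASON, COL_CLASS = 23, 24, 25, 26


def parse_ias(text):
    """Turn IAS-format lines into dicts; lines that are too short are skipped."""
    rows = []
    for f in csv.reader(io.StringIO(text)):
        if len(f) <= COL_CLASS:
            continue
        rows.append({
            "time": f[COL_DATE] + " " + f[COL_TIME],
            "packet": int(f[COL_PKT]),
            # User-Name is only logged on the request; fall back to the FQDN column.
            "user": f[COL_USER] or f[COL_FQDN],
            "called": f[COL_CALLED],
            "calling": f[COL_CALLING],
            "nas": f[COL_NAS_ID] or f[COL_NAS_IP],
            "auth_type": int(f[COL_AUTH]) if f[COL_AUTH] else None,
            "policy": f[COL_POLICY],
            "reason": int(f[COL_REASON]) if f[COL_REASON] else None,
            "session": f[COL_CLASS],
        })
    return rows


def sessions(rows):
    """Group rows by the Class attribute, which NPS assigns per authentication attempt."""
    by_session = defaultdict(list)
    for r in rows:
        by_session[r["session"]].append(r)
    return by_session


def failed_sessions(rows):
    """One summary per attempt whose last logged packet was an Access-Reject."""
    out = []
    for sid, pkts in sessions(rows).items():
        first, last = pkts[0], pkts[-1]
        if last["packet"] != 3:
            continue
        out.append({
            "session": sid,
            "time": last["time"],
            "user": last["user"],
            "client_mac": first["calling"],
            # Called-Station-Id is "<AP BSSID>:<SSID>" on this AP.
            "ssid": first["called"].split(":", 1)[-1],
            "nas": first["nas"],
            "auth_type": AUTH_TYPE.get(last["auth_type"], str(last["auth_type"])),
            "policy": last["policy"],
            "reason_code": last["reason"],
            "reason": REASON.get(last["reason"], "see the NPS reason-code list"),
            "exchange": [PACKET_TYPE.get(p["packet"], str(p["packet"])) for p in pkts],
        })
    return out


if __name__ == "__main__":
    for fail in failed_sessions(parse_ias(SAMPLE_LOG)):
        print("%(time)s %(user)s from %(client_mac)s on %(ssid)s via %(nas)s: "
              "%(auth_type)s rejected by policy '%(policy)s', reason %(reason_code)s "
              "(%(reason)s); exchange %(exchange)s" % fail)
```

Run against the posted lines this reports a single failed attempt: PEAP for LNET\teacher, rejected by the "Secure Wireless Connections" policy with reason 265, the untrusted-certificate-chain error; the two earlier attempts (Class ...31 and ...32) only got as far as an Access-Challenge. A Wireshark capture of UDP/1812 on the NPS host shows the same exchange on the wire and is the place to confirm which side aborted the TLS handshake.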
Nick Lowe, Official Rep

I suggest you get a log from the Windows supplicant using "netsh ras set tracing * enabled" while an authentication attempt is made, followed by "netsh ras set tracing * disabled".

I suggest you use something like Wireshark at the RADIUS server to get a capture of the RADIUS traffic while an authentication attempt is made.

The other place to look is the Windows Event Log for the NPS role.

We should be able to piece what is going wrong from those three bits of information.
Tom Jansen

Hi thanks a lot for the effort. I think these log files will give more information about the problem. You can download them at: http://www.hhvm.be/RadiusLogging.rar

I think you are right that there is something wrong with the certificate. In the event viewer I found the following error: The certificate chain was issued by an authority that is not trusted.
Bill W.

I have not looked at your log files, but I'm pretty sure I can tell you what to do to get your non-domain clients to connect.

Since these computers are not on your domain, you will need to do a few things to the wireless configuration on the client to get them to authenticate.  You will need to make 3 changes from the default setup when you create the wireless network configuration on the client.  I'm assuming you are using WPA2-Enterprise.  So go through the steps of manually creating the wireless network profile on your Windows device.  Before you close out of the "Manually connect to a wireless network" wizard, click on the "Change connection settings" button instead of the "Close" button.  From here you will be able to make the 3 changes to allow your non-domain computers to connect.

First, change the 802.1X authentication mode to "User authentication".  By default, this is set to "User or computer authentication".  Since these computers are not on the domain, anytime they try to authenticate with the computer account instead of the user account they will get denied.  Second, disable the certificate check.  In the Protected EAP properties, uncheck the "Verify the server's identity by validating the certificate" check box.  And while you are here, the third thing you need to do is change the EAP MSCHAPv2 properties to not use the Windows logon name and password.  You do this by clicking the "Configure" button next to the "Secured password (EAP-MSCHAP v2)" drop-down box under "Select Authentication Method:".

What will happen now is when the user tries to connect to this network, they will be prompted for their user credentials.  After they enter their user credentials, they will be authenticated and connected.  The default Windows settings for 802.1X settings are for domain joined computers.  So you have to make these changes to allow non-domain computers to connect.  If you used a certificate issued by a trusted root certificate authority that is already in Windows, then the second change would not be needed.  Or you could have the user import your certificate into their trusted root certificate authorities.  But this is a pain for the user.  If you have a domain with PKI setup, this is all taken care of for you on domain joined computers.

I can provide step-by-step instructions if needed.  I have some for XPSP3, Vista/7, and 8/8.1.

Also, with your Android phone, make sure you have your Phase 2 Authentication set to "MSCHAPV2". I believe that by default this is set to "None".
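The three client-side changes above can be verified after the fact, because Windows stores them in the WLAN profile XML that "netsh wlan export profile" writes. Below is an added example (not Microsoft or Aerohive code) that audits such a profile for the three settings and flags the second one, because with server validation switched off the PEAP-MSCHAPv2 inner exchange is offered to any access point that broadcasts the SSID, which lets a rogue AP collect the user's MSCHAPv2 challenge/response; importing the issuing CA on the client, or using a certificate from a CA Windows already trusts, keeps validation on. The profile XML is constructed here to mirror the export format, and the element names (authMode, UseWinLogonCredentials, PerformServerValidation) are taken from that format as the author of this example remembers it, so compare them against a real export before relying on the checker; namespaces are deliberately ignored so small differences there do not matter.

```python
"""Audit a Windows WLAN profile (netsh wlan export profile format) for the three
non-domain PEAP settings and flag disabled server validation. Added example,
not Microsoft code. The XML template is constructed from memory of the export
format, so element names are an assumption to be checked against a real export."""
import xml.etree.ElementTree as ET

# Constructed template; the values in braces are what the audit looks at.
PROFILE_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>{auth_mode}</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation>
                <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                  <Type>26</Type>
                  <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                    <UseWinLogonCredentials>{winlogon}</UseWinLogonCredentials>
                  </EapType>
                </Eap>
                <PeapExtensions>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
                </PeapExtensions>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def make_profile(ssid, auth_mode, winlogon, validate):
    """Build a constructed profile; auth_mode is machine, user or machineOrUser."""
    return PROFILE_TEMPLATE.format(ssid=ssid, auth_mode=auth_mode,
                                   winlogon=winlogon, validate=validate)


def _local(tag):
    """Strip the XML namespace so the audit does not depend on exact namespace URIs."""
    return tag.rsplit("}", 1)[-1]


def _find_text(root, name):
    """First element with the given local name, or None."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None


def profile_ssid(xml_text):
    return _find_text(ET.fromstring(xml_text), "name")


def audit_profile(xml_text):
    """Map each check to (ok, detail). Order matters: weak_settings reports in this order."""
    root = ET.fromstring(xml_text)
    auth_mode = _find_text(root, "authMode")
    winlogon = _find_text(root, "UseWinLogonCredentials")
    validate = _find_text(root, "PerformServerValidation")
    return {
        # 1) A non-domain machine has no computer account, so only user auth can succeed.
        "user_auth_only": (auth_mode == "user", "authMode=%s" % auth_mode),
        # 3) Prompt for credentials instead of reusing the local Windows logon.
        "prompts_for_credentials": (winlogon == "false", "UseWinLogonCredentials=%s" % winlogon),
        # 2) With validation off, any AP broadcasting the SSID can run the inner
        #    MSCHAPv2 exchange and capture the challenge/response.
        "server_validation": (validate == "true", "PerformServerValidation=%s" % validate),
    }


def weak_settings(findings):
    """Names of the checks that failed."""
    return [name for name, (ok, _detail) in findings.items() if not ok]


if __name__ == "__main__":
    byod = make_profile("PN_Enterprise2", "user", "false", "false")  # the three changes as described
    for name, (ok, detail) in audit_profile(byod).items():
        print("%-24s %s  %s" % (name, "ok  " if ok else "WEAK", detail))
```

The profile that applies the three changes exactly as described passes the first and third checks and is flagged only on server validation; the fix that keeps the BYOD machines connecting without the prompt is to leave validation on and make the NPS certificate's issuer trusted on the client, as the last paragraph of the post notes.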