topic Re: Radius/IOS 11 in Wireless

Radius/IOS 11

Michael Krall — Mon, 05 Jul 2021 15:57:36 GMT

I am using VWLC and a mixture of 3700/3800/1560 APs. I am using multiples SSIDs with multiple authentication methods. When I added the 1560 I upgraded the VWLC to 8.7.102 and had everything working. Recently I started having occasional connectivity issues with the SSID that authenticates to Microsoft NPS (server 2016) with RADIUS. I use a certificate from a Microsoft Enterprise CA on the NPS. I upgraded to 8.7.106.0 and have since downgraded to 8.3.143.0 which didn't really fix the problem. When any IOS user connects via RADUIS, it spins for a while and eventually says incorrect password. Nothing gets logged into the NPS logs on the Windows server for these events. Android users have no problems. Not quite sure what to look at from here. I did a debug client on the VWLC and while I didn't really see any errors, I am not completely sure what to look for. Any help would be appreciated.

Re: Radius/IOS 11

Johannes Luther — Thu, 09 Aug 2018 09:24:04 GMT

So, as Apple clients work, I assume there is no connectivity problem between WLC and NPS.

First of all, the WLC is not involved in the authentication process - it just repacks the EAP authentication messages from 802.1X (Layer-2) in RADIUS (Layer-3).

I'm assuming you are using EAP-TLS or PEAP on you clients, right?

If you don't see anything on the NPS server, then I assume it is a client related isse.

Possibilities:

- Windows client does not try to authenticate, because the own user/client certitficate is expired

- Windows client aborts authentication after the SSL server hello message from NPS is received. Possible reasons for this:

1.) NPS certificate is expired (I guess this is not it, because I assume NPS would stop working)

2.) The clients are configured to verify the server certificate and doesn't trust the CA.

Re: Radius/IOS 11

Michael Krall — Thu, 09 Aug 2018 12:22:23 GMT

I am using PEAP. I didn't try a Windows client while I was working on it yesterday. It is looking like an intermittent issue. While looking at the logs overnight it looks like some Apple I-devices are getting authenticated (although I don't know how many are not since they don't appear in the logs). When connecting from the iphone/ipad, there is an option to trust the certificate that pops up that I can click on and allow it to connect. I wonder if Apple made some changes with the latest update or if something else is going on (I am having some slowdown issues with VMware at the moment). I did find a couple threads elsewhere discussing WiFi issues with IOS 11. Thanks for pointing me at some things to look at.

Re: Radius/IOS 11

Johannes Luther — Thu, 09 Aug 2018 12:46:51 GMT

Make sure that

1.) Make sure the NPS uses a SSL server certificate from your enterprise PKI/CA

2.) Install the Root CA in the trusted certificate store of you end system (Apple / Windows)

2a.) In Windows make sure to use the right store... If the AD machine account is used, the computer store muste be used for the certificates