
Radius/IOS 11

Michael Krall
Level 1

I am using VWLC and a mixture of 3700/3800/1560 APs. I am using multiple SSIDs with multiple authentication methods. When I added the 1560 I upgraded the VWLC to 8.7.102 and had everything working. Recently I started having occasional connectivity issues with the SSID that authenticates to Microsoft NPS (server 2016) with RADIUS. I use a certificate from a Microsoft Enterprise CA on the NPS. I upgraded to 8.7.106.0 and have since downgraded to 8.3.143.0 which didn't really fix the problem. When any IOS user connects via RADIUS, it spins for a while and eventually says incorrect password. Nothing gets logged into the NPS logs on the Windows server for these events. Android users have no problems. Not quite sure what to look at from here. I did a debug client on the VWLC and while I didn't really see any errors, I am not completely sure what to look for. Any help would be appreciated.

3 Replies

Johannes Luther
Level 4

So, as Apple clients work, I assume there is no connectivity problem between WLC and NPS.

First of all, the WLC is not involved in the authentication process - it just repacks the EAP authentication messages from 802.1X (Layer-2) in RADIUS (Layer-3).

I'm assuming you are using EAP-TLS or PEAP on your clients, right?

If you don't see anything on the NPS server, then I assume it is a client related issue.

Possibilities:

- Windows client does not try to authenticate, because its own user/client certificate is expired

- Windows client aborts authentication after the SSL server hello message from NPS is received. Possible reasons for this:

1.) NPS certificate is expired (I guess this is not it, because I assume NPS would stop working)

2.) The clients are configured to verify the server certificate and don't trust the CA.

I am using PEAP. I didn't try a Windows client while I was working on it yesterday. It is looking like an intermittent issue. While looking at the logs overnight it looks like some Apple I-devices are getting authenticated (although I don't know how many are not since they don't appear in the logs). When connecting from the iPhone/iPad, there is an option to trust the certificate that pops up that I can click on and allow it to connect. I wonder if Apple made some changes with the latest update or if something else is going on (I am having some slowdown issues with VMware at the moment). I did find a couple of threads elsewhere discussing WiFi issues with IOS 11. Thanks for pointing me at some things to look at.


Make sure that

1.) Make sure the NPS uses an SSL server certificate from your enterprise PKI/CA

2.) Install the Root CA in the trusted certificate store of your end system (Apple / Windows)

2a.) In Windows make sure to use the right store... If the AD machine account is used, the computer store must be used for the certificates
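
The server-side checks suggested in the replies above (NPS certificate validity and the CA it chains to), as an added example that is not part of the original thread or any poster's own script. It assumes the PEAP server certificate sits in the NPS computer's Personal store with the Server Authentication EKU; the 30-day warning threshold is a constructed value.

```powershell
# Added example: run on the NPS server in an elevated PowerShell session.
# Assumption: the PEAP server certificate is in the computer's Personal store.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$warnDays      = 30                    # constructed threshold for "expires soon"
$now           = Get-Date

# Candidates: certificates with a private key that are valid for server authentication.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
}

foreach ($cert in $candidates) {
    # Build the chain from the local stores; revocation is not tested here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    # Last element is the root when the chain is complete, otherwise the
    # highest certificate that could be found.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $state = if ($cert.NotAfter -lt $now) {
        'EXPIRED'
    } elseif ($cert.NotBefore -gt $now) {
        'NOT YET VALID'
    } elseif ($cert.NotAfter -lt $now.AddDays($warnDays)) {
        'EXPIRES SOON'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        Validity       = $state
        ChainBuilds    = $chainOk
        ChainErrors    = ($chain.ChainStatus.Status -join ', ')
        RootSubject    = $top.Subject
        RootThumbprint = $top.Thumbprint   # compare with the root installed on clients
    }
}
```

A `RootThumbprint` that does not match the root CA installed on the iOS or Windows clients corresponds to possibility 2.) in the reply above; `Validity` other than `OK` corresponds to possibility 1.).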

 
