Authenticate a flex connect AP with a Windows NPS
03-17-2021 02:15 AM - edited 07-05-2021 01:24 PM
Hi Community,
I want to implement a Flex Connect AP with a local 802.1X Auth. on a Windows NPS. My setup is:
- Catalyst 9800-CL
- AP Join Profile with Dot1x Credentials
- Cisco AP (Flex Mode) connected to an Aruba switch with 802.1X port auth via PEAP against a Windows NPS.
The username and password are known by the RADIUS server, and the AP is directly connected to the controller to get the configuration profile. But if I connect the AP to the switch, it tries to authenticate with 802.1X and the process fails:
[*03/14/2021 02:49:05.8885] hostapd:dot1x: RX EAPOL from b0:5a:da:98:26:00
[*03/14/2021 02:49:05.8885] hostapd:EAP: Status notification: started (param=)
[*03/14/2021 02:49:05.8885] hostapd:EAP: EAP-Request Identity
[*03/14/2021 02:49:05.8936] hostapd:dot1x: RX EAPOL from b0:5a:da:98:26:00
[*03/14/2021 02:49:05.8936] hostapd:EAP: Status notification: accept proposed method (param=PEAP)
[*03/14/2021 02:49:05.8938] hostapd:OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:l)
[*03/14/2021 02:49:05.8938] hostapd:OpenSSL: pending error: error:2006D080:lib(32):func(109):reason(128)
[*03/14/2021 02:49:05.8938] hostapd:OpenSSL: pending error: error:0B084002:lib(11):func(132):reason(2)
[*03/14/2021 02:49:05.8938] hostapd:OpenSSL: tls_load_ca_der - Failed load CA in DER format error:02001002:lib(2):func()
[*03/14/2021 02:49:05.8939] hostapd:OpenSSL: pending error: error:20074002:lib(32):func(116):reason(2)
[*03/14/2021 02:49:05.8939] hostapd:OpenSSL: pending error: error:0B06F002:lib(11):func(111):reason(2)
[*03/14/2021 02:49:05.8939] hostapd:TLS: Failed to set TLS connection parameters
[*03/14/2021 02:49:05.8939] hostapd:EAP-PEAP: Failed to initialize SSL.
[*03/14/2021 02:49:05.8939] hostapd:dot1x: EAP: Failed to initialize EAP method: vendor 0 method 25 (PEAP)
[*03/14/2021 02:49:05.8970] hostapd:dot1x: RX EAPOL from b0:5a:da:98:26:00
[*03/14/2021 02:49:05.8971] hostapd:EAP: Status notification: completion (param=failure)
[*03/14/2021 02:49:05.8971] hostapd:dot1x: CTRL-EVENT-EAP-FAILURE EAP authentication failed
[*03/14/2021 02:49:10.2901] Waiting for preferred uplink IP configuration
[*03/14/2021 02:49:11.2991] Resetting wired0 and restart DHCP client
The NPS receives the request but shows the error:
The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
I don't want to auth. clients, only the APs with PEAP. Is it possible? What did I miss?
Thanks in advance!
Markus
03-17-2021 03:03 AM
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/802-1x-support.html#id_79044
*** Please rate helpful posts ***
03-17-2021 03:36 AM - edited 03-17-2021 06:49 AM
Hi Scott,
Thank you for your tip. I checked this guideline and I did everything as it is given there. But the problem is still there.
Edit: I also wonder why the service hostapd is printing out the logs. In my opinion, wpa_supplicant is responsible for dot1x auth....
Any other idea?
03-17-2021 07:15 AM
03-17-2021 05:02 PM
03-17-2021 12:47 PM
PEAP needs the RADIUS CA to be known by the AP; then you can use a password.
03-18-2021 03:33 AM
Ok, sounds good, but how does the AP get the root CA? I can't upload the cer file in any UI menu.
03-18-2021 07:56 AM - edited 03-18-2021 08:19 AM
Time for updates:
- I've (possibly) solved the cert issue by exporting a pfx file from the NPS and uploading it via Configuration > WebAuth > Certificates. Now the cert is set as trustpoint. Then configure LSC Provision via Configuration > Wireless > Access Points List at the bottom. Enable the status, set the trustpoint and add the AP to the provision list. After reboot the bootlog shows no cert errors.... yeah!
- But the error message on NPS is still the same. The switch also works as expected; I've tested it with some other devices (laptops etc.). Bootlog shows:
[*03/14/2021 23:20:09.4616] hostapd:dot1x: RX EAPOL from b0:5a:da:98:26:00
[*03/14/2021 23:20:09.4616] hostapd:EAP: Status notification: started (param=)
[*03/14/2021 23:20:09.4616] hostapd:EAP: EAP-Request Identity
[*03/14/2021 23:20:09.4668] hostapd:dot1x: RX EAPOL from b0:5a:da:98:26:00
[*03/14/2021 23:20:09.4668] hostapd:EAP: Status notification: refuse proposed method (param=PEAP)
[*03/14/2021 23:20:09.4702] hostapd:dot1x: RX EAPOL from b0:5a:da:98:26:00
[*03/14/2021 23:20:09.4703] hostapd:EAP: Status notification: completion (param=failure)
[*03/14/2021 23:20:09.4703] hostapd:dot1x: CTRL-EVENT-EAP-FAILURE EAP authentication failed
I guess it has something to do with the MSCHAPv2 config on my network policy settings....
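The two AP boot logs in this thread show two different failure signatures: the first one fails inside OpenSSL before the TLS tunnel is built (no trusted root CA on the AP), the second one fails at EAP method negotiation ("refuse proposed method (param=PEAP)") after the certificate had been fixed. The following script is an added example written for this edit; it is not from the thread, from Cisco or from NPS. It parses hostapd-style `[*timestamp] message` lines, records which EAP method was negotiated, and maps the lines to one of the two causes seen above so a defender reviewing a batch of AP logs can separate certificate-trust problems from EAP-type mismatches. The cause names, the hint texts and the success sample log are constructed for the example; the two failure samples are copied from the posts above.

```python
"""Triage hostapd/wpa_supplicant-style 802.1X EAP lines from a Cisco AP boot log.

Added example for this thread, not code from Cisco, NPS or the poster.  It only
recognises the two failure signatures that appear in the thread plus the
standard CTRL-EVENT-EAP-SUCCESS/FAILURE markers.
"""
import re
from typing import Dict, List, Optional

# "[*03/14/2021 02:49:05.8885] hostapd:dot1x: RX EAPOL from ..."
LINE_RE = re.compile(r"^\[\*(?P<ts>[^\]]+)\]\s*(?P<msg>.*)$")
METHOD_RE = re.compile(r"(?:accept|refuse) proposed method \(param=(?P<method>\w+)\)")

# Ordered (pattern, cause) pairs; the first line that matches fixes the cause.
# Cause names are constructed labels for this example.
CAUSES = [
    (re.compile(r"Failed to load root certificates|Failed load CA"), "ap-missing-root-ca"),
    (re.compile(r"refuse proposed method \(param=\w+\)"), "eap-method-refused"),
]

# Defender hints per cause (constructed wording, based on what the thread reports).
HINTS = {
    "ap-missing-root-ca": "AP has no trusted CA for the RADIUS server certificate; "
                          "install the CA chain as the AP trustpoint.",
    "eap-method-refused": "EAP method was refused during negotiation; compare the EAP type "
                          "in the AP join profile with the EAP types offered by the NPS "
                          "network policy (NPS logged 'EAP Type cannot be processed').",
    "eap-failure-unclassified": "EAP failed without a recognised cause line; read the full "
                                "exchange and the NPS event log.",
}


def parse(log: str) -> List[Dict[str, str]]:
    """Split a boot log into {ts, msg} records; lines without the [*ts] prefix are dropped."""
    records = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append({"ts": m.group("ts"), "msg": m.group("msg")})
    return records


def triage(log: str) -> Dict[str, object]:
    """Return outcome, negotiated EAP method, first matching cause, hint and evidence lines."""
    result: Dict[str, object] = {"outcome": "unknown", "eap_method": None,
                                 "cause": None, "hint": None, "evidence": []}
    evidence: List[str] = result["evidence"]  # type: ignore[assignment]
    for rec in parse(log):
        msg = rec["msg"]
        mm = METHOD_RE.search(msg)
        if mm:
            result["eap_method"] = mm.group("method")
        if "CTRL-EVENT-EAP-SUCCESS" in msg:
            result["outcome"] = "success"
        elif "CTRL-EVENT-EAP-FAILURE" in msg:
            result["outcome"] = "failure"
        for pattern, cause in CAUSES:
            if pattern.search(msg):
                evidence.append(f"{rec['ts']} {msg}")
                if result["cause"] is None:
                    result["cause"] = cause
    if result["outcome"] == "failure" and result["cause"] is None:
        result["cause"] = "eap-failure-unclassified"
    cause: Optional[str] = result["cause"]  # type: ignore[assignment]
    result["hint"] = HINTS.get(cause) if cause else None
    return result


# Sample 1: copied from the first post (AP cannot load the root CA).
LOG_NO_CA = """\
[*03/14/2021 02:49:05.8936] hostapd:EAP: Status notification: accept proposed method (param=PEAP)
[*03/14/2021 02:49:05.8938] hostapd:OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:l)
[*03/14/2021 02:49:05.8938] hostapd:OpenSSL: tls_load_ca_der - Failed load CA in DER format error:02001002:lib(2):func()
[*03/14/2021 02:49:05.8939] hostapd:EAP-PEAP: Failed to initialize SSL.
[*03/14/2021 02:49:05.8971] hostapd:dot1x: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

# Sample 2: copied from the update post (cert fixed, PEAP refused at negotiation).
LOG_REFUSED = """\
[*03/14/2021 23:20:09.4616] hostapd:EAP: EAP-Request Identity
[*03/14/2021 23:20:09.4668] hostapd:EAP: Status notification: refuse proposed method (param=PEAP)
[*03/14/2021 23:20:09.4703] hostapd:dot1x: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

# Sample 3: constructed success log (not from the thread).
LOG_OK = """\
[*01/01/2021 00:00:00.0000] hostapd:EAP: Status notification: accept proposed method (param=PEAP)
[*01/01/2021 00:00:00.0001] hostapd:dot1x: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
"""

if __name__ == "__main__":
    for name, sample in (("no-ca", LOG_NO_CA), ("refused", LOG_REFUSED), ("ok", LOG_OK)):
        r = triage(sample)
        print(f"{name:8} outcome={r['outcome']} method={r['eap_method']} cause={r['cause']}")
        if r["hint"]:
            print(f"         hint: {r['hint']}")
```

Run it as is to see the three classifications; feed it a full boot log (the whole `[*...]` block, not just the EAP lines) and `parse()` will skip the non-EAP lines while `triage()` still picks up the first cause it recognises.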
11-30-2022 06:45 AM
I am stuck at the same point with the same error. Did someone manage to secure a LAP with 802.1X and NPS?
