08-08-2018 11:43 AM - edited 07-05-2021 08:57 AM
I am using VWLC and a mixture of 3700/3800/1560 APs. I am using multiple SSIDs with multiple authentication methods. When I added the 1560 I upgraded the VWLC to 8.7.102 and had everything working. Recently I started having occasional connectivity issues with the SSID that authenticates to Microsoft NPS (Server 2016) with RADIUS. I use a certificate from a Microsoft Enterprise CA on the NPS. I upgraded to 8.7.106.0 and have since downgraded to 8.3.143.0, which didn't really fix the problem. When any iOS user connects via RADIUS, it spins for a while and eventually says incorrect password. Nothing gets logged in the NPS logs on the Windows server for these events. Android users have no problems. Not quite sure what to look at from here. I did a debug client on the VWLC and while I didn't really see any errors, I am not completely sure what to look for. Any help would be appreciated.
08-09-2018 02:24 AM
So, as Apple clients work, I assume there is no connectivity problem between WLC and NPS.
First of all, the WLC is not involved in the authentication process - it just repacks the EAP authentication messages from 802.1X (Layer-2) in RADIUS (Layer-3).
I'm assuming you are using EAP-TLS or PEAP on your clients, right?
If you don't see anything on the NPS server, then I assume it is a client-related issue.
Possibilities:
- Windows client does not try to authenticate, because its own user/client certificate is expired
- Windows client aborts authentication after the SSL server hello message from NPS is received. Possible reasons for this:
1.) NPS certificate is expired (I guess this is not it, because I assume NPS would stop working)
2.) The clients are configured to verify the server certificate and don't trust the CA.
08-09-2018 05:22 AM
08-09-2018 05:46 AM
Make sure that
1.) Make sure the NPS uses an SSL server certificate from your enterprise PKI/CA
2.) Install the Root CA in the trusted certificate store of your end system (Apple / Windows)
2a.) In Windows make sure to use the right store... If the AD machine account is used, the computer store must be used for the certificates
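
The two server-side causes raised in this thread (an expired NPS certificate, or a client that does not trust the issuing CA) can be checked offline with OpenSSL. The script below is an added example, not code from any poster in the thread: it builds a constructed lab PKI (the file names and the CN `nps.lab.example` are made up) and classifies a server certificate against the root the client is supposed to trust. To use it on real data, export the NPS certificate and the root CA to PEM files first.

```shell
#!/usr/bin/env bash
# Added example: constructed lab PKI, not the thread's NPS server or CA.

# Create a root CA, an unrelated root, and a RADIUS server cert valid 10 days.
make_lab_pki() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated Root" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=nps.lab.example" \
    -keyout "$d/nps.key" -out "$d/nps.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/nps.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 10 -out "$d/nps.pem" 2>/dev/null
}

# check_server_cert CERT TRUSTED_ROOT WARN_DAYS
# returns 0 = ok, 1 = expired, 2 = does not chain to TRUSTED_ROOT,
#         3 = valid but expires within WARN_DAYS
check_server_cert() {
  local cert=$1 root=$2 warn_days=$3
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "EXPIRED: $cert"; return 1
  fi
  # Same decision a supplicant makes when it validates the server certificate.
  if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
    echo "UNTRUSTED: $cert does not chain to $root"; return 2
  fi
  if ! openssl x509 -in "$cert" -noout \
       -checkend $((warn_days * 86400)) >/dev/null; then
    echo "EXPIRING: $cert expires within $warn_days days"; return 3
  fi
  echo "OK: $cert"; return 0
}

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
make_lab_pki "$LAB"
check_server_cert "$LAB/nps.pem" "$LAB/ca.pem" 5 || true     # correct root installed
check_server_cert "$LAB/nps.pem" "$LAB/other.pem" 5 || true  # wrong root on the client
check_server_cert "$LAB/nps.pem" "$LAB/ca.pem" 20 || true    # renewal is due
```

The "UNTRUSTED" result corresponds to a client that has a different root in its trust store than the one that issued the NPS certificate.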