WLC + NPS + EAP-TLS + Machine certificate = Deauth after EAPOL key exchange sequence
Hi!
Since my account is not verified yet I can't share pictures or links (sorry...), but please ask if there is anything that is unclear.
I'm a bit lost here trying to set up EAP-TLS. I want my clients to automatically sign on to my corporate network using computer certificate (or user certificate, does not really matter – but I've tried both without any luck). I have the following "players" in my environment:
WLC - Cisco 2500 Wireless Controller
Radius NPS Windows 2012
Windows 10 clients
Local CA (Windows 2016)
I have followed a few different guides, without any luck and I've decided to reach out instead of trying more :)
So NPS configuration:
Connection Request Policies.
Conditions: NAS Port Type - Wireless - Other OR Wireless - IEEE 802.11
Settings: Authentication Provider - Local Computer
Network Policies.
NAS Port Type - Wireless - IEEE 802.11 OR Wireless – Other
Settings:
- Extensible Authentication Protocol Configuration - Configured
- Ignore User Dial-In Properties - True
- Access Permission - Grant Access
- Extensible Authentication Protocol Method - Microsoft: Smart Card or other Certificate
- Authentication Method - EAP
- NAP Enforcement - Allow full network access
- Update Noncompliant Clients - True
- Framed-Protocol - PPP
- Service-Type - Framed
Radius Clients
Cisco WLAN Controller
IP: 10.x.x.x
Device Manufacturer: RADIUS Standard
...
______________
Cisco WLC settings:
RADIUS Authentication Servers:
Server Address (IP address of my NPS server): 172.x.x.x
WLAN settings:
General:
- SSID: FT-EAP-TLS
- Interface: [reuse of the one currently used for laptops which connect via DA]
Security:
Layer 2
- Layer 2 security: WPA+WPA2
- WPA2 Policy [x]
- WPA2 Encryption - AES [x]
- Authentication Key management - 802.1X [x]
AAA Servers:
Authentication Servers: NPS server.
______________
CA template settings:
RADIUS NPS Certificate: Duplicate Workstation certificate & allow PKE
Client certificate: Duplicate Computer certificate & allow PKE
______________
GPO for end user:
Please note that I've published a GPO to configure the WLAN settings.
_______________
End user experience when trying to access the WLAN:
It keeps spinning until it times out. In the Event Viewer on the client I can see:
"Event 6105,netwtw06"
"6105 - deauth after EAPOL key exchange sequence"
_____________________
Is there any settings I need to configure on the APs?
Or do I need to upload the root & intermediate certificate to the WLC?
_______________
Additional information:
When I generate a wlanreport ("netsh wlan show wlanreport" from cmd) I can see:
- Wireless security started
- Wireless 802.1x authentication started
- Wireless 802.1x authentication was restarted
- User Uses Saved Credentials
- Wireless 802.1x authentication was restarted
- User Uses Saved Credentials
And it loops.
____________
From the WLCs message logs:
*spamApTask7: Sep 02 12:53:20.868: %LWAPP-3-REPLAY_ERR: spam_lrad.c:41295 The system has received replay error on slot 0, WLAN ID 4, count 1 from AP 70:69:5a:xx:xx:xx
*Dot1x_NW_MsgTask_2: Sep 02 12:53:16.525: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:849 Unable to send AAA message for client a4:34:d9xx:xx:xx
*Dot1x_NW_MsgTask_2: Sep 02 12:53:16.505: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:450 Authentication Aborted for client a4:34:d9:xx:xx:xx Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*spamApTask0: Sep 02 12:53:09.810: %LWAPP-3-REPLAY_ERR: spam_lrad.c:41295 The system has received replay error on slot 0, WLAN ID 4, count 4 from AP 40:01:7a:xx:xx:xx
*Dot1x_NW_MsgTask_2: Sep 02 12:52:58.499: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:849 Unable to send AAA message for client a4:34:d9:xx:xx:xx
___________________
Please help :) This has been my headache for quite some time now!
With best regards,
TB
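Added example (not part of the post and not Cisco's code): a small Python parser for WLC message-log lines in the format quoted above. It rebuilds each client's 802.1X event sequence in time order (the controller prints newest first) and flags clients for which the controller logged that it could not send the AAA message at all, which is worth checking before the certificate chain. The sample lines, the MAC addresses and the `year` value are constructed placeholders; WLC timestamps carry no year.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# AireOS message-log line: *task: Mon DD HH:MM:SS.mmm: %FAC-SEV-MNEMONIC: file.c:line text
LINE_RE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<src>\S+:\d+) (?P<msg>.*)$"
)
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b")

# Constructed sample modelled on the post's log; MACs are placeholders, not real devices.
SAMPLE_LOG = """\
*spamApTask7: Sep 02 12:53:20.868: %LWAPP-3-REPLAY_ERR: spam_lrad.c:41295 The system has received replay error on slot 0, WLAN ID 4, count 1 from AP 70:69:5a:00:00:01
*Dot1x_NW_MsgTask_2: Sep 02 12:53:16.525: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:849 Unable to send AAA message for client a4:34:d9:00:00:01
*Dot1x_NW_MsgTask_2: Sep 02 12:53:16.505: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:450 Authentication Aborted for client a4:34:d9:00:00:01 Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_2: Sep 02 12:52:58.499: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:849 Unable to send AAA message for client a4:34:d9:00:00:01
"""

def parse_line(line, year=2018):
    """Return a dict for one WLC log line, or None if it is not in that format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The log has no year; 'year' is an assumed placeholder used only for ordering.
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S.%f")
    rec["sev"] = int(rec["sev"])
    mac = MAC_RE.search(rec["msg"])
    rec["mac"] = mac.group(0) if mac else None
    return rec

def dot1x_timeline(text):
    """Per-client DOT1X mnemonics, oldest first (the WLC prints newest first)."""
    recs = sorted((r for r in map(parse_line, text.splitlines()) if r), key=lambda r: r["ts"])
    timeline = defaultdict(list)
    for r in recs:
        if r["facility"] == "DOT1X" and r["mac"]:
            timeline[r["mac"]].append(r["mnemonic"])
    return dict(timeline)

def triage(text):
    """Count message types and list clients whose RADIUS request was never sent
    (AAA_AUTH_SEND_FAIL): for those, check the WLAN's AAA server mapping and
    RADIUS reachability before looking at EAP-TLS certificates."""
    counts = Counter(f"{r['facility']}-{r['sev']}-{r['mnemonic']}"
                     for r in map(parse_line, text.splitlines()) if r)
    never_sent = sorted(mac for mac, ev in dot1x_timeline(text).items()
                        if "AAA_AUTH_SEND_FAIL" in ev)
    return counts, never_sent

if __name__ == "__main__":
    counts, macs = triage(SAMPLE_LOG)
    print(counts.most_common(), macs, dot1x_timeline(SAMPLE_LOG))
```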