Wyant Niswonger

asked on

Configure Windows 2012r2 NPS to authenticate Apple Time Capsule Clients

I have a small home-office network. I have a Cisco Wireless LAN Controller with the latest code and several 36 37xx APs throughout the building. My main computer is a MacBook Pro and I have an Apple Time Capsule (latest generation) that I would like to use in my office for both Wi-Fi access and Time Machine backups. I can configure the Time Capsule as WPA2 Personal and it works fine. I can connect the Mac to my WPA2 Enterprise networks (although the coverage is spotty due to location, etc.) and it works. What I have been unable to do is get the Time Capsule to allow authentication of the MacBook Pro. I can see in the logs that the client computer is authenticated and the calling station ID matches the MAC of the Time Capsule. I am at a loss as to where to go now. I have tried using different SSIDs, the same SSID as something on the WLC, etc. Anyone??
strung

How do you have the Time Capsule connected and configured? Assuming that the NAT and DHCP are being done by a router elsewhere, the Time Capsule should be connected by connecting its WAN port to your router or switch. The Time Capsule should be set to BRIDGE mode using AirPort Utility.
Wyant Niswonger (ASKER)

It is plugged into a switch via its WAN port. It is set to bridged mode. The NAT and DHCP are off. If I plug a device into the Ethernet ports, I get an IP from my Windows DHCP server and I can access the Internet and network resources. I am using Windows Server 2012 R2 as my RADIUS server. It works well for my Cisco WLC and Cisco CLI devices.
What are the settings you are using in the AirPort Utility? I presume you have set authentication to WPA2 Enterprise? This should have brought up a pop-up with your RADIUS server settings. Are all the settings correct?

See screenshot for the page I am referring to
(attachment: Screen-Shot-2015-07-29-at-11.35.28-AM.pd)
Yes, I have it set to WPA2 Enterprise. I have the settings correct. For the moment, I have the IP of 192.168.10.254 and a shared secret of SHAREDSECRET (Don't worry once I get it working I will change that.) This is what I see...

From this machine that I am writing this post on, I can ping the RADIUS server and from the RADIUS server I can ping the Time Capsule. [screenshot]
Are the port numbers set correctly in the AirPort pop-up box?
I believe so. I changed the shared secret to 1234 just to make things easier to troubleshoot. See below. The NAP / NPS server is 192.168.10.254. It is a Windows Server 2012 R2 AD physical machine. [screenshot]
I just removed the RADIUS client from the NPS and re-added it back in. Then I stopped and started the NPS service. [screenshot]
Any possibility that the RADIUS server is blocking the Mac's Wi-Fi MAC address?
Don't think so because when I look at the event log on the server I don't see the connection requests at all. But I will check again.
Try setting the Time Capsule to a fixed IP address on the same subnet as your server, but out of the range used by your DHCP server, then refer to the TC by its IP address, rather than by name.
OK, attempting now.
Have a look at the documentation starting at pages 45 - 49 of this Apple pdf:

https://manuals.info.apple.com/MANUALS/0/MA930/en_US/Apple_AirPort_Networks_Early2009.pdf
OK, looking at that now. I changed the IP on the Time Cap to the same /24 and the Ethernet is OK. But the Wi-Fi is just cycling through. It has not errored out nor has it connected. When I look at the logs, I don't see a connection request. Going to read what you just sent. Thanks!
Thanks. Reading now.
OK. I have read everything. I am getting nowhere. I see a couple of errors (finally!) in the event log indicating that the NAS sent a malformed message. I cannot find any location on the Interweb to show me what to set the client to in NPS. The only way I was able to see these messages was to change to the old legacy ports on the Time Capsule. Any thoughts / ideas? I'm getting pretty desperate. The Time cap is brand new and I dumped the NPS config and started over.
I am just about out of ideas. All I can suggest is changing the default port in the TC from 1812 to UDP port 1645, which is the alternative RADIUS port.
I did that. That is how I see the connection attempts that fail. I guess I just can't find what settings in NPS I should have set for the Time Capsule. I don't know if it is a RADIUS Standard device, or something special. I don't know if I should check the box for Message Authenticator or not. Thanks for your help so far.
ASKER CERTIFIED SOLUTION
strung
"strung" hung in there!!! It turned out to be a bad certificate on the AD. I recreated the policy and the client, but this time didn't let the Policy default to the Certificate and instead chose one from the CA and the laptop is now on the network!!! Thank YOU!!! As a note, you don't need any special settings on the client in NPS, but, and this is important, The latest generation of Time Capsule (the one with 3 TB and 802.11ac) was not seen in any event log on the server using the default of port 1812. Once I changed the port, and changed the certificate, I was good to go.

Thank you!
For anyone out there in a similar situation, here is what ended up being the final solution....

I had a second domain controller that I installed NPS on (Windows Server 2012 R2). Once I did that, I used the wizard to create an 802.1X RADIUS policy. The Apple Time Capsule was created as a RADIUS Standard client with a shared secret. Then I had a "Connection Request Policy" named, oddly enough, "Apple". The only setting in it is the "NAS Port Type", wherein I chose "Wireless - Or Other Wireless....". Everything else in that policy was left at default. Then the "Network Policy", also oddly enough named "Apple", was created. Very basic. NAS Port Type again Wireless, and the Windows group I chose was WLC (Wireless LAN Controller). The authentication was set to PEAP. I selected a certificate.

NOW HERE IS WHERE IT WAS GOING WRONG>>

For a Cisco WLC you choose only PEAP and the certificate you want to use and uncheck all the other less secure authentication methods. I left the top 2 groups and their subgroups checked and I restarted the NPS service. Once I did this, I went to my iPad and attempted to join the Apple network. I was immediately prompted to accept the security certificate and log in with my domain credentials. I am going to create a profile on my main NPS server that references the Time Capsule specifically and see if it still works. If so, that was the issue all along. I want to thank Mr/Ms Strung who stayed with me the whole time attempting to get this one right!

Regards:

kb9ybk
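The final configuration in the last post, together with the checks that would have localised the two problems hit earlier in the thread (requests never appearing in the server's event log on port 1812, and a bad PEAP server certificate), collected into one PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on the Windows Server 2012 R2 NPS host with the NPS module present, and the client name `TimeCapsule`, the Time Capsule's fixed address `192.168.10.20` and the shared secret are placeholder values.

```powershell
# Added example, not from the original thread. Run elevated on the NPS server.
# Placeholders (assumed values): client name, Time Capsule IP, shared secret.
Import-Module NPS

$ClientName    = 'TimeCapsule'
$TimeCapsuleIp = '192.168.10.20'                 # fixed address outside the DHCP scope
$SharedSecret  = 'ReplaceWithLongRandomSecret'   # placeholder; use a long random string

# 1. RADIUS client as the thread ended up with it: a "RADIUS Standard" device,
#    no vendor-specific settings, Message-Authenticator not required.
$existing = Get-NpsRadiusClient | Where-Object { $_.Name -eq $ClientName }
if (-not $existing) {
    New-NpsRadiusClient -Name $ClientName -Address $TimeCapsuleIp `
        -SharedSecret $SharedSecret -VendorName 'RADIUS Standard' `
        -AuthAttributeRequired $false | Out-Null
}
Get-NpsRadiusClient | Where-Object { $_.Name -eq $ClientName } |
    Format-List Name, Address, VendorName, AuthAttributeRequired, Enabled

# 2. Which RADIUS UDP ports is the server actually listening on? The thread only
#    saw requests after the Time Capsule was moved from 1812 to the legacy 1645,
#    so confirm that both authentication ports are open before blaming policy.
$radiusPorts = 1812, 1813, 1645, 1646
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in $radiusPorts } |
    Sort-Object LocalPort | Format-Table LocalAddress, LocalPort, OwningProcess

# 3. Firewall rules that admit those ports. If no enabled inbound rule matches,
#    the packets are dropped before NPS ever logs anything.
Get-NetFirewallPortFilter | Where-Object {
    $_.Protocol -eq 'UDP' -and ($_.LocalPort | Where-Object { $_ -in $radiusPorts })
} | Get-NetFirewallRule | Format-Table DisplayName, Enabled, Direction, Action

# 4. NPS audit events in the Security log: 6272 access granted, 6273 access
#    denied, 6274 request discarded (where a request from a NAS with a bad
#    shared secret or malformed packet lands). No events at all while the
#    client is cycling means the requests are not reaching NPS (IP, port, firewall).
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# 5. The root cause in the thread was the server certificate NPS presented for
#    PEAP. List the machine-store certificates PEAP can use: private key present,
#    Server Authentication EKU, not expired. (A certificate with an empty EKU list
#    is valid for all purposes and is deliberately not matched here.)
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication')
} | Format-Table Subject, Issuer, NotAfter, Thumbprint
```

The NPS PowerShell module only manages RADIUS clients and configuration import/export; the Connection Request Policy and Network Policy (NAS Port Type "Wireless - Other", PEAP with the certificate chosen explicitly from the CA rather than the default) still have to be set in the NPS console or with `netsh nps`. Pick the PEAP certificate by the thumbprint printed in step 5 so the policy does not silently fall back to whatever certificate the wizard selected.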