Configure Windows 2012r2 NPS to authenticate Apple Time Capsule Clients

I have a small home-office network. I have a Cisco Wireless LAN Controller with the latest code and several 36xx/37xx APs throughout the building. My main computer is a MacBook Pro and I have an Apple Time Capsule (latest generation) that I would like to use in my office for both Wi-Fi access and Time Machine backups. I can configure the Time Capsule as WPA2 Personal and it works fine. I can connect the Mac to my WPA2 Enterprise networks (although the coverage is spotty due to location, etc.) and it works. What I have been unable to do is get the Time Capsule to allow authentication of the MacBook Pro. I can see in the logs that the client computer is authenticated and the calling station ID matches the MAC of the Time Capsule. I am at a loss as to where to go now. I have tried using different SSIDs, the same SSID as something on the WLC, etc. Anyone??
Wyant Niswonger (President) asked:
strung commented:
How do you have the Time Capsule connected and configured? Assuming that the NAT and DHCP are being done by a router elsewhere, the TimeCapsule should be connected by connecting its WAN port to your router or switch. The Time Capsule should be set to BRIDGE mode using Airport Utility.
Wyant Niswonger (President, Author) commented:
It is plugged into a switch via its WAN port. It is set to bridged mode. NAT and DHCP are off. If I plug a device into the Ethernet ports, I get an IP from my Windows DHCP server and I can access the Internet and network resources. I am using Windows Server 2012 R2 as my RADIUS server. It works well for my Cisco WLC and Cisco CLI devices.
strung commented:
What are the settings you are using in the Airport Utility? I presume you have set authentication to WPA2 Enterprise? This should have brought up a pop-up with your RADIUS server settings. Are all the settings correct?

See screenshot for the page I am referring to.
[Screenshot attachment: Screen-Shot-2015-07-29-at-11.35.28-AM.pd]
Wyant Niswonger (President, Author) commented:
Yes, I have it set to WPA2 Enterprise. I have the settings correct. For the moment, I have the IP of 192.168.10.254 and a shared secret of SHAREDSECRET (don't worry, once I get it working I will change that). This is what I see...

From this machine that I am writing this post on, I can ping the RADIUS server, and from the RADIUS server I can ping the Time Capsule.
[Screenshot attachment: Error Displayed]
strung commented:
Are the port numbers set correctly in the Airport pop-up box?
Wyant Niswonger (President, Author) commented:
I believe so. I changed the shared secret to 1234 just to make things easier to troubleshoot. See below. The NAP / NPS server is 192.168.10.254. It is a Windows Server 2012 R2 AD physical machine.
[Screenshot attachment: Screen-Shot-2015-07-29-at-10.56.51-AM.pn]
Wyant Niswonger (President, Author) commented:
I just removed the RADIUS client from the NPS and re-added it. Then I stopped and started the NPS service.
[Screenshot attachment: Screen-Shot-2015-07-29-at-10.59.04-AM.pn]
strung commented:
Any possibility that the RADIUS server is blocking the Mac's Wi-Fi MAC address?
Wyant Niswonger (President, Author) commented:
Don't think so, because when I look at the event log on the server I don't see the connection requests at all. But I will check again.
strung commented:
Try setting the Time Capsule to a fixed IP address on the same subnet as your server, but out of the range used by your DHCP server, then refer to the TC by its IP address rather than by name.
Wyant Niswonger (President, Author) commented:
OK, attempting now.
strung commented:
Have a look at the documentation starting at pages 45-49 of this Apple PDF:

https://manuals.info.apple.com/MANUALS/0/MA930/en_US/Apple_AirPort_Networks_Early2009.pdf
Wyant Niswonger (President, Author) commented:
OK, looking at that now. I changed the IP on the Time Capsule to the same /24 and the Ethernet is OK. But the Wi-Fi is just cycling through. It has not errored out, nor has it connected. When I look at the logs, I don't see a connection request. Going to read what you just sent. Thanks!
Wyant Niswonger (President, Author) commented:
Thanks. Reading now.
Wyant Niswonger (President, Author) commented:
OK. I have read everything. I am getting nowhere. I see a couple of errors (finally!) in the event log indicating that the NAS sent a malformed message. I cannot find any location on the Interweb to show me what to set the client to in NPS. The only way I was able to see these messages was to change to the old legacy ports on the Time Capsule. Any thoughts / ideas? I'm getting pretty desperate. The Time Capsule is brand new and I dumped the NPS config and started over.
strung commented:
I am just about out of ideas. All I can suggest is changing the default port in the TC from 1812 to UDP port 1645, which is the alternative RADIUS port.
Wyant Niswonger (President, Author) commented:
I did that. That is how I am seeing the connection attempts that fail. I guess I just can't find what settings in NPS I should have set for the Time Capsule. I don't know if it is a RADIUS Standard device or something special. I don't know if I should check the box for Message-Authenticator or not. Thanks for your help so far.
strung commented:
Wyant Niswonger (President, Author) commented:
"strung" hung in there!!! It turned out to be a bad certificate on the AD. I recreated the policy and the client, but this time didn't let the policy default to the certificate and instead chose one from the CA, and the laptop is now on the network!!! Thank YOU!!! As a note, you don't need any special settings on the client in NPS, but, and this is important, the latest generation of Time Capsule (the one with 3 TB and 802.11ac) was not seen in any event log on the server using the default of port 1812. Once I changed the port, and changed the certificate, I was good to go.

Thank you!
Wyant Niswonger (President, Author) commented:
For anyone out there in a similar situation, here is what ended up being the final solution....

I had a second domain controller that I installed NPS on (Windows Server 2012 R2). Once I did that, I used the wizard to create an 802.1X RADIUS policy. The Apple Time Capsule was created as a RADIUS Standard client with a shared secret. Then I had a "Connection Request Policy" named, oddly enough, "Apple". The only setting in it is the "NAS Port Type", wherein I chose "Wireless - Or Other Wireless....". Everything else in that policy was left at default. Then the "Network Policy", also oddly enough named "Apple", was created. Very basic. NAS Port Type again Wireless, and the Windows group I chose was WLC (Wireless LAN Controller). The authentication was set to PEAP. I selected a certificate.

NOW HERE IS WHERE IT WAS GOING WRONG>>

For a Cisco WLC you choose only PEAP and the certificate you want to use and uncheck all the other less secure authentication methods. I left the top 2 groups and their subgroups checked and I restarted the NPS service. Once I did this, I went to my iPad and attempted to join the Apple network. I was immediately prompted to accept the security certificate and log in with my domain credentials. I am going to create a profile on my main NPS server that references the Time Capsule specifically and see if it still works. If so, that was the issue all along. I want to thank Mr/Ms Strung, who stayed with me the whole time attempting to get this one right!

Regards:

kb9ybk
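The final write-up above boils down to three checks: the Time Capsule is registered as a plain RADIUS Standard client, NPS is actually listening on the UDP port the Time Capsule sends to (the poster only saw requests after moving to the legacy port 1645), and the PEAP server certificate is a usable Server Authentication certificate rather than whatever the wizard defaulted to. The PowerShell below is an added example written for this page; it is not the poster's or Microsoft's script. It uses the NPS module cmdlets and the security-log event IDs that NPS writes (6272 granted, 6273 denied, 6274 discarded). The client name "Apple-TimeCapsule" and the Time Capsule address 192.168.10.20 are constructed; the NPS address 192.168.10.254 is the one from the thread. The connection request policy and network policy (NAS Port Type = Wireless, PEAP only) have no dedicated cmdlets and are still created in the NPS console as the poster describes.

```powershell
# Added example, not from the thread: reproduce the poster's final NPS setup for an
# Apple Time Capsule and run the checks that would have shortened the troubleshooting.
# Constructed values: client name 'Apple-TimeCapsule', Time Capsule address 192.168.10.20.
# Run on the NPS server (192.168.10.254 in the thread) in an elevated PowerShell session.

Import-Module NPS

# 1. Register the Time Capsule as a "RADIUS Standard" client. The poster confirmed no
#    vendor-specific settings are needed. A long random shared secret is generated here
#    and printed once so it can be pasted into Airport Utility.
$alphabet = (48..57) + (65..90) + (97..122)          # 0-9, A-Z, a-z
$secret   = -join (1..32 | ForEach-Object { [char](Get-Random -InputObject $alphabet) })
New-NpsRadiusClient -Name 'Apple-TimeCapsule' -Address '192.168.10.20' `
    -SharedSecret $secret -VendorName 'RADIUS Standard' -Enabled $true
Write-Host "Shared secret for Airport Utility: $secret"

# 2. Confirm NPS (service name IAS) is listening on the port the Time Capsule uses.
#    RADIUS authentication is UDP 1812 (IANA) or 1645 (legacy); accounting is 1813 / 1646.
#    If only one of each pair is listed, the Time Capsule must be set to that one.
Get-NetUDPEndpoint -LocalPort 1812, 1645, 1813, 1646 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. The root cause in the thread was the server certificate. PEAP needs a certificate in
#    the machine store with a private key, not expired, and the Server Authentication EKU
#    (OID 1.3.6.1.5.5.7.3.1). Pick one of these thumbprints in the network policy's PEAP
#    settings instead of accepting the wizard's default. (A certificate with no EKU
#    extension at all is valid for every purpose and is deliberately excluded here.)
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint

# 4. Restart NPS after the policy changes, as the poster did.
Restart-Service -Name IAS

# 5. While the Mac tries to join, watch the NPS audit events in the Security log:
#    6272 = access granted, 6273 = access denied, 6274 = request discarded.
#    A shared-secret mismatch or a malformed packet ends up as 6274 (or nothing at all,
#    which is the "not seen in any event log" symptom from the thread: wrong port).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Step 5 is the fastest way to tell the two failure modes apart: no events at all means the packets never reached NPS (port or firewall), while 6274 entries mean NPS saw the request but threw it away (shared secret, unknown client address, or a packet it could not parse). Only once 6273 entries appear is the problem inside the policies or the certificate.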