5760/3850 Series WLC PEAP Authentication with Microsoft NPS Configuration Example

Introduction

This document describes how to configure Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2) authentication on a Cisco Converged Access Wireless LAN (WLAN) deployment with the Microsoft Network Policy Server (NPS) as the RADIUS server.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics before you attempt the configuration described in this document:

• Basic Microsoft Windows Version 2008 installation
• Cisco Converged Access WLAN controller installation

Ensure that these requirements are met before you attempt this configuration:

• Install the Microsoft Windows Server Version 2008 Operating System (OS) on each of the servers in the test lab.
• Update all of the service packs.
• Install the controllers and Lightweight Access Points (LAPs).
• Configure the latest software updates.

Note: For initial installation and configuration information for the Cisco Converged Access WLAN controllers, refer to the CT5760 Controller and Catalyst 3850 Switch Configuration Example Cisco article.

Components Used

The information in this document is based on these software and hardware versions:

• Cisco 5760 Series WLAN Controller Version 3.3.2 (Next Generation Wiring Closet (NGWC))
• Cisco 3602 Series LAP
• Microsoft Windows XP with Intel PROset Supplicant
• Microsoft Windows Version 2008 Server that runs NPS with Domain Controller Roles
• Cisco Catalyst 3560 Series Switch

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

PEAP uses Transport Level Security (TLS) in order to create an encrypted channel between an authenticating PEAP client, such as a wireless laptop, and a PEAP authenticator, such as the Microsoft NPS or any RADIUS server. PEAP does not specify an authentication method but provides additional security for other Extensible Authentication Protocols (EAPs), such as EAP-MS-CHAP v2, that can operate through the TLS-encrypted channel that is provided by PEAP. The PEAP authentication process consists of two main phases.

PEAP Phase One: TLS-Encrypted Channel

The wireless client associates with the Access Point (AP). An IEEE 802.11-based association provides an open system or shared key authentication before a secure association is created between the client and the AP. After the IEEE 802.11-based association is successfully established between the client and the AP, the TLS session is negotiated with the AP.

After authentication is successfully completed between the wireless client and the NPS, the TLS session is negotiated between the client and the NPS. The key that is derived within this negotiation is used in order to encrypt all subsequent communication.

PEAP Phase Two: EAP-Authenticated Communication

EAP communication, which includes EAP negotiation, occurs inside of the TLS channel that is created by PEAP within the first stage of the PEAP authentication process. The NPS authenticates the wireless client with EAP-MS-CHAP v2. The LAP and the controller only forward messages between the wireless client and the RADIUS server. The WLAN Controller (WLC) and the LAP cannot decrypt the messages because the WLC is not the TLS endpoint.

Here is the RADIUS message sequence for a successful authentication attempt, where the user supplies valid password-based credentials with PEAP-MS-CHAP v2:

1. The NPS sends an identity request message to the client:
   
   

   EAP-Request/Identity

2. The client responds with an identity response message:
   
   

   EAP-Response/Identity

3. The NPS sends an MS-CHAP v2 challenge message:
   
   

   EAP-Request/EAP-Type=EAP MS-CHAP-V2 (Challenge)

4. The client responds with an MS-CHAP v2 challenge and response:
   
   

   EAP-Response/EAP-Type=EAP-MS-CHAP-V2 (Response)

5. The NPS responds with an MS-CHAP v2 success packet when the server successfully authenticates the client:
   
   

   EAP-Request/EAP-Type=EAP-MS-CHAP-V2 (Success)

6. The client responds with an MS-CHAP v2 success packet when the client successfully authenticates the server:
   
   

   EAP-Response/EAP-Type=EAP-MS-CHAP-V2 (Success)

7. The NPS sends an EAP-type-length-value (TLV) that indicates successful authentication.
   
   
8. The client responds with an EAP-TLV status success message.
   
   
9. The server completes authentication and sends an EAP-Success message in plain text. If VLANs are deployed for client isolation, the VLAN attributes are included in this message.

Configure

Use this section in order to configure PEAP with MS-CHAP v2 authentication on a Cisco Converged Access WLC deployment with the Microsoft NPS as the RADIUS server.

Network Diagram

In this example, the Microsoft Windows Version 2008 server performs these roles:

• Domain controller for the wireless.com domain
• Domain Name System (DNS) server
• Certificate Authority (CA) server
• NPS in order to authenticate the wireless users
• Active Directory (AD) in order to maintain the user database

The server connects to the wired network through a Layer 2 (L2) switch, as shown. The WLC and the registered LAP also connect to the network through the L2 switch.

The wireless clients use Wi-Fi Protected Access 2 (WPA2) - PEAP-MS-CHAP v2 authentication in order to connect to the wireless network.

Configurations

The configuration that is described in this section is completed in two steps:

1. Configure the 5760/3850 Series WLC with the CLI or GUI.
   
   
2. Configure the Microsoft Windows Version 2008 server for NPS, Domain Controller, and User Accounts on the AD.

Configure Converged Access WLCs with the CLI

Complete these steps in order to configure the WLAN for the required client VLAN and map it to the Authentication Method List with the CLI:

Note: Ensure that dot1x system auth control is enabled on the WLC, or the dot1X does not work.

1. Enable the AAA new model feature.
   
   
2. Configure the RADIUS server.
   
   
3. Add the server into the Server Group.
   
   
4. Map the Server Group to the Method List.
   
   
5. Map the Method List to the WLAN.

aaa new-model
  !
  !
  aaa group server radius Microsoft_NPS
   server name Microsoft_NPS
  !
aaa authentication dot1x Microsoft_NPS group Microsoft_NPS

aaa authorization network Microsoft_NPS group Microsoft_NPS
  radius server Microsoft_NPS
   address ipv4 10.104.208.96 auth-port 1645 acct-port 1646
   timeout 10
   retransmit 10
 key Cisco123

wlan Microsoft_NPS 8 Microsoft_NPS
   client vlan VLAN0020
   no exclusionlist
   security dot1x authentication-list Microsoft_NPS
   session-timeout 1800
 no shutdown

Configure Converged Access WLCs with the GUI

Complete these steps in order to configure the Converged Access WLCs with the GUI:

1. Enable the dot1x system-auth-control:
   
   
   
   
2. Navigate to Configuration > Security > AAA in order to add the RADIUS server:
   
   
   
   
3. Navigate to RADIUS > Servers, click NEW, and update the IP address of the RADIUS server along with the shared secret. The shared secret should match the shared secret that is configured on the RADIUS server as well.
   
   
   
   After you configure the RADIUS server, the Server tab should appear similar to this:
   
   
   
   
4. Configure a Server Group and select Radius for the Group Type. Then, add the RADIUS server that you created in the previous step:
   
   
   
   The Server Group should appear similar to this after the configuration:
   
   
   
   
5. Select dot1x for the Authentication Method List Type and Group for the Group Type. Then, map the Server Group that you configured in the previous step:
   
   
   
   The Authentication Method List should appear similar to this after the configuration:
   
   
   
   
6. Select Network for the Authorization Method List Type and Group for the Group Type. Then, map the Server Group that you configured in the previous step:
   
   
   
   The Authorization Method List should appear similar to this after the configuration:
   
   
   
   
7. Navigate to Configure > Wireless and click the WLAN tab. Configure a new WLAN to which users can connect and become authenticated through the Microsoft NPS server with EAP authentication:
   
   
   
   The Security L2 tab should appear similar to this after the configuration:
   
   
   
   
8. Map the Method List that you configured in the previous steps. This helps authenticate the client to the correct server.
   
   

Configuration on the Microsoft Windows Version 2008 Server

This section describes a complete configuration of the Microsoft Windows Version 2008 server. The configuration is completed in six steps:

1. Configure the server as a domain controller.
   
   
2. Install and configure the server as a CA server.
   
   
3. Install the NPS.
   
   
4. Install a certificate.
   
   
5. Configure the NPS for PEAP authentication.
   
   
6. Add users to the AD.

Configure the Microsoft Windows 2008 Server as a Domain Controller

Complete these steps in order to configure the Microsoft Windows Version 2008 server as a domain controller:

1. Navigate to Start > Server Manager > Roles > Add Roles.
   
   
   
   
   
   
2. Click Next.
   
   
   
   
3. Check the Active Directory Domain Services check box and click Next.
   
   
   
   
4. Review the Introduction to Active Directory Domain Services and click Next.
   
   
   
   
5. Click Install in order to begin the installation process.
   
   
   
   The installation proceeds and completes.
   
   
6. Click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe) in order to continue the installation and configuration of the AD.
   
   
   
   
7. Click Next in order to run the Active Directory Domain Services Installation Wizard.
   
   
   
   
8. Review the information about Operating System Compatibility and click Next.
   
   
   
   
9. Click the Create a new domain in a new forest radio button and click Next in order to create a new domain.
   
   
   
   
10. Enter the full DNS name for the new domain (wireless.com in this example) and click Next.
    
    
    
    
11. Select the Forest functional level for your domain and click Next.
    
    
    
    
12. Select the Domain functional level for your domain and click Next.
    
    
    
    
13. Check the DNS server check box and click Next.
    
    
    
    
14. Click Yes when the Active Directory Domain Services Installation Wizard pop-up window appears in order to create a new zone in the DNS for the domain.
    
    
    
    
15. Select the folders that you want the AD to use for files and click Next.
    
    
    
    
16. Enter the Administrator Password and click Next.
    
    
    
    
17. Review your selections and click Next.
    
    
    
    The installation proceeds.
    
    
18. Click Finish in order to close the wizard.
    
    
    
    
19. Restart the server in order for the changes to take effect.
    
    

Install and Configure the Microsoft Windows Version 2008 Server as a CA Server

PEAP with EAP-MS-CHAP v2 validates the RADIUS server based upon the certificate that is present on the server. Additionally, the server certificate must be issued by a public CA that is trusted by the client computer. That is, the public CA certificate already exists in the Trusted Root Certification Authority folder on the client computer certificate store. 

Complete these steps in order to configure the Microsoft Windows Version 2008 server as a CA server that issues the certificate to the NPS:

1. Navigate to Start > Server Manager > Roles > Add Roles.
   
   
   
   
   
   
2. Click Next.
   
   
   
   
3. Check the Active Directory Certificate Services check box and click Next.
   
   
   
   
4. Review the Introduction to Active Directory Certificate Services and click Next.
   
   
   
   
5. Check the Certificate Authority check box and click Next.
   
   
   
   
6. Click the Enterprise radio button and click Next.
   
   
   
   
7. Click the Root CA radio button and click Next.
   
   
   
   
8. Click the Create a new private key radio buttonand click Next.
   
   
   
   
9. Click Next in the Configuring Cryptography for CA window.
   
   
   
   
10. Click Next in order to accept the Common name for this CA default name.
    
    
    
    
11. Select the length of time for which the CA certificate is valid and click Next.
    
    
    
    
12. Click Next in order to accept the Certificate database location default location.
    
    
    
    
13. Review the configuration and click Install in order to begin the Active Directory Certificate Services.
    
    
    
    
14. After the installation is completed, click Close.

Install the NPS on the Microsoft Windows Version 2008 Server

Note: With the setup that is described in this section, the NPS is used as a RADIUS server in order to authenticate the wireless clients with PEAP authentication. 

Complete these steps in order to install and configure the NPS on the Microsoft Windows Version 2008 server:

1. Navigate to Start > Server Manager > Roles > Add Roles.
   
   
   
   
   
   
2. Click Next.
   
   
   
   
3. Check the Network Policy and Access Services check box and click Next.
   
   
   
   
4. Review the Introduction to Network Policy and Access Services and click Next.
   
   
   
   
5. Check the Network Policy Server check boxand click Next.
   
   
   
   
6. Review the confirmation and click Install.
   
   
   
   After the installation is complete, a screen similar to this should appear:
   
   
   
   
7. Click Close.

Install a Certificate

Complete these steps in order to install the computer certificate for the NPS:

1. Click Start, enter the Microsoft Management Console (MMC), and press Enter.
   
   
2. Navigate to File > Add/Remove Snap-in.
   
   
3. Choose Certificates and click Add.
   
   
   
   
4. Click the Computer account radio button and click Next.
   
   
   
   
5. Click the Local Computer radio buttonand click Finish.
   
   
   
   
6. Click OK in order to return to the MMC.
   
   
   
   
7. Expand the Certificates (Local Computer) and Personal folders, and click Certificates.
   
   
   
   
8. Right-click the white space in the CA certificate, and choose All Tasks > Request New Certificate.
   
   
   
   
9. Click Next.
   
   
   
   
10. Click the Domain Controller check box, and click Enroll.
    
    

    Note: If the client authentication fails due to an EAP certificate error, then ensure that all of the check boxes are checked on this Certificate Enrollment page before you click Enroll. This creates approximately three certificates.

    
    
    
    
11. Click Finish once the certificate is installed.
    
    
    
    The NPS certificate is now installed.
    
    
12. Ensure that Client Authentication, Server Authentication appears in the Intended Purposes column for the certificate.
    
    

Configure the Network Policy Server Service for PEAP-MS-CHAP v2 Authentication

Complete these steps in order to configure the NPS for authentication:

1. Navigate to Start > Administrative Tools > Network Policy Server.
   
   
2. Right-click NPS (Local)and choose Register server in Active Directory.
   
   
   
   
3. Click OK.
   
   
   
   
4. Click OK.
   
   
   
   
5. Add the WLC as an Authentication, Authorization, and Accounting (AAA) client on the NPS.
   
   
6. Expand RADIUS Clients and Servers. Right-click RADIUS Clients and choose New RADIUS Client:
   
   
   
   
7. Enter a name (WLC in this example), the management IP address of the WLC (10.105.135.178 in this example), and a shared secret.
   
   

   Note: The same shared secret is used in order to configure the WLC.

   
   
   
   
8. Click OK in order to return to the previous screen.
   
   
   
   
9. Create a new Network Policy for the wireless users. Expand Policies, right-click Network Policies,and choose New:
   
   
   
   
10. Enter a policy name for this rule (PEAP in this example) and click Next.
    
    
    
    
11. In order to configure this policy to allow only wireless domain users, add these three conditions and click Next:
    
    

    Condition	Value
    Windows Groups	WIRELESS\Domain Users
    NAS Port Type	Wireless - IEEE 802.11
    Authentication Type	EAP

    
    
    
    
12. Click the Access granted radio button in order to grant connection attempts that match this policy and click Next.
    
    
    
    
13. Disable all of the Less secure authentication methods:
    
    
    
    
14. Click Add, select the Microsoft: Protected EAP (PEAP)EAP Type, and click OK in order to enable PEAP.
    
    
    
    
15. Select Microsoft: Protected EAP (PEAP) and click Edit. Ensure that the previously-created domain controller certificate is selected in the Certificate issued drop-down list and click Ok.
    
    
    
    
16. Click Next.
    
    
    
    
17. Click Next.
    
    
    
    
18. Click Next.
    
    
    
    
19. Click Finish.
    
    
    
    

    Note: Dependent upon your needs, you might need to configure Connection Request Policies on the NPS in order to allow the PEAP profile or the policy.

Add Users to the Active Directory

Note: In this example, the user database is maintained on the AD. 

Complete these steps in order to add users to the AD database:

1. Navigate to Start > Administrative Tools > Active Directory Users and Computers.
   
   
2. In the Active Directory Users and Computers console tree, expand the domain, right-click Users and New, and choose User.
   
   
3. In the New Object - User dialog box, enter the name of the wireless user. This example uses Client1 in the First Name field and Client1 in the User logon name field. Click Next.
   
   
   
   
4. In the New Object - User dialog box, enter a password of your choice in the Password and Confirm password fields. Uncheck the User must change password at next logon check box and click Next.
   
   
   
   
5. In the New Object - User dialog box, click Finish.
   
   
   
   
6. Repeat Steps 2 through 4 in order to create additional user accounts.

Verify

Complete these steps in order to verify your configuration:

1. Search for the Service Set Identification (SSID) on the client machine.
   
   
   
   
2. Ensure that the client is connected successfully:
   
   

Troubleshoot

Note: Cisco recommends that you use traces in order to troubleshoot wireless issues. Traces are saved in the circular buffer and are not processor intensive.

Enable these traces in order to obtain the L2 auth logs:

• set trace group-wireless-secure level debug
• set trace group-wireless-secure filter mac 0017.7C2F.B69A

Enable these traces in order to obtain the dot1X AAA events:

• set trace wcm-dot1x aaa level debug
• set trace wcm-dot1x aaa filter mac 0017.7C2F.B69A

Enable these traces in order to receive the DHCP events:

• set trace dhcp events level debug
• set trace dhcp events filter mac 0017.7C2F.B69A

Enable these traces in order to disable the traces and clear the buffer:

• set trace control sys-filtered-traces clear
• set trace wcm-dot1x aaa level default
• set trace wcm-dot1x aaa filter none
• set trace group-wireless-secure level default
• set trace group-wireless-secure filter none

Enter the show trace sys-filtered-traces command in order to view the traces:

[04/23/14 21:27:51.963 IST 1 8151] 0017.7c2f.b69a Adding mobile on LWAPP AP
 1caa.076f.9e10 (0) 
[04/23/14 21:27:51.963 IST 2 8151] 0017.7c2f.b69a Local Policy:  Created MSCB
 Just AccessVLAN = 0 and SessionTimeout  is 0 and apfMsTimeout is 0 

[04/23/14 21:27:51.963 IST 8 8151] 0017.7c2f.b69a Local Policy:Setting local
 bridging VLAN  name VLAN0020 and VLAN ID  20

[04/23/14 21:27:51.963 IST 9 8151] 0017.7c2f.b69a Applying WLAN ACL policies
 to client
[04/23/14 21:27:51.963 IST a 8151] 0017.7c2f.b69a No Interface ACL used for
 Wireless client in WCM(NGWC)
[04/23/14 21:27:51.963 IST b 8151] 0017.7c2f.b69a Applying site-specific IPv6
 override for station  0017.7c2f.b69a  - vapId 8, site 'test',
 interface 'VLAN0020'
[04/23/14 21:27:51.963 IST c 8151] 0017.7c2f.b69a Applying local bridging
 Interface Policy for station  0017.7c2f.b69a  - vlan 20,
 interface 'VLAN0020'
[04/23/14 21:27:51.963 IST d 8151] 0017.7c2f.b69a
 **** Inside applyLocalProfilingPolicyAction **** 

04/23/14 21:27:51.963 IST f 8151] 0017.7c2f.b69a     Local Profiling Values :
 isValidVlan = 0, vlan = 0, isVlanRecdInDelete = 0, isValidSessionTimeout = 0,
 sessionTimeout=0, isSessionTORecdInDelete = 0  ProtocolMap = 0 ,
 applyPolicyAtRun= 0 
[04/23/14 21:27:51.963 IST 10 8151] 0017.7c2f.b69a          ipv4ACL = [],
 ipv6ACL = [], inQoS = [unknown], outQoS = [unknown]
[04/23/14 21:27:51.963 IST 11 8151] 0017.7c2f.b69a STA - rates (4):
 130 132 139 150 0 0 0 0 0 0 0 0 0 0 0 0
[04/23/14 21:27:51.963 IST 12 8151] 0017.7c2f.b69a STA - rates (12):
 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
[04/23/14 21:27:51.963 IST 13 8151] 0017.7c2f.b69a Processing RSN IE type 48,
 length 20 for mobile  0017.7c2f.b69a 
[04/23/14 21:27:51.963 IST 14 8151] 0017.7c2f.b69a Received RSN IE with 0 
 PMKIDsfrom mobile  0017.7c2f.b69a 


[04/23/14 21:27:51.964 IST 1b 8151] 0017.7c2f.b69a Change state to AUTHCHECK
 (2) last state START (0)

[04/23/14 21:27:51.964 IST 1c 8151] 0017.7c2f.b69a Change state to 8021X_REQD
 (3) last state AUTHCHECK (2)


[04/23/14 21:27:51.964 IST 25 8151] 0017.7c2f.b69a apfProcessAssocReq
 (apf_80211.c:6272) Changing state for mobile  0017.7c2f.b69a  on AP
 1caa.076f.9e10  from Associated to Associated

[04/23/14 21:27:51.971 IST 26 8151] 0017.7c2f.b69a 1XA: Initiating
 authentication
[04/23/14 21:27:51.971 IST 27 8151] 0017.7c2f.b69a 1XA: Setting reauth
 timeout to 1800 seconds
[04/23/14 21:27:51.971 IST 28 8151] 0017.7c2f.b69a 1XK: Set Link Secure: 0

[04/23/14 21:27:51.971 IST 29 8151] 0017.7c2f.b69a 1XA: Allocated uid 40
[04/23/14 21:27:51.971 IST 2a 8151] 0017.7c2f.b69a 1XA: Calling Auth Mgr
 to authenticate client 4975000000003e uid 40
[04/23/14 21:27:51.971 IST 2b 8151] 0017.7c2f.b69a 1XA: Session Start from
 wireless client 

[04/23/14 21:27:51.971 IST 2c 8151] 0017.7c2f.b69a Session Manager Call Client
 4975000000003e, uid 40, capwap id 7ae8c000000013,Flag 0, Audit-Session ID
 0a6987b25357e2ff00000028, method list Microsoft_NPS, policy name (null) 

[04/23/14 21:27:51.971 IST 2d 22] ACCESS-CORE-SM-CLIENT-SPI-NOTF:
 [0017.7c2f.b69a, Ca3] Session start request from Client[1] for 0017.7c2f.b69a
 (method: Dot1X, method list: Microsoft_NPS, aaa id: 0x00000028),  policy 
[04/23/14 21:27:51.971 IST 2e 22] ACCESS-CORE-SM-CLIENT-SPI-NOTF:
 [0017.7c2f.b69a, Ca3]  - client iif_id: 4975000000003E, session ID:
 0a6987b25357e2ff00000028 for 0017.7c2f.b69a


[04/23/14 21:27:51.972 IST 43 284] ACCESS-METHOD-DOT1X-DEB:
 [0017.7c2f.b69a, Ca3] Posting !EAP_RESTART on Client 0x22000025
[04/23/14 21:27:51.972 IST 44 284] ACCESS-METHOD-DOT1X-DEB:
 [0017.7c2f.b69a, Ca3] 0x22000025:enter connecting state
[04/23/14 21:27:51.972 IST 45 284] ACCESS-METHOD-DOT1X-DEB:
 [0017.7c2f.b69a, Ca3] 0x22000025: restart connecting
[04/23/14 21:27:51.972 IST 46 284] ACCESS-METHOD-DOT1X-DEB:
 [0017.7c2f.b69a, Ca3] Posting RX_REQ on Client 0x22000025
[04/23/14 21:27:51.972 IST 47 284] ACCESS-METHOD-DOT1X-DEB:
 [0017.7c2f.b69a, Ca3] 0x22000025: authenticating state entered
[04/23/14 21:27:51.972 IST 48 284] ACCESS-METHOD-DOT1X-DEB:
 [0017.7c2f.b69a, Ca3] 0x22000025:connecting authenticating action
[04/23/14 21:27:51.972 IST 49 291] ACCESS-METHOD-DOT1X-DEB:
 [0017.7c2f.b69a, Ca3] Posting AUTH_START for 0x22000025
[04/23/14 21:27:51.972 IST 4a 291] ACCESS-METHOD-DOT1X-DEB:
 [0017.7c2f.b69a, Ca3] 0x22000025:entering request state
[04/23/14 21:27:51.972 IST 4b 291] ACCESS-METHOD-DOT1X-NOTF:
 [0017.7c2f.b69a, Ca3] Sending EAPOL packet
[04/23/14 21:27:51.972 IST 4c 291] ACCESS-METHOD-DOT1X-INFO:
 [0017.7c2f.b69a, Ca3] Platform changed src mac  of EAPOL packet
[04/23/14 21:27:51.972 IST 4d 291] ACCESS-METHOD-DOT1X-NOTF:
 [0017.7c2f.b69a, Ca3] Sending out EAPOL packet
[04/23/14 21:27:51.972 IST 4e 291] ACCESS-METHOD-DOT1X-INFO:
 [0017.7c2f.b69a, Ca3] EAPOL packet sent to client 0x22000025


[04/23/14 21:27:52.112 IST 7d 211] Parsed CLID MAC Address = 0:23:124:47:182:154
[04/23/14 21:27:52.112 IST 7e 211] AAA SRV(00000000): process authen req
[04/23/14 21:27:52.112 IST 7f 211] AAA SRV(00000000): Authen method=SERVER_GROUP
 Microsoft_NPS
[04/23/14 21:27:52.112 IST 80 211] AAA SRV(00000000): Selecting SG = DIAMETER
[04/23/14 21:27:52.113 IST 81 186] ACCESS-METHOD-DOT1X-INFO:
 [0017.7c2f.b69a, Ca3] Queuing an EAPOL pkt on Authenticator Q
[04/23/14 21:27:52.113 IST 82 291] ACCESS-METHOD-DOT1X-DEB:
 [0017.7c2f.b69a, Ca3] Posting EAPOL_EAP for 0x22000025
[04/23/14 21:27:52.278 IST 83 220] AAA SRV(00000000): protocol reply
 GET_CHALLENGE_RESPONSE for Authentication
[04/23/14 21:27:52.278 IST 84 220] AAA SRV(00000000): Return Authentication
 status=GET_CHALLENGE_RESPONSE
[04/23/14 21:27:52.278 IST 85 291] ACCESS-METHOD-DOT1X-DEB:[0017.7c2f.b69a,Ca3]
 Posting EAP_REQ for 0x22000025

Here is the rest of the EAP output:

[04/23/14 21:27:54.690 IST 12b 211] AAA SRV(00000000): process authen req
[04/23/14 21:27:54.690 IST 12c 211] AAA SRV(00000000): Authen
 method=SERVER_GROUP Microsoft_NPS
[04/23/14 21:27:54.690 IST 12d 211] AAA SRV(00000000): Selecting SG =
 DIAMETER
[04/23/14 21:27:54.694 IST 12e 220] AAA SRV(00000000): protocol reply PASS
 for Authentication
[04/23/14 21:27:54.694 IST 12f 220] AAA SRV(00000000): Return Authentication
 status=PASS
[04/23/14 21:27:54.694 IST 130 189] ACCESS-METHOD-DOT1X-INFO:
 [0017.7c2f.b69a, Ca3] Received an EAP Success


[04/23/14 21:27:54.695 IST 186 8151] 0017.7c2f.b69a Starting key exchange with
 mobile - data forwarding is disabled
[04/23/14 21:27:54.695 IST 187 8151] 0017.7c2f.b69a 1XA: Sending EAPOL message
 to mobile, WLAN=8 AP WLAN=8
[04/23/14 21:27:54.706 IST 188 8151] 0017.7c2f.b69a 1XA: Received 802.11 EAPOL
 message (len 121) from mobile
[04/23/14 21:27:54.706 IST 189 8151] 0017.7c2f.b69a 1XA: Received EAPOL-Key
 from mobile
[04/23/14 21:27:54.706 IST 18a 8151] 0017.7c2f.b69a 1XK: Received EAPOL-key in
 PTK_START state (msg 2) from mobile
[04/23/14 21:27:54.706 IST 18b 8151] 0017.7c2f.b69a 1XK: Stopping retransmission
 timer
[04/23/14 21:27:54.706 IST 18c 8151] 0017.7c2f.b69a 1XA: Sending EAPOL message
 to mobile, WLAN=8 AP WLAN=8
[04/23/14 21:27:54.717 IST 18d 8151] 0017.7c2f.b69a 1XA: Received 802.11 EAPOL
 message (len 99) from mobile
[04/23/14 21:27:54.717 IST 18e 8151] 0017.7c2f.b69a 1XA: Received EAPOL-Key
 from mobile
[04/23/14 21:27:54.717 IST 18f 8151] 0017.7c2f.b69a 1XK: Received EAPOL-key in
 PTKINITNEGOTIATING state (msg 4) from mobile
[04/23/14 21:27:54.717 IST 190 8151] 0017.7c2f.b69a 1XK: Set Link Secure: 1

[04/23/14 21:27:54.717 IST 191 8151] 0017.7c2f.b69a 1XK: Key exchange complete
 - updating PEM
[04/23/14 21:27:54.717 IST 192 8151] 0017.7c2f.b69a apfMs1xStateInc
[04/23/14 21:27:54.717 IST 193 8151] 0017.7c2f.b69a Change state to
 L2AUTHCOMPLETE (4) last state 8021X_REQD (3)


[04/23/14 21:27:58.277 IST 1df 269] DHCPD: Sending notification of DISCOVER:
[04/23/14 21:27:58.277 IST 1e0 269] DHCPD: Sending notification of DISCOVER:
[04/23/14 21:28:05.279 IST 1e1 269] DHCPD: Adding binding to hash tree
[04/23/14 21:28:05.279 IST 1e2 269] DHCPD: DHCPOFFER notify setup address
20.20.20.5 mask 255.255.255.0


[04/23/14 21:28:05.306 IST 1f4 8151] 0017.7c2f.b69a Change state to RUN (20)
 last state DHCP_REQD (7)