Controllerless Networks


802.1x and NPS2012

  • 1.  802.1x and NPS2012

    Posted Aug 05, 2014 02:49 PM

    Attempting to enable PEAP authentication using NPS 2012.

    Users are able to access networks successfully when using the Aruba-provided certificate with termination enabled.

    However, when attempting to switch the certificate over to a 3rd-party (DigiCert) certificate on the NPS server, we are unable to authenticate.

    Any suggestions?

    We are running IAP 225s with 6.3.1.4

    Successful Attempt, Termination Enabled

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 8/5/2014 1:53:36 PM
    Event ID: 6272
    Task Category: Network Policy Server
    Level: Information
    Keywords: Audit Success
    User: N/A
    Computer: server1.ewg.lan
    Description:
    Network Policy Server granted access to a user.

    User:
    Security ID: Domain\Test
    Account Name: test
    Account Domain: Domain
    Fully Qualified Account Name: Domain\test

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 18:64:72:C7:A2:14
    Calling Station Identifier: 0C:60:76:24:98:4B

    NAS:
    NAS IPv4 Address: 192.168.70.25
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 0

    RADIUS Client:
    Client Friendly Name: MT 70 VC
    Client IP Address: 192.168.70.25

    Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections - 802.1x
    Network Policy Name: Secure Wireless Connections - WiFiStudent - Secure
    Authentication Provider: Windows
    Authentication Server: server1.domain.lan
    Authentication Type: MS-CHAPv2
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.

    Quarantine Information:
    Result: Full Access
    Session Identifier: -

     

    Failed Attempt, Termination Disabled

    Audit Failure  8/5/2014 2:02:50 PM  Microsoft Windows security auditing.  6273  Network Policy Server

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 8/5/2014 2:02:50 PM
    Event ID: 6273
    Task Category: Network Policy Server
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: Server1.domain.lan
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: Domain\Test
    Account Name: test
    Fully Qualified Account Name: Domain\test

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 18:64:72:C7:A2:40
    Calling Station Identifier: 0C:60:76:24:98:4B

    NAS:
    NAS IPv4 Address: 192.168.70.25
    NAS IPv6 Address: -
    NAS Identifier: 192.168.70.36
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 0

    RADIUS Client:
    Client Friendly Name: MT 70 VC
    Client IP Address: 192.168.70.25

    Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections - 802.1x
    Network Policy Name: Secure Wireless Connections - WiFiStudent - Secure
    Authentication Provider: Windows
    Authentication Server: Server1.domain.lan
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 22
    Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.



  • 2.  RE: 802.1x and NPS2012

    EMPLOYEE
    Posted Aug 05, 2014 03:47 PM

    Are the clients' wireless settings configured using Group Policy?



  • 3.  RE: 802.1x and NPS2012

    Posted Aug 05, 2014 03:50 PM

    They are not.

    With termination enabled - clients are prompted for the certificate if they do not already have it.

    After disabling termination we have tried manually providing access to the new certificate.

     

    No luck.



  • 4.  RE: 802.1x and NPS2012

    EMPLOYEE
    Posted Aug 05, 2014 03:52 PM

    Is the EAP type specified under the wireless settings on the client?   (PEAP/EAP-MSCHAPv2)

     

    peap-win8.JPG

     

    eap-mschapv2.JPG



  • 5.  RE: 802.1x and NPS2012

    Posted Aug 05, 2014 04:40 PM

    Making progress on OS X 10.9.

    Manually setting this now prompts to install the certificate from the NPS server.

    Selecting "Show Certificate" shows the root certificate is not trusted: "This root certificate is not trusted".

     

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 8/5/2014 4:28:33 PM
    Event ID: 6273
    Task Category: Network Policy Server
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: Server1.ewg.lan
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: Domain\test2
    Account Name: test2
    Account Domain: Domain
    Fully Qualified Account Name: Domain\TEST2

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 18:64:72:C7:A2:14
    Calling Station Identifier: 64:76:BA:AC:74:92

    NAS:
    NAS IPv4 Address: 192.168.70.25
    NAS IPv6 Address: -
    NAS Identifier: 192.168.70.32
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 0

    RADIUS Client:
    Client Friendly Name: MT 70 VC
    Client IP Address: 192.168.70.25

    Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections - 802.1x
    Network Policy Name: Secure Wireless Connections - WiFiStaff - Secure
    Authentication Provider: Windows
    Authentication Server: Server1.ewg.lan
    Authentication Type: PEAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 23
    Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

     



  • 6.  RE: 802.1x and NPS2012

    Posted Aug 05, 2014 04:47 PM

    We are now also getting this event generated as well.

     

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 8/5/2014 4:35:11 PM
    Event ID: 5061
    Task Category: System Integrity
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: Server1.ewg.lan
    Description:
    Cryptographic operation.

    Subject:
    Security ID: SYSTEM
    Account Name: Server1$
    Account Domain: Domain
    Logon ID: 0x3E7

    Cryptographic Parameters:
    Provider Name: Microsoft Software Key Storage Provider
    Algorithm Name: RSA
    Key Name: domain-SERVER-CA-1
    Key Type: Machine key.

    Cryptographic Operation:
    Operation: Decrypt.
    Return Code: 0x80090010



  • 7.  RE: 802.1x and NPS2012

    Posted Aug 05, 2014 10:46 PM

    Here is a tutorial that shows you how to configure Instant + Windows 2012 Server.

    The extra thing you will find in this tutorial is that it uses derived roles.

     

    http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/tutorial-802-1X-with-Server-Derived-user-role-Instant-Windows/m-p/146084

     

    Here is the tutorial which shows you how to configure the client:

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Correctly-configure-EAP-PEAP-Windows-client/td-p/43398

     

    Here is a video as well:

    https://www.youtube.com/watch?v=-SmeubOR9aE

     

    Cheers

    Carlos 



  • 8.  RE: 802.1x and NPS2012

    EMPLOYEE
    Posted Aug 05, 2014 10:47 PM

    Are the root and intermediate certs installed on the NPS server?



  • 9.  RE: 802.1x and NPS2012

    Posted Aug 05, 2014 10:58 PM

    If he is using a 3rd-party certificate, he just should install that certificate on the NPS server and put it in the personal certificate store.

    If it is not there, it will not work.

    Also, what kind of certificate do you have?

    Did you install it correctly under the personal certificate store?

     

    Cheers

    Carlos



  • 10.  RE: 802.1x and NPS2012

    Posted Aug 06, 2014 08:38 AM

    We are using a DigiCert certificate.

    I am also attempting with an ADCS-generated cert and receiving the same security log events.

    Both are located under personal certificates.

     

    ***EDIT***

    Will I need to import both the certificate and the root certificate on the client, or only the certificate?

    Where should the root and cert be placed on the NPS server?

     



  • 11.  RE: 802.1x and NPS2012

    EMPLOYEE
    Posted Aug 06, 2014 09:01 AM
    The client only needs the Root CA (which it likely already has).

    The server should have the Root CA already as well.

    You'll want to import the intermediate cert into the intermediate store and the cert itself into the personal store.

    Make sure the certificates snap in is set to Computer and not User.


  • 12.  RE: 802.1x and NPS2012

    Posted Aug 06, 2014 09:33 AM

    Are you also trying a certificate requested from your CA?

    If so, be sure you are using the correct template to generate it, like the Computer template.

     

    Cheers

    Carlos

     



  • 13.  RE: 802.1x and NPS2012

    Posted Aug 06, 2014 10:30 AM

    In the NPS server's Certificates snap-in console:

    I am seeing the server cert listed in the personal certificates store.

    The intermediate certificates store has both the Secure Server CA and the Global Root listed.

     

    Please see attached screenshots.

     

    Would I need to link these inside the server cert being provided to the clients in order to allow them access?



  • 14.  RE: 802.1x and NPS2012

    Posted Mar 23, 2016 01:29 PM

    Did you ever get a fix for this?



  • 15.  RE: 802.1x and NPS2012

    Posted Mar 23, 2016 01:51 PM

    No... left termination enabled and the Aruba cert.



  • 16.  RE: 802.1x and NPS2012

    Posted Mar 23, 2016 06:51 PM

    I was having the same issue and it ended up being related to the public certificate not having the private key loaded on the NPS servers.  As soon as the certificate was properly exported with the private key and imported on the NPS servers authentication started working as expected.  You can tell if the certificate has its corresponding private key by looking at it in the MMC and seeing if it has a little key symbol in the upper left hand corner of the icon.
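As an added example (not from the thread, Aruba or Microsoft), a PowerShell check to run on the NPS server that reports the conditions posts 11 and 16 come down to: the certificate is in the computer (not user) Personal store, has its private key (the key icon in the MMC), carries the Server Authentication EKU, and chains through the installed intermediates. `$Subject` is a placeholder for your server's certificate subject; replace it before running.

```powershell
# Added example: sanity-check the NPS server certificate for PEAP.
# Run in an elevated PowerShell on the NPS server.
$Subject       = 'nps.example.lan'     # assumed placeholder, not a name from the thread
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, required by PEAP clients

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$Subject*" }

if (-not $certs) {
    # Post 11: the snap-in must be opened for Computer, not User. A copy in the
    # user store is invisible to the NPS service, which runs as SYSTEM.
    $userCopy = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "*CN=$Subject*" }
    if ($userCopy) { Write-Warning "Certificate found only in CurrentUser\My; import it into LocalMachine\My." }
    else           { Write-Warning "No certificate for $Subject in LocalMachine\My." }
    return
}

foreach ($cert in $certs) {
    # Pull the EKU extension the .NET way so this works without the PKI module's type adapters.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($ekuExt) {
        $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
    }

    # Build the chain as Schannel would: intermediates must resolve from the
    # LocalMachine Intermediate store and the root from Trusted Root (post 11).
    # Revocation is skipped here so CRL reachability does not mask a store problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainBuilds = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        # Post 16: a certificate imported without its private key shows no key icon
        # and cannot complete the TLS handshake that PEAP runs inside.
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEKU = $hasServerAuth
        ChainBuilds   = $chainBuilds
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        ChainPath     = (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
    }
}
```

A row with `HasPrivateKey = False` matches the fix described in post 16 (re-export as PFX with the private key and re-import into the computer Personal store); `ChainBuilds = False` with a `PartialChain` status points at a missing intermediate or root, as in post 11.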