Security

Occasional Contributor II
Posts: 18
Registered: ‎08-28-2014

Reason code 265 and I'm not using certificates

Hi

We are deploying an Instant solution on several schools and the teachers' SSID has 802.1X authentication to a remote RADIUS server.

We've been testing using a domain user and non-domain computers. Some of the tests work but most of them don't, and checking the RADIUS server logs I found that the reason for refusing the authentication is error code 265, which is "The certificate that the user or client computer provided to NPS as proof of identity chains to an enterprise root certification authority that is not trusted by the NPS server". Nonetheless, when we do tests with an Android phone it works every time.

We are not using certificates on the server and the clients are configured not to validate them. I'm sure it's not a configuration problem in the RADIUS server because I do a similar test in the management center (where the server is) with my non-domain PC (and APs from another brand) and it works every time.

What can I do to diagnose the cause of this problem, since we are not using certificates? I upload the reject event to see if there's anything else there I haven't seen.

Thanks.

Occasional Contributor II
Posts: 18
Registered: ‎08-28-2014

Re: Reason code 265 and I'm not using certificates

Does anybody have any idea about what could be happening?

Thanks for your help.

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: Reason code 265 and I'm not using certificates

Which RADIUS server are you using?

Are you using Windows clients? How have you set up their dot1x credentials? You might, without wanting to, have them set up to send a certificate instead of a username. Are they set to EAP (PEAP) and not smartcard or other certificate?

Occasional Contributor II
Posts: 18
Registered: ‎08-28-2014

Re: Reason code 265 and I'm not using certificates

Hi

Thanks for your reply. Yes, I'm using Windows clients and as far as I can see they're properly set up with the same parameters as my laptop (which is authenticating without problems).

I attach an image of those parameters; sorry, it's in Spanish, but you can see I haven't set up credentials.

Thanks for your help.

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Reason code 265 and I'm not using certificates

If you go to "Configure" next to Microsoft: Protected EAP, is it set to MS-CHAPv2?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 18
Registered: ‎08-28-2014

Re: Reason code 265 and I'm not using certificates

[ Edited ]

Hi cappalli

Yes, it's set to MS-CHAPv2, as you can see here:

chap.png

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: Reason code 265 and I'm not using certificates

[ Edited ]

OK, so your laptop with these settings is working fine, but the domain computers aren't?

I would really have a good look at the settings then. Is it possible they use different settings in practice or ...?

And compare the NPS logs: do your successful attempt and their failed attempt hit the same services?

Occasional Contributor II
Posts: 18
Registered: ‎08-28-2014

Re: Reason code 265 and I'm not using certificates

The computers used in the tests aren't in the domain either... but I can't understand why my laptop works every time and the others just sometimes (the configuration is exactly the same).

I checked the logs and the difference between a successful attempt and a failed one are these lines in the access-request event:

<EAP-Friendly-Name data_type="1">Microsoft: Secured password (EAP-MSCHAP v2)</EAP-Friendly-Name>
<MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>

Also I have noticed that the authentication-type in the events is sometimes 11 (PEAP), sometimes 5 (EAP) and sometimes 4 (MSCHAP v2), but I haven't seen a link between this and the failures because I've seen successful attempts with both 11 and 4. I believe the appearance of type 4 is because I had a network policy like the one in the attached picture. To test if this affected something I removed MSCHAP v2 from the EAP method, but the problem is still there.

Thanks for your help
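Added example (not from the thread or any of its posters): a small Python script that parses NPS "DTS compliant" XML log events like the lines quoted above, tabulates Access-Reject events by authentication type and reason code, and lists users rejected with code 265 even though their access-request advertised password-based EAP-MSCHAPv2 (the contradiction this thread is about). The sample events, user names and values are constructed; the element names follow the NPS XML log format and the type codes are the ones discussed in the thread.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the NPS "DTS compliant" XML log format (one <Event> per line).
# Element names are those of that format; users and values are made up for illustration.
SAMPLE_LOG = """\
<Event><User-Name data_type="1">teacher1</User-Name><Packet-Type data_type="0">1</Packet-Type><Authentication-Type data_type="0">11</Authentication-Type><EAP-Friendly-Name data_type="1">Microsoft: Secured password (EAP-MSCHAP v2)</EAP-Friendly-Name></Event>
<Event><User-Name data_type="1">teacher1</User-Name><Packet-Type data_type="0">2</Packet-Type><Authentication-Type data_type="0">11</Authentication-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><User-Name data_type="1">teacher2</User-Name><Packet-Type data_type="0">1</Packet-Type><Authentication-Type data_type="0">11</Authentication-Type><EAP-Friendly-Name data_type="1">Microsoft: Secured password (EAP-MSCHAP v2)</EAP-Friendly-Name></Event>
<Event><User-Name data_type="1">teacher2</User-Name><Packet-Type data_type="0">3</Packet-Type><Authentication-Type data_type="0">11</Authentication-Type><Reason-Code data_type="0">265</Reason-Code></Event>
<Event><User-Name data_type="1">teacher3</User-Name><Packet-Type data_type="0">2</Packet-Type><Authentication-Type data_type="0">4</Authentication-Type><Reason-Code data_type="0">0</Reason-Code></Event>
"""

AUTH_TYPE = {4: "MS-CHAPv2", 5: "EAP", 11: "PEAP"}  # codes as seen in the thread
ACCESS_REJECT = 3                                   # RADIUS Packet-Type for Access-Reject

def parse_events(text):
    """Parse one <Event> element per line into a dict of element name -> text."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        root = ET.fromstring(line)
        events.append({child.tag: (child.text or "") for child in root})
    return events

def reject_summary(events):
    """Count Access-Reject events by (authentication type name, reason code)."""
    counts = Counter()
    for ev in events:
        if int(ev.get("Packet-Type", 0)) != ACCESS_REJECT:
            continue
        auth = AUTH_TYPE.get(int(ev.get("Authentication-Type", 0)), "unknown")
        counts[(auth, int(ev.get("Reason-Code", 0)))] += 1
    return counts

def users_rejected_265_despite_password_eap(events):
    """Users whose request advertised password-based EAP (no client certificate)
    but who were still rejected with reason 265 (untrusted certificate chain)."""
    password_eap_users = {ev["User-Name"] for ev in events
                          if "MSCHAP" in ev.get("EAP-Friendly-Name", "")}
    return sorted({ev["User-Name"] for ev in events
                   if int(ev.get("Packet-Type", 0)) == ACCESS_REJECT
                   and ev.get("Reason-Code") == "265"
                   and ev["User-Name"] in password_eap_users})

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(reject_summary(evs))
    print(users_rejected_265_despite_password_eap(evs))
```

Point the script at the NPS log file (one event per line) instead of SAMPLE_LOG to see whether the 265 rejects cluster on one authentication type or one set of clients.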

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: Reason code 265 and I'm not using certificates

If the config is really the same and sometimes it works and sometimes not, I'm pretty much out of ideas.

You could do packet captures and try to find an issue from there, but that will be complicated, I'm afraid. It might be worth it just to check if you see something different, perhaps another system involved or ...?

A little Aruba promo: this is the reason I hate NPS and love Aruba ClearPass. With ClearPass the reason why would (most likely) be clear, and with NPS you get into a situation where you are stuck and unable to find a cause.

Occasional Contributor II
Posts: 18
Registered: ‎08-28-2014

Re: Reason code 265 and I'm not using certificates

Thanks for your help.

I'm a bit puzzled by the fact that the authentication type changes between 11 and 4, and both present success events during trials while failures appear just for type 11. (I determined type 5 was present during a test I did, so it's not important.)

What could be the reason for this?
