08-28-2014 09:08 AM
We are deploying an instant solution on several schools and the teacher's SSID has 802.1x authentication to a remote radius server.
We've been testing using a domain user and non-domain computers, some of the tests work but most of them don't and checking the radius server logs i found that the reason to refuse the authentication is error code 265 which is "The certificate that the user or client computer provided to NPS as proof of identity chains to an enterprise root certification authority that is not trusted by the NPS server". Nonetheless when we do tests with an android phone it works everytime.
We are not using certificates on the server and the clients are configured not to validate them. I'm sure is not a configuration problem in the radius server because i do a similar test in the management center (where the server is) with my non-domain pc (and APs from another brand) and works everytime.
What can i do to diagnose the cause of this problem since we are not using certificates? I upload the reject event to se if there's anything else there i haven't seen.
09-01-2014 03:25 AM
which radius server are you using?
are you using windows clients? how have you setup their dot1x credentials. you might without wanting to have them setup to send a certificate instead of a username. are they set to EAP (PEAP) and not smartcard or other certificate?
09-04-2014 06:56 AM
Thanks for your reply, yes I'm using windows clients and as far as i can see they're properly setup with the same parameters as my laptop (which is authenticating without problem).
I attach an image of such parameters, sorry it's in spanish but you can see i haven't setup credentials.
Thanks for your help.
09-04-2014 06:58 AM
If you go to "Configure" next to Microsoft: Protected EAP, is it set to MS-CHAPv2?
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
09-05-2014 01:45 AM - edited 09-05-2014 01:47 AM
ok, so your laptop with these settings is working fine, but the domain computers aren't?
i would really have a good look at the settings then, is it possible they use different settings in practice or ....?
and compare the NPS logs, does your succesful attempt and their failed attempt hit the same services?
09-05-2014 06:37 AM
The computers used in the tests aren't in the domain either...but i can't understand why my laptop works everytime and the others just sometimes (the configuration is exactly the same).
I checked the logs and the difference between a succesful attempt and a failed one are these sentences in the access-request event:
<EAP-Friendly-Name data_type="1">Microsoft: Secured password (EAP-MSCHAP v2)</EAP-Friendly-Name>
Also i have noticed that sometimes the authentication-type in the events sometimes is 11 (PEAP) sometimes 5 (EAP) and sometimes 4 (MSCHAP v2), but i haven't seen a link between this and failures because i've seen successful attemps with both 11 and 4. I believe the appearance of type 4 is because i had a network policy like the one in the attached picture.....to test if this affectede something i removed MSCHAP v2 from the EAP method but the problem is still there.
Thanks for your help
09-05-2014 07:49 AM
if the config is really the same and sometimes it works and sometimes not im pretty much out of ideas.
you could do packet captures and try to find an issue from there, but that will be complicated im afraid. it might be worth it just to check if you see something different, perhaps another system involved or ...?
a little Aruba promo: this is the reason I hate NPS and love Aruba ClearPass, with ClearPass the reason why would (most likely) be clear and with NPS you get into a situation where you are stuck and unable to find a cause.
09-05-2014 09:54 AM
Thanks for your help.
I'm a bit puzzled by the fact that the authentication type changes between 11 and 4, and both present succes events during trials and failure just for type 11. (I determined type 5 was present during a test i did so it's not important).
What could be the reason for this?