Occasional Contributor I
Posts: 9
Registered: ‎08-16-2012

Single AP, no controller, EAP authentication problem

I've set up my Windows 2008R2 domain controller according to this document:

http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/

I have a single AP-93 which I've set up to authenticate with the NPS.

The certificates from the CA are distributed to all of my Windows 7 clients.

When I try to connect I see the attempt on the AP. On the client I get an EAP-TLS authentication box where I can enter a username/password. Even if I enter the correct one, I can't connect.

On the NPS server I get the following message in the application log:

EventID: 1006
Source: EapHost
Info: Negotiation failed. Requested EAP methods not available

I've tried the following EAP types:

Microsoft: Smart Card or other certificate
Microsoft: Protected EAP
Microsoft Secured password (EAP-MSCHAP v2)

Neither works.

In the attachment I've added the log from the NPS.

Does anyone know what I'm doing wrong?

Retired Employee
Posts: 234
Registered: ‎04-19-2011

Re: Single AP, no controller, EAP authentication problem

You would have to enable the EAP types in the policy that you are using on the NPS.
You can add those under the Policy -> Settings -> Authentication Methods.
--
HT
Occasional Contributor I
Posts: 9
Registered: ‎08-16-2012

Re: Single AP, no controller, EAP authentication problem

Thank you for your reply. I have however enabled the EAP type.

I tried:

Microsoft: Smart Card or other certificate
Microsoft: Protected EAP
Microsoft Secured password (EAP-MSCHAP v2)

All three together or separate.

Same error each time.

Aruba Employee
Posts: 117
Registered: ‎09-21-2010

Re: Single AP, no controller, EAP authentication problem

I assume that you have not enabled termination on the controller. What do you mean by no controller in the title? From the controller's CLI, can you run show auth-tracebuf and note what you see in the output?

Also ensure that the WLAN setup on the client is using the correct authentication type.


client auth.png

Regards,

Sathya

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Single AP, no controller, EAP authentication problem

Just to clarify, how are you trying to authenticate the users? You mention EAP-TLS and certificates being issued to the clients, but then you mention being prompted for a username/password. If you are using EAP-TLS, then only certs are needed, and the client will not be prompted for a username and password. Make sure the Windows client is set up to use Smart Card or Other Certificate as its authentication method, not Protected EAP/MS-CHAP v2.

Check the Security Log on the NPS server and check the NPS events for this logon attempt; you should see some information about the EAP types tried by the client. Also, you'll see what Network Policy was matched on the request; make sure it is the desired one.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 9
Registered: ‎08-16-2012

Re: Single AP, no controller, EAP authentication problem

Hello Sathya,

I have not enabled termination on the controller. What I mean by no controller is that it's a single access point without a central controller. When I run the show auth-tracebuf command I get a parse error.

I've set up the client in the exact same way you've shown in the screenshot.

Kind regards,

Martijn

Occasional Contributor I
Posts: 9
Registered: ‎08-16-2012

Re: Single AP, no controller, EAP authentication problem

Hello Clembo,

I have set up client authentication. I've figured out that it asks for a username/password if, on the client in the connection properties, the 802.1x setting is set to user or computer authentication. Then it tries the computer first and asks for a un/pw for the user. I have now set up the client for computer authentication only. Now the client just gives an unable to connect screen.

I've attached the NPS log. I can't make heads or tails of it. Perhaps you can.

Kind regards,

Martijn Pollmann

Aruba Employee
Posts: 117
Registered: ‎09-21-2010

Re: Single AP, no controller, EAP authentication problem

Sorry, I am not able to see the logs.

I know that you have installed the CA certificate on the client, but for once can you try disabling validate server certificate in the client's wireless connection settings and try connecting? This is not a security best practice, but did you try this to eliminate the possibility that the client is not authenticating the server certificate? In Windows 7 you frequently see the unable to connect error if the client is not able to validate the server certificate.


client auth.png

Regards,

Sathya

 

Occasional Contributor I
Posts: 9
Registered: ‎08-16-2012

Re: Single AP, no controller, EAP authentication problem

Tried, same result. I have enabled the NPS tracking. In the IASSAM.log I get the following error:

[5320] 08-20 11:32:16:504: Successfully retrieved session (77) for user DOMAINNAME\COMPUTERNAME$.
[5320] 08-20 11:32:16:504: Processing output from EAP: action:2
[5320] 08-20 11:32:16:504: Translating attributes returned by EAPHost.
[5320] 08-20 11:32:16:504: EAP authentication failed.
[5320] 08-20 11:32:16:504: No AUTHENTICATION extensions, continuing
[5320] 08-20 11:32:16:504: No AUTHORIZATION extensions, continuing
[5320] 08-20 11:32:16:504: Inserting outbound EAP-Message of length 4.

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Single AP, no controller, EAP authentication problem

Computication-

Please try to load the NPS log again. The attachment you loaded didn't have anything in it. You can simply cut and paste the details of the NPS Logon event from the security event log. It should be Event ID 6273 for failed logons (6272 for successful).

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
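
One way to pull the NPS logon events mentioned above (6273 for denied, 6272 for granted) and read off the EAP type, the matched network policy and the reason for each attempt. This is an added example, not part of the original thread; the one-hour look-back window is an assumption, and the field names are those of the event's XML view, so check them against an event on your own server.

```powershell
# Added example: summarise recent NPS logon events from the Security log.
# Run in an elevated PowerShell session on the NPS server.
$since = (Get-Date).AddHours(-1)   # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273         # 6272 = access granted, 6273 = access denied
    StartTime = $since
} -ErrorAction SilentlyContinue    # no matching events is not an error here

$rows = foreach ($e in $events) {
    # Each event carries its details as named <Data Name="..."> elements.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    New-Object PSObject -Property @{
        Time       = $e.TimeCreated
        Result     = $(if ($e.Id -eq 6273) { 'Denied' } else { 'Granted' })
        Account    = $data['FullyQualifiedSubjectUserName']
        Client     = $data['ClientName']            # RADIUS client (the AP)
        CrpPolicy  = $data['ProxyPolicyName']       # connection request policy
        NetPolicy  = $data['NetworkPolicyName']     # network policy that matched
        AuthType   = $data['AuthenticationType']
        EapType    = $data['EAPType']
        ReasonCode = $data['ReasonCode']
        Reason     = $data['Reason']
    }
}

# Full detail per attempt, newest first.
$rows | Sort-Object Time -Descending |
    Select-Object Time, Result, Account, Client, CrpPolicy, NetPolicy,
                  AuthType, EapType, ReasonCode, Reason |
    Format-List

# Denials grouped by reason, EAP type and matched policy, to spot a
# request landing on the wrong policy or offering an unexpected method.
$rows | Where-Object { $_.Result -eq 'Denied' } |
    Group-Object ReasonCode, EapType, NetPolicy |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```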
