Problem ViA EAP-TLS Ikev2

Hi,

We have some trouble setting up VIA with EAP-TLS authentication.

Scenario:

  • We have distributed certs to users
  • Set up VIA profiles to look at our NPS server
  • The NPS server is up and we think everything is fine, but we get Reason code 22: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
  • We are using the user template for the client cert, and our NPS server is using the RAS IAS cert template. The NPS server is not a domain controller but a domain member.

I think I have looked everywhere for a solution, but now we are ready to give up.

My question is whether someone has a good, solid guide to setting up VIA with EAP-TLS verification through Windows NPS?

This is the log from client:

Aug 09 10:45:50.801  p3264  t2058  INFO anikeimpl  578  IKE PAcket Received

Aug 09 10:45:51.208  p3264  t2058  TRACE ancert_mgmt  296  Enter CertificateLeafDNTest

Aug 09 10:45:51.208  p3264  t2058  DEBUG ancert_mgmt  301  0 DN pair Configured

Aug 09 10:45:51.208  p3264  t2058  INFO ancert_mgmt  311  DN test staus 0

Aug 09 10:45:51.208  p3264  t2058  TRACE ancert_mgmt  312  Exit CertificateLeafDNTest

Aug 09 10:45:51.209  p3264  t2058  INFO ancert_mgmt  344  Issuer Attribute type 38

Aug 09 10:45:51.209  p3264  t2058  INFO ancert_mgmt  344  Issuer Attribute type 38

Aug 09 10:45:51.209  p3264  t2058  INFO ancert_mgmt  344  Issuer Attribute type 3

Aug 09 10:45:51.209  p3264  t2058  INFO ancert_mgmt  413  Issuer Attribute tierp-ZOOM2K8-CA

Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  450  Validate cert and its ancestor for basic constraint check

Aug 09 10:45:51.213  p3264  t2058  ERROR ancert_mgmt  749  Query User Token failed reason = 5

Aug 09 10:45:51.213  p3264  t2058  WARNING ancert_mgmt  585   Failed locating a logged on user, err= 5, Continueing..

Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  622  The size of the chain context is 72.

Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  623  1 simple chains found.

Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  624  Error Status code is 1

Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  628  This certificate or one of the certificates in the certificate chain is not time-valid.

Aug 09 10:45:51.214  p3264  t2058  ERROR anike_mocana_cbh  1510  CHILD_SA [v2 I] failed

Aug 09 10:45:51.214  p3264  t2058  INFO anike_mocana_cbh  1512  , status = -6012

Aug 09 10:45:51.215  p3264  t2058  ERROR anike_mocana_cbh  1390    IKE_SA [v2 I] (id=0xa3b378f3) failed

Aug 09 10:45:51.215  p3264  t2058  ERROR anike_mocana_cbh  1397  sending ike event

Aug 09 10:45:51.215  p3264  t2058  ERROR anike_mocana_cbh  1402   IKE Phase 1 SA Failed status = -6012

Aug 09 10:45:51.215  p3264  t2058  TRACE anikeimpl  302  EAP INFO Deleted EAP Session.

Aug 09 10:45:51.215  p3264  t2058  DEBUG anikeimpl  531 

Re: Problem ViA EAP-TLS Ikev2

Can you show us what the NPS policy looks like?
Cheers
James


Re: Problem ViA EAP-TLS Ikev2

For information: We have found a solution :).

The problem was that the VIA client tried to use an expired CA certificate on the workstation. One line in the log from the VIA client said "invalid time", and that was probably this expired certificate.

We deleted that certificate on the client and it now runs correctly.
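
The root cause in this thread was logged at INFO level just before the IKE errors, so filtering the client log by ERROR alone hides it. The following is an added example, not part of the original posts and not VIA's own code: a small triage script that ties each IKE failure to the certificate-chain messages logged just before it on the same process and thread. The function names, the one-second window and the reading of a non-zero "Error Status code" as a failure are assumptions.

```python
import re
from datetime import datetime

# Line layout as in the VIA client log quoted in this thread:
#   "Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  628  message"
LINE_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+p(\d+)\s+t(\w+)\s+"
    r"([A-Z]+)\s+(\S+)\s+(\d+)\s*(.*)$")
IKE_FAIL_RE = re.compile(r"(IKE_SA|CHILD_SA|IKE Phase 1 SA).*failed", re.I)
# Assumption: a non-zero "Error Status code" means chain validation failed.
CHAIN_RE = re.compile(r"Error Status code is [1-9]\d*|not time-valid", re.I)

def parse(log_text):
    """Yield one dict per well-formed log line; blank or malformed lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, pid, tid, level, module, _src, msg = m.groups()
            # The log has no year; a fixed leap year is prepended only to compute deltas.
            when = datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")
            yield {"ts": when, "pid": pid, "tid": tid, "level": level,
                   "module": module, "msg": msg.strip()}

def triage(log_text, window_s=1.0):
    """Pair each IKE failure with earlier chain findings on the same pid/tid, any log level."""
    seen, findings = [], []
    for ev in parse(log_text):
        if ev["module"] == "ancert_mgmt" and CHAIN_RE.search(ev["msg"]):
            seen.append(ev)
        elif IKE_FAIL_RE.search(ev["msg"]):
            causes = [c["msg"] for c in seen
                      if (c["pid"], c["tid"]) == (ev["pid"], ev["tid"])
                      and 0 <= (ev["ts"] - c["ts"]).total_seconds() <= window_s]
            findings.append({"failure": ev["msg"], "causes": causes})
    return findings

# Sample input: lines copied from the client log in the first post.
SAMPLE = """\
Aug 09 10:45:51.213  p3264  t2058  ERROR ancert_mgmt  749  Query User Token failed reason = 5
Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  624  Error Status code is 1
Aug 09 10:45:51.213  p3264  t2058  INFO ancert_mgmt  628  This certificate or one of the certificates in the certificate chain is not time-valid.
Aug 09 10:45:51.214  p3264  t2058  ERROR anike_mocana_cbh  1510  CHILD_SA [v2 I] failed
Aug 09 10:45:51.215  p3264  t2058  ERROR anike_mocana_cbh  1402   IKE Phase 1 SA Failed status = -6012
Aug 09 10:45:51.215  p3264  t2058  DEBUG anikeimpl  531
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["failure"], "<-", f["causes"])
```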
