Controllerless Networks

PEAP authentication failure - Reason code 23

  • 1.  PEAP authentication failure - Reason code 23

    Posted Apr 11, 2013 10:37 AM

    Hello,

    I tried to change the security configuration of my WLAN from Termination: Enabled to Termination: Disabled.
    Before doing that, I was able to connect with Windows computers; the authentication was made by MSCHAPv2 (cf. security logs).

    With the Termination: Disabled, the authentication isn't working, and I can't figure out why.

    The error message is: 
    Reason code 23
    An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

    Here are the logs:

    ------------ IASSAM ------------

    [1980] 04-11 16:13:42:796: NT-SAM Names handler received request with user identity admin.
    [1980] 04-11 16:13:42:796: Prepending default domain.
    [1980] 04-11 16:13:42:796: NameMapper::prependDefaultDomain
    [1980] 04-11 16:13:42:796: SAM-Account-Name is "DC\admin".
    [1980] 04-11 16:13:42:796: Successfully created new RAP Based EAP session for user DC\admin.
    [1980] 04-11 16:13:42:796: No AUTHENTICATION extensions, continuing
    [1980] 04-11 16:13:42:796: NT-SAM Authentication handler received request for DC\admin.
    [1980] 04-11 16:13:42:796: Validating windows user account DC\admin
    [1980] 04-11 16:13:42:796: Sending LDAP search to WIN-35M4P8MNI43.dc.lab.
    [1980] 04-11 16:13:42:796: LDAP ERROR in ldap_search_ext_sW. Code = 81
    [1980] 04-11 16:13:42:796: Extended error string: (null)
    [1980] 04-11 16:13:42:796: Retrying LDAP search.
    [1980] 04-11 16:13:42:812: Opening LDAP connection to WIN-35M4P8MNI43.dc.lab.
    [1980] 04-11 16:13:42:812: The registry value DisableLdapEncryption does not exist. Using default 0
    [1980] 04-11 16:13:42:812: Trying to set LDAP encryption = 1
    [1980] 04-11 16:13:42:812: Setting localServerName.User to WIN-35M4P8MNI43$
    [1980] 04-11 16:13:42:858: LDAP connect succeeded.
    [1980] 04-11 16:13:42:858: Sending LDAP search to WIN-35M4P8MNI43.dc.lab.
    [1980] 04-11 16:13:42:858: Successfully validated windows account DC\admin.
    [1980] 04-11 16:13:42:858: Allowed EAP type: 25
    [1980] 04-11 16:13:42:858: Succesfully created EAP Host session with session id 5
    [1980] 04-11 16:13:42:858: Processing output from EAP: action:1
    [1980] 04-11 16:13:42:858: Inserting outbound EAP-Message of length 6.
    [1980] 04-11 16:13:42:858: Issuing Access-Challenge.
    [1980] 04-11 16:13:42:858: No AUTHORIZATION extensions, continuing
    [2340] 04-11 16:13:42:858: Successfully retrieved session (5) for user DC\admin.
    [2340] 04-11 16:13:42:858: No AUTHENTICATION extensions, continuing
    [2340] 04-11 16:13:42:858: Processing output from EAP: action:1
    [2340] 04-11 16:13:42:858: Inserting outbound EAP-Message of length 1096.
    [2340] 04-11 16:13:42:858: Issuing Access-Challenge.
    [2340] 04-11 16:13:42:858: No AUTHORIZATION extensions, continuing
    [1980] 04-11 16:13:42:890: Successfully retrieved session (5) for user DC\admin.
    [1980] 04-11 16:13:42:890: No AUTHENTICATION extensions, continuing
    [1980] 04-11 16:13:42:890: Processing output from EAP: action:1
    [1980] 04-11 16:13:42:890: Inserting outbound EAP-Message of length 383.
    [1980] 04-11 16:13:42:890: Issuing Access-Challenge.
    [1980] 04-11 16:13:42:890: No AUTHORIZATION extensions, continuing
    [2340] 04-11 16:13:42:905: Successfully retrieved session (5) for user DC\admin.
    [2340] 04-11 16:13:42:905: No AUTHENTICATION extensions, continuing
    [2340] 04-11 16:13:42:905: Processing output from EAP: action:2
    [2340] 04-11 16:13:42:905: Translating attributes returned by EAPHost.
    [2340] 04-11 16:13:42:905: EAP authentication failed.
    [2340] 04-11 16:13:42:905: No AUTHORIZATION extensions, continuing
    [2340] 04-11 16:13:42:905: Inserting outbound EAP-Message of length 4.

     

    ------------ IASSAM ------------

    [1980] 04-11 16:13:42:858: EapPeapEnd
    [1980] 04-11 16:13:42:858: EapTlsEnd
    [1980] 04-11 16:13:42:858: EapTlsEnd(dc\admin)
    [1980] 04-11 16:13:42:858: EapPeapEnd done
    [1980] 04-11 16:13:42:858: EapPeapBegin
    [1980] 04-11 16:13:42:858: EapPeapBegin - flags(0x2)
    [1980] 04-11 16:13:42:858: PeapReadUserData
    [1980] 04-11 16:13:42:858:
    [1980] 04-11 16:13:42:858: EapTlsBegin(DC\admin)
    [1980] 04-11 16:13:42:858: SetupMachineChangeNotification
    [1980] 04-11 16:13:42:858: State change to Initial
    [1980] 04-11 16:13:42:858: EapTlsBegin: Detected PEAP authentication
    [1980] 04-11 16:13:42:858: MaxTLSMessageLength is now 16384
    [1980] 04-11 16:13:42:858: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
    [1980] 04-11 16:13:42:858: CRYPT_E_REVOCATION_OFFLINE will not be ignored
    [1980] 04-11 16:13:42:858: The root cert will not be checked for revocation
    [1980] 04-11 16:13:42:858: The cert will be checked for revocation
    [1980] 04-11 16:13:42:858: EapPeapBegin done
    [1980] 04-11 16:13:42:858: EapPeapMakeMessage
    [1980] 04-11 16:13:42:858: EapPeapSMakeMessage, flags(0x405)
    [1980] 04-11 16:13:42:858: EapPeapSMakeMessage, user prop flags(0x1)
    [1980] 04-11 16:13:42:858: PEAP:PEAP_STATE_INITIAL
    [1980] 04-11 16:13:42:858: EapTlsSMakeMessage, state(0)
    [1980] 04-11 16:13:42:858: EapTlsReset
    [1980] 04-11 16:13:42:858: State change to Initial
    [1980] 04-11 16:13:42:858: EapGetCredentials
    [1980] 04-11 16:13:42:858: Flag is Server and Store is local Machine
    [1980] 04-11 16:13:42:858: GetCachedCredentials Flags = 0x40e1
    [1980] 04-11 16:13:42:858: FindNodeInCachedCredList, flags(0x40e1), default cached creds(0), check thread token(1)
    [1980] 04-11 16:13:42:858: pNode->dwCredFlags = 0x12
    [1980] 04-11 16:13:42:858: GetCachedCredentials: Using Cached Credentials
    [1980] 04-11 16:13:42:858: GetCachedCredentials: Hash of the cert in the cache is
    2B 3C 4B FD E9 11 18 49 74 60 4F 97 1E 1C A1 2A |+,K....ItpO....*|
    6D BE 13 B6 00 00 00 00 00 00 00 00 00 00 00 00 |m...............|
    [1980] 04-11 16:13:42:858: BuildPacket
    [1980] 04-11 16:13:42:858: << Sending Request (Code: 1) packet: Id: 2, Length: 6, Type: 13, TLS blob length: 0. Flags: S
    [1980] 04-11 16:13:42:858: State change to SentStart
    [1980] 04-11 16:13:42:858: EapPeapSMakeMessage done
    [1980] 04-11 16:13:42:858: EapPeapMakeMessage done
    [2340] 04-11 16:13:42:858: EapPeapMakeMessage
    [2340] 04-11 16:13:42:858: EapPeapSMakeMessage, flags(0x405)
    [2340] 04-11 16:13:42:858: EapPeapSMakeMessage, user prop flags(0x1)
    [2340] 04-11 16:13:42:858: Cloned PPP_EAP_PACKET packet
    [2340] 04-11 16:13:42:858: PEAP:PEAP_STATE_TLS_INPROGRESS
    [2340] 04-11 16:13:42:858: EapTlsSMakeMessage, state(1)
    [2340] 04-11 16:13:42:858: MakeReplyMessage
    [2340] 04-11 16:13:42:858: Reallocating input TLS blob buffer
    [2340] 04-11 16:13:42:858: SecurityContextFunction
    [2340] 04-11 16:13:42:858: AcceptSecurityContext returned 0x90312
    [2340] 04-11 16:13:42:858: State change to SentHello
    [2340] 04-11 16:13:42:858: BuildPacket
    [2340] 04-11 16:13:42:858: << Sending Request (Code: 1) packet: Id: 3, Length: 1096, Type: 13, TLS blob length: 1463. Flags: LM
    [2340] 04-11 16:13:42:858: EapPeapSMakeMessage done
    [2340] 04-11 16:13:42:858: EapPeapMakeMessage done
    [1980] 04-11 16:13:42:890: EapPeapMakeMessage
    [1980] 04-11 16:13:42:890: EapPeapSMakeMessage, flags(0x605)
    [1980] 04-11 16:13:42:890: EapPeapSMakeMessage, user prop flags(0x1)
    [1980] 04-11 16:13:42:890: Cloned PPP_EAP_PACKET packet
    [1980] 04-11 16:13:42:890: PEAP:PEAP_STATE_TLS_INPROGRESS
    [1980] 04-11 16:13:42:890: EapTlsSMakeMessage, state(2)
    [1980] 04-11 16:13:42:890: BuildPacket
    [1980] 04-11 16:13:42:890: << Sending Request (Code: 1) packet: Id: 4, Length: 383, Type: 13, TLS blob length: 0. Flags:
    [1980] 04-11 16:13:42:890: EapPeapSMakeMessage done
    [1980] 04-11 16:13:42:890: EapPeapMakeMessage done
    [2340] 04-11 16:13:42:905: EapPeapMakeMessage
    [2340] 04-11 16:13:42:905: EapPeapSMakeMessage, flags(0x605)
    [2340] 04-11 16:13:42:905: EapPeapSMakeMessage, user prop flags(0x1)
    [2340] 04-11 16:13:42:905: Cloned PPP_EAP_PACKET packet
    [2340] 04-11 16:13:42:905: PEAP:PEAP_STATE_TLS_INPROGRESS
    [2340] 04-11 16:13:42:905: EapTlsSMakeMessage, state(2)
    [2340] 04-11 16:13:42:905: MakeReplyMessage
    [2340] 04-11 16:13:42:905: Reallocating input TLS blob buffer
    [2340] 04-11 16:13:42:905: SecurityContextFunction
    [2340] 04-11 16:13:42:905: AcceptSecurityContext returned 0x80090330
    [2340] 04-11 16:13:42:905: State change to SentFinished. Error: 0x80090330
    [2340] 04-11 16:13:42:905: Negotiation unsuccessful
    [2340] 04-11 16:13:42:905: BuildPacket
    [2340] 04-11 16:13:42:905: << Sending Failure (Code: 4) packet: Id: 5, Length: 4, Type: 0, TLS blob length: 0. Flags:
    [2340] 04-11 16:13:42:905: AuthResultCode = (-2146893008), bCode = (4)
    [2340] 04-11 16:13:42:905: EapPeapSMakeMessage done
    [2340] 04-11 16:13:42:905: EapPeapMakeMessage done

     



  • 2.  RE: PEAP authentication failure - Reason code 23

    EMPLOYEE
    Posted Apr 11, 2013 10:40 AM

    Do you have a valid server certificate for your NPS server?  Is it referenced in the remote access policy on NPS that serves clients?  Has it ever worked?

     

     



  • 3.  RE: PEAP authentication failure - Reason code 23

    Posted Apr 11, 2013 10:43 AM

    Well, I reproduced the error in a lab in which all services are installed on the same server (DC, AD, CA, ...).

    It worked before when the Termination was Enabled (I was thus receiving the IAP certificate instead of the DC certificate).



  • 4.  RE: PEAP authentication failure - Reason code 23

    EMPLOYEE
    Posted Apr 11, 2013 10:51 AM

    All of your devices must trust the IAP's certificate if you have termination enabled, for it to work smoothly.  If you did not upload an alternate certificate to the IAP for all your devices to trust, you will have issues.  Your choices are:

     

    1-  Make sure your NPS server has a valid server certificate and ensure all your devices trust that.  Ideally it would be generated by an enterprise CA that all your domain clients trust (best option).  Make sure your NPS server remote access policy references that certificate.

    2-  Upload a certificate that all of your clients trust to IAP.

     

    Instructions on how to configure NPS are here:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

     

     



  • 5.  RE: PEAP authentication failure - Reason code 23

    Posted Apr 11, 2013 10:59 AM

    I followed your paper.

    Just to be sure:
    As in my lab I have the NPS and the CA on the same server, I thus use the root certificate in the NPS configuration.
    I have also added this certificate to some clients that haven't joined the domain.

    Am I right?




  • 6.  RE: PEAP authentication failure - Reason code 23

    EMPLOYEE
    Posted Apr 11, 2013 11:00 AM

    There are two certificates:

     

    One is the Root CA certificate.  The other is the server certificate that needs to be assigned to the radius server.  The second certificate is the one that you want in the Remote access policy, NOT the CA one...



  • 7.  RE: PEAP authentication failure - Reason code 23

    Posted Apr 11, 2013 11:12 AM

    I agree with that, but as the RADIUS server is on the same physical server, I'm not able to produce another certificate for it.
    Even in the document I could not find this.



  • 8.  RE: PEAP authentication failure - Reason code 23

    EMPLOYEE
    Posted Apr 11, 2013 11:13 AM

    Please search the document for the section "Request Certificates (optional)".  That details the procedure to request that certificate.

     



  • 9.  RE: PEAP authentication failure - Reason code 23

    Posted Apr 11, 2013 11:23 AM

    I followed your tutorial and I have done that (even if I don't really get why). I still have the error.



  • 10.  RE: PEAP authentication failure - Reason code 23

    EMPLOYEE
    Posted Apr 11, 2013 11:39 AM

    It is not my tutorial... I just linked to it  ;)

     

    Next, you need to ensure that in your remote access policy the correct certificate is used.   Can you see the server certificate in your remote access policy?

     



  • 11.  RE: PEAP authentication failure - Reason code 23

    Posted Apr 16, 2013 08:37 AM

    Ok, now we are there:


    I disabled the RADIUS "Termination".

    The iOS stuff is working well (the certificate is prompted; the user has to accept it).
    But it's not working for Windows users.

    So I guess this is due to a certificate mismatch?

    The thing is, in your documentation they only say: "Click through the Enrollment screens choosing the settings you desire for your certificate."

    I saw on the internet that I have to request a "computer certificate" for the NPS server.
    But my NPS server is running on my domain controller, and when I open the certificates MMC and right-click on "Personal", I'm only able to request a certificate for:
    - Directory Email Replication
    - Domain Controller
    - Domain Controller Authentication

    The certificate used by my NPS thus comes from a "Domain Controller Authentication" template.

    Do you think that the error comes from there? (Why does the iOS stuff work, if so?)

    Thanks :)



  • 12.  RE: PEAP authentication failure - Reason code 23
    Best Answer

    EMPLOYEE
    Posted Apr 16, 2013 08:41 AM

    Try domain controller.

     



  • 13.  RE: PEAP authentication failure - Reason code 23

    Posted Apr 16, 2013 08:54 AM

    And it's working!

    Many thanks, great job :)

    In the "Domain Controller Authentication" template the Subject field was empty. I guess it comes from that.
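The thread turned on two properties of the NPS server certificate: it must chain to a CA the clients trust and carry the Server Authentication EKU (replies 4 and 6), and its Subject field must not be empty, which is a documented Microsoft requirement for PEAP and EAP-TLS server certificates and explains why the certificate from the "Domain Controller Authentication" template failed for Windows clients while the "Domain Controller" template worked. The following PowerShell audit is an added example, not code from the thread or from Aruba: it walks the NPS host's LocalMachine\My store and reports, per certificate, whether it is usable for PEAP and why not. It assumes it is run in an elevated PowerShell on the NPS server itself, on Windows Server 2012 or later (PowerShell 3.0 for the -in operator and the PKI module's Test-Certificate cmdlet); the function names Test-NpsServerCert and Get-TemplateName are this example's own.

```powershell
# Added example (not from the thread): audit LocalMachine\My on the NPS host against
# the PEAP server-certificate requirements discussed in the thread.
# Assumptions: elevated session on the NPS server, Windows Server 2012+ / PowerShell 3.0+.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$hostFqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v1 templates carry "Certificate Template Name" (1.3.6.1.4.1.311.20.2),
    # v2+ templates carry "Certificate Template Information" (1.3.6.1.4.1.311.21.7).
    $ext = $Cert.Extensions | Where-Object {
        $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
    } | Select-Object -First 1
    if ($ext) { ($ext.Format($false) -replace '\s+', ' ').Trim() } else { '(no template extension)' }
}

function Test-NpsServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = New-Object System.Collections.Generic.List[string]

    if (-not $Cert.HasPrivateKey) { $problems.Add('no private key in the store') }

    # The failure in the thread: the "Domain Controller Authentication" template leaves
    # Subject empty, and the Windows supplicant rejects a PEAP server cert without one.
    if ([string]::IsNullOrWhiteSpace($Cert.Subject)) { $problems.Add('Subject field is empty') }

    # EnhancedKeyUsageList is the script property PowerShell adds to certs from the Cert: drive.
    if ($Cert.EnhancedKeyUsageList.ObjectId -notcontains $ServerAuthEku) {
        $problems.Add('missing Server Authentication EKU')
    }

    if ($Cert.NotAfter -lt (Get-Date)) { $problems.Add("expired on $($Cert.NotAfter)") }

    # The server's FQDN should appear in the Subject CN or in a SAN dNSName.
    $cn    = $Cert.Subject -replace '^CN=([^,]+).*$', '$1'
    $names = @($Cert.DnsNameList.Unicode) + @($cn)
    if ($names -notcontains $hostFqdn) {
        $problems.Add("neither Subject CN nor SAN names this host ($hostFqdn)")
    }

    # Chain validation against this machine's trusted roots for the SSL policy; a domain
    # client needs the same chain, so a failure here predicts the client-side rejection.
    $chainOk = Test-Certificate -Cert $Cert -Policy SSL -EKU $ServerAuthEku -ErrorAction SilentlyContinue
    if (-not $chainOk) { $problems.Add('chain does not validate for SSL / Server Authentication') }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Template   = Get-TemplateName -Cert $Cert
        Issuer     = $Cert.Issuer
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Report every machine certificate, usable ones first; pick a "Usable = True" entry in the
# NPS network policy's PEAP settings and re-test a Windows client.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-NpsServerCert -Cert $_ } |
    Sort-Object -Property Usable -Descending |
    Format-Table -AutoSize -Wrap Thumbprint, Subject, Template, Usable, Problems
```

If the only certificate that passes is one issued from the "Domain Controller" template, that matches the thread's resolution; a certificate that fails only the chain check points at the trust problem replies 4 and 6 describe (the clients do not hold the issuing CA's root), which the NPS-side trace in the first post cannot show on its own.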



  • 14.  RE: PEAP authentication failure - Reason code 23

    EMPLOYEE
    Posted Apr 16, 2013 08:55 AM

    Awesome!