Security

Hey All

New here.

So, let's get into it.

We have a:

• Trusted CA
• a subordinate CA
• a Server 2016 NPS server
• and WPA2 Enterprise security on our wireless.

We are using computer certificates to authenticate the PC and allow wifi access. GPO pushing wifi authentication settings (no auto connect)

So, to give a quick description of the issue we're seeing. Its only happening to some users, and not to others:

On my computer - everything works as expected.  I get a cert, I can connect. I delete the cert, I can no longer connect. Cool.

On my colleagues computer with the same GPO, and a requested computer certificate - he is prompted for a certificate and a username.  The simple certificate list does not show his computer certificate at all (It does show user-certificates, not to mention it shouldnt prompt for a username)

All I see on the local machine for failures in event log for one of these impacted users is:  6105 - deauth after EAPOL key exchange sequence

I see the same error if I delete my certificate and try to authenticate.

When the impacted user tries to authenticate, I see nothing on the NPS logs.

At a bit of a loss here and would appreciate any help.

Here's some pics of my settings (Network policy and GPO Settings): https://imgur.com/a/5uGZ4yY

Why do you check the Called Station ID ?

Have you verified if the computers with issues did actually receive the computer certificate?

Have you verified that your group policy (which sets computer authentication) is actually applied to those machines? Did you do a 'gpupdate /force' on the problematic systems?

It looks to me that either one of these conditions causes the errors.

What also may be useful is, to get better understanding, to do a packet capture and see if there is a client cert sent and rejected, or the cert isn't sent at all.

Hey Herman

Thanks for the reply, appreciate it -- Certs are definitely enrolled (currently manually enrolled, not auto enrolled) and GPO is 100% applied as per gpresult.

It looks like I have this sorted out though.. Seems to be just a small subset of machines having trouble where a wider test has been majorily successful.

I'm not sure whats causing it on this subset of machines though -  Again, they definitely have the GPO and the certificate. Any idea what might cause it?

One more small thing may be the time-sync/time zone. All devices that do something with certificates (client, servers) should be within minutes time-synced.

Hey Herman

Timezone/Time-sync are all good. 

As mentioned before, the impacted users are prompted for a cert + username (but the certs listed are NOT the machine cert assigned) almost like something is overriding the GPO.

(as a contrast, if I remove the GPO, a functioning machine will ask for username and password, but also accept a certificate authentication)

do you have found the solution ?

Sort of but not really? Seems to be a handful of peoples computers - but not everyone is impacted.

If I put that user on a fresh machine with a fresh cert, it works fine, so this case can likely be closed. I'll have to fight with GPO or whatever is impacting these individuals

Thanks for the checkin

Heya - So as to the Call Station ID question - we're utilizing this to have different authentication types against different SSIDs