Occasional Contributor I

EAP-TLS working for some not for others. Help!

Hey All

New here.

So, let's get into it.

We have a:

  • Trusted CA
  • a subordinate CA
  • a Server 2016 NPS server
  • and WPA2 Enterprise security on our wireless.

We are using computer certificates to authenticate the PC and allow wifi access. GPO pushing wifi authentication settings (no auto connect).

So, to give a quick description of the issue we're seeing. It's only happening to some users, and not to others:

On my computer, everything works as expected. I get a cert, I can connect. I delete the cert, I can no longer connect. Cool.

On my colleague's computer with the same GPO, and a requested computer certificate, he is prompted for a certificate and a username. The simple certificate list does not show his computer certificate at all (it does show user certificates, not to mention it shouldn't prompt for a username).

All I see on the local machine for failures in the event log for one of these impacted users is: 6105 - deauth after EAPOL key exchange sequence

I see the same error if I delete my certificate and try to authenticate.

When the impacted user tries to authenticate, I see nothing in the NPS logs.

At a bit of a loss here and would appreciate any help.

Here's some pics of my settings (Network policy and GPO Settings): https://imgur.com/a/5uGZ4yY

MVP Expert

Re: EAP-TLS working for some not for others. Help!

Why do you check the Called Station ID?

PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info
PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info
PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)
PowerArubaIAP: Powershell Module to use Aruba Instant AP
ACMP 6.4 / ACMX #107 / ACCP 6.5
MVP Guru

Re: EAP-TLS working for some not for others. Help!

Have you verified if the computers with issues did actually receive the computer certificate?

Have you verified that your group policy (which sets computer authentication) is actually applied to those machines? Did you do a 'gpupdate /force' on the problematic systems?

It looks to me that either one of these conditions causes the errors.

What may also be useful, to get a better understanding, is to do a packet capture and see whether a client cert is sent and rejected, or not sent at all.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor I

Re: EAP-TLS working for some not for others. Help!

Heya. As to the Called Station ID question: we're utilizing this to have different authentication types against different SSIDs.

Occasional Contributor I

Re: EAP-TLS working for some not for others. Help!

Hey Herman

Thanks for the reply, appreciate it. Certs are definitely enrolled (currently manually enrolled, not auto enrolled) and GPO is 100% applied as per gpresult.

It looks like I have this sorted out though. It seems to be just a small subset of machines having trouble, where a wider test has been majorly successful.

I'm not sure what's causing it on this subset of machines though. Again, they definitely have the GPO and the certificate. Any idea what might cause it?

MVP Guru

Re: EAP-TLS working for some not for others. Help!

One more small thing may be the time sync/time zone. All devices that do something with certificates (clients, servers) should be time-synced to within minutes of each other.

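A client-side check for the points raised in the two posts above (machine certificate present and usable, GPO wireless profile actually applied, clock in sync, plus the 6105 events the original poster saw), as an added PowerShell example that is not from the thread. The profile name 'CorpWiFi', the issuer substring 'Sub CA' and the choice of the WLAN AutoConfig log for event 6105 are assumptions; replace them with your own values.

```powershell
# Added diagnostic script, run in an elevated PowerShell on an affected client.
# Assumptions: GPO-deployed WLAN profile is 'CorpWiFi'; issuing CA subject contains 'Sub CA'.
$ProfileName   = 'CorpWiFi'              # assumed profile name
$IssuerMatch   = 'Sub CA'                # assumed issuer substring
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU, required for EAP-TLS

# 1. Machine certificate: computer authentication uses LocalMachine\My, not the user store.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerMatch*" }
if (-not $certs) { Write-Warning "No machine cert from '$IssuerMatch' with a private key in LocalMachine\My" }
$now = Get-Date
foreach ($c in $certs) {
    $hasEku   = $null -ne ($c.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
    $inWindow = ($c.NotBefore -le $now) -and ($c.NotAfter -ge $now)
    $chainOk  = $c.Verify()   # chain build against the machine's trusted roots/intermediates
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Subject       = $c.Subject
        ClientAuthEKU = $hasEku     # $false here explains a cert missing from the EAP cert picker
        Valid         = $inWindow
        ChainOK       = $chainOk
    }
}

# 2. GPO wireless profile: is it present, and is 802.1X/EAP set the way the GPO intends?
$profile = netsh wlan show profiles name="$ProfileName"
if ($LASTEXITCODE -ne 0 -or -not $profile) {
    Write-Warning "WLAN profile '$ProfileName' not present; check gpresult /r /scope computer"
} else {
    $profile | Select-String 'Authentication|802.1X|EAP|credential'
}

# 3. Clock skew: certificate validity checks fail if the client is minutes off the CA/NPS time.
w32tm /query /status | Select-String 'Source|Last Successful Sync|Phase Offset'

# 4. Recent 802.1X/WLAN failures on the client (event 6105 from the thread; assumed to be
#    logged in the standard WLAN AutoConfig operational log).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WLAN-AutoConfig/Operational'; Id = 6105 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If step 1 shows a certificate with ClientAuthEKU or ChainOK false, the EAP supplicant will not offer it, which matches the "no computer certificate in the list" symptom regardless of what NPS logs.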
Occasional Contributor I

Re: EAP-TLS working for some not for others. Help!

Hey Herman

Timezone/Time-sync are all good.

As mentioned before, the impacted users are prompted for a cert + username (but the certs listed are NOT the machine cert assigned), almost like something is overriding the GPO.

(As a contrast, if I remove the GPO, a functioning machine will ask for username and password, but also accept a certificate authentication.)

MVP Expert

Re: EAP-TLS working for some not for others. Help!

Have you found the solution?
Occasional Contributor I

Re: EAP-TLS working for some not for others. Help!

Sort of, but not really? It seems to be a handful of people's computers, but not everyone is impacted.

If I put that user on a fresh machine with a fresh cert, it works fine, so this case can likely be closed. I'll have to fight with GPO or whatever is impacting these individuals.

Thanks for the check-in.
