Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Single AP, no controller, EAP authentication problem

  • 1.  Single AP, no controller, EAP authentication problem

    Posted Aug 16, 2012 12:58 PM

    I've set up my Windows 2008R2 domain controller according to this document:

    http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/

    I have a single AP-93, which I've set up to authenticate with the NPS.

    The certificates from the CA are distributed to all of my Windows 7 clients.

     

    When I try to connect I see the attempt AP. On the client I get an EAP-TLS authentication box where I can enter a username/password. Even if I enter the correct one, I can't connect.

     

    On the NPS server I get the following message in the application log:

    EventID: 1006

    Source: EapHost

    Info: Negotiation failed. Requested EAP methods not available

     

    I've tried the following EAP types:

    Microsoft: Smart Card or other certificate

    Microsoft: Protected EAP

    Microsoft Secured password (EAP-MSCHAP v2)

     

    Neither works.

    In the attachment I've added the log from the NPS.

     

    Does anyone know what I'm doing wrong?

     

     



  • 2.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 16, 2012 01:18 PM
    You would have to enable the EAP types in the policy that you are using on the NPS.
    You can add those under the Policy -> Settings -> Authentication Methods.


  • 3.  RE: Single AP, no controller, EAP authentication problem
    Best Answer

    Posted Aug 16, 2012 01:34 PM

    Thank you for your reply. I have however enabled the EAP type.

     

    I tried:

    Microsoft: Smart Card or other certificate

    Microsoft: Protected EAP

    Microsoft Secured password (EAP-MSCHAP v2)

     

    All three together or separate.

     

    Same error each time.



  • 4.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 16, 2012 06:24 PM

    I assume that you have not enabled termination on the controller. What do you mean by no controller in the title? From the controller's CLI, can you run show auth-tracebuf and note what you see in the output?

    Also ensure that the WLAN setup on the client is using the correct authentication type.

     

    client auth.png

    

    Regards,

    Sathya



  • 5.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 17, 2012 08:55 AM

    Hello Sathya,

    I have not enabled termination on the controller. What I mean by no controller is that it's a single access point without a central controller. When I run the show auth-tracebuf command I get a parse error.

    I've set up the client in the exact same way you've shown in the screenshot.

     

    Kind regards,

     

    Martijn



  • 6.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 16, 2012 10:56 PM

    Just to clarify, how are you trying to authenticate the users? You mention EAP-TLS and certificates being issued to the clients... but then you mention being prompted for username/password. If you are using EAP-TLS, then only certs are needed, and the client will not be prompted for a username and password. Make sure the Windows client is set up to use Smart Card or Other Certificate as its authentication method, not Protected EAP/MS-CHAP v2.

    Check the Security Log on the NPS server and check the NPS events for this logon attempt; you should see some information about the EAP types tried by the client. Also, you'll see what Network Policy was matched on the request; make sure it is the desired one.



  • 7.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 17, 2012 09:01 AM

    Hello Clembo,

    I have set up client authentication. I've figured out that it asks for a username/password if, on the client in the connection properties, the 802.1x setting is set to user or computer authentication. Then it tries the computer first and asks for a un/pw for the user. I have now set up the client for computer authentication only. Now the client just gives an unable to connect screen.

    I've attached the NPS log. I can't make heads or tails of it. Perhaps you can.

     

    Kind regards,

     

    Martijn Pollmann

    Attachment(s)

    txt
    EAP.txt   196 B 1 version


  • 8.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 17, 2012 06:10 PM

    Sorry, I am not able to see the logs.

    I know that you have installed the CA certificate on the client, but for once can you try disabling validate server certificate in the client wireless connection settings and try connecting? This is not a security best practice, but did you try this to eliminate the possibility that it might be a case of the client not authenticating the server certificate? In Windows 7 you frequently see the unable to connect error if the client is not able to validate the server certificate.

     

    client auth.png

    

    Regards,

    Sathya

     



  • 9.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 20, 2012 05:46 AM

    Tried, same result. I have enabled the NPS tracking. In the IASSAM.log I get the following error:

    [5320] 08-20 11:32:16:504: Successfully retrieved session (77) for user DOMAINNAME\COMPUTERNAME$.
    [5320] 08-20 11:32:16:504: Processing output from EAP: action:2
    [5320] 08-20 11:32:16:504: Translating attributes returned by EAPHost.
    [5320] 08-20 11:32:16:504: EAP authentication failed.
    [5320] 08-20 11:32:16:504: No AUTHENTICATION extensions, continuing
    [5320] 08-20 11:32:16:504: No AUTHORIZATION extensions, continuing
    [5320] 08-20 11:32:16:504: Inserting outbound EAP-Message of length 4.



  • 10.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 20, 2012 08:53 AM

    Computication-

    Please try to load the NPS log again. The attachment you loaded didn't have anything in it. You can simply cut and paste the details of the NPS Logon event from the security event log. It should be Event ID 6273 for failed logons (6272 for successful).



  • 11.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 20, 2012 09:38 AM

    I've attached the correct logs.



  • 12.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 20, 2012 09:41 AM

    Sorry, still no logs visible.



  • 13.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 20, 2012 09:45 AM

    Here are the logs. I tried attaching the text file, this failed, so I zipped them.

    Attachment(s)

    zip
    EAP.zip   9 KB 1 version


  • 14.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 20, 2012 11:46 PM

    I looked through the logs.  There is not much to go on, however, I do notice that the log references a Proxy Policy, named Secure Wireless Connections, however I do not see any matching Network Policy listed.  It seems you are not getting by the Connection Request Policy.  

     

    Try this:

    • Disable your "Secure Wireless Connections" connection request policy that you created (make sure it is the connection request policy, not the network policy), leaving only the default of "Use windows authentication for all users".
    • Reattempt your connection; this should get you by the connection request policy (there are no limitations to this default policy) and allow you to hit your Network Policies. If they are set up properly, you should see better results, or at least more information in the Event Log entries.
    • If this fixes your issues, check what you had set for Authentication Methods of the connection request policy; that is likely your culprit.

     

    If you still have issues, a couple of other questions/thoughts:

    • Can you supply the Event Log entries (from the Security Event Log on the NPS server) rather than the text based file?
    • What are the details of the "Secure Wireless Connections" connection policy?  The Conditions and Settings.
    • What are the details of your network policies; it too will be called "Secure Wireless Connections" if you configured NPS per the article you linked to?   The Conditions and Settings.
    • Does this same symptom occur for all users/computers?
    • Have you tried PEAP/MS-CHAP v2 rather than EAP-TLS?
    • Can you confirm that the certificate issued to the NPS server has the "Server Authentication" purpose?
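
Added example, not part of any post in this thread: a PowerShell helper that reads an NPS logon event (ID 6273 or 6272, as mentioned above) and reports which Connection Request Policy and Network Policy the request matched, which is the check the post above performs by eye. The function name and the sample event are constructed for illustration, and treating an empty or "-" NetworkPolicyName as "no Network Policy matched" is an assumption.

```powershell
# Added example. Summarises which NPS policies a logon event matched.
# Input: the XML of a Security-log event 6272/6273 (EventLogRecord.ToXml()).
function ConvertFrom-NpsEventXml {
    param([Parameter(Mandatory)][string]$EventXml)

    $doc  = [xml]$EventXml
    $data = @{}
    # Each <Data Name="..."> element under EventData is one named field.
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $np = $data['NetworkPolicyName']
    [pscustomobject]@{
        EventId                 = [int]$doc.Event.System['EventID'].InnerText
        Account                 = $data['SubjectUserName']
        ConnectionRequestPolicy = $data['ProxyPolicyName']
        NetworkPolicy           = $np
        # Assumption: empty or "-" means no Network Policy was evaluated.
        NetworkPolicyMatched    = [bool]($np -and $np -ne '-')
        AuthenticationType      = $data['AuthenticationType']
        EapType                 = $data['EAPType']
        Reason                  = $data['Reason']
    }
}

# Constructed sample event (not taken from the poster's logs).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">DOMAINNAME\COMPUTERNAME$</Data>
    <Data Name="ProxyPolicyName">Secure Wireless Connections</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="AuthenticationType">EAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="Reason">(constructed placeholder)</Data>
  </EventData>
</Event>
'@

ConvertFrom-NpsEventXml $sample | Format-List

# On the NPS server, feed it real events instead of the sample:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6272,6273} -MaxEvents 20 |
#     ForEach-Object { ConvertFrom-NpsEventXml $_.ToXml() } | Format-Table -AutoSize
```

A row with a Connection Request Policy name but NetworkPolicyMatched set to False corresponds to the situation described above, where the request never reaches the Network Policies.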

     



  • 15.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 22, 2012 12:10 PM

    There is some sort of corruption on the server where I installed NPS. I just finished installing NPS on a new server, put in the basic configuration and it works.

     

    I'll just move the NPS to a different server.

     

    Thank you for all your help.

     

    Kind regards,

     

    Martijn



  • 16.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 20, 2012 10:39 AM

    Have you tried to allow access on the Dial In tab in Active Directory user preferences?

     

     

    clip_image002_thumb.jpg 



  • 17.  RE: Single AP, no controller, EAP authentication problem

    Posted Aug 20, 2012 11:06 AM

    This setting should be "Control access through NPS Network Policy", because that's what I'm using. But I've tried "Allow access", to no result.