Problem with Windows 2008r2 NPS and 3rd party certificate
-
May 2, 2012 16:20
We have built a radius server using NPS and a third party certificate for 802.1x wireless client authentication and it works ok with our Windows 7 clients. The common name in the 3rd party certificate matches the FQDN of the NPS server.
Now we are building a secondary radius server. We have imported all the policies from the primary radius server above in addition to the 3rd party certificate into the secondary server. Everything in the secondary server should be identical to the primary (except the server name of course) but Windows 7 clients are failing to connect when using the secondary radius for authentication and I am seeing the following in the event logs:
Event ID: 6273
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: CAMPUS\test_user
Account Name: CAMPUS\test_user
Account Domain: CAMPUS
Fully Qualified Account Name: CAMPUS\test_user
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-0F-7D-18-F9-E3:ltusafe
Calling Station Identifier: 00-23-14-C5-F9-34
NAS:
NAS IPv4 Address: 172.30.20.250
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1168
RADIUS Client:
Client Friendly Name: Test_AP
Client IP Address: 172.30.20.250
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Secure Wireless Connections Campus_Staff
Authentication Provider: Windows
Authentication Server: FQDN of secondary radius server ====> (I have masked the original FQDN)
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
Here are the NPS policy and EAP settings (they are the same on both servers):
I came across this post http://serverfault.com/questions/318851/third-party-wildcard-certificates-for-use-with-microsoft-nps-radius-peap and it seems that the common name in the certificate might be the problem.
Is there a way to set up two radius servers using a single certificate?
Thank you.
- Moved by Tiger Li (Moderator) May 3, 2012 2:32 (From: Network Infrastructure Servers)
All replies
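One way to check, on the NPS server itself, the certificate conditions this thread turns on (name matching the server FQDN, private key present, Server Authentication EKU, trusted chain) is the script below; it is an added example written for this page, not code from any post, and it assumes only that the candidate certificate sits in the local machine Personal store (the function name `Test-NpsServerCert` and parameter `$ExpectedFqdn` are the example's own).

```powershell
# Added example, not from any post in this thread: list the certificates in the local
# machine Personal store and report why NPS could or could not present each one for PEAP
# on this host. Assumed requirements: Server Authentication EKU, a private key, a Subject
# CN or SAN DNS name matching the server FQDN, and a chain the server itself trusts.
function Test-NpsServerCert {
    param([string]$ExpectedFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName)

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $problems = @()
        # PEAP/EAP-TLS server certificates must carry the Server Authentication EKU
        $hasServerAuth = $false
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true }
                }
            }
        }
        if (-not $hasServerAuth) { $problems += 'missing Server Authentication EKU' }
        # A certificate imported as a bare .cer (no private key) cannot be used by NPS
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }
        # Names the certificate claims: Subject CN plus any SAN DNS entries
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            foreach ($entry in ($san.Format($false) -split ',\s*')) {
                if ($entry -like 'DNS Name=*') { $names += ($entry -replace '^DNS Name=', '').Trim() }
            }
        }
        # Exact match, or a wildcard name covering the FQDN (loose check, not full RFC 6125 rules)
        $nameOk = $names | Where-Object { $_ -ieq $ExpectedFqdn -or ($_.StartsWith('*.') -and $ExpectedFqdn -like $_) }
        if (-not $nameOk) { $problems += "no name matches $ExpectedFqdn (has: $($names -join ', '))" }
        # Build the chain from this server's stores; ChainStatus explains any failure
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($cert)) {
            $problems += ('chain not trusted: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '))
        }
        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint; Subject = $cert.Subject
            Usable = ($problems.Count -eq 0); Problems = ($problems -join '; ')
        }
    }
}

Test-NpsServerCert | Format-Table Thumbprint, Subject, Usable, Problems -AutoSize
```

Run it on each NPS server; a secondary server that shows the primary's certificate with "no name matches" or "no private key" reproduces the situation described above, and the chain check only reflects what this server trusts, so clients still need the issuing root in their own trusted store.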
-
May 3, 2012 2:32 (Moderator)
Hi ana804,
Thanks for posting here. If we are going to use PEAP or EAP with password-based authentication methods, RADIUS servers need to have a server certificate which is trusted by clients in order to establish trust before they do the password authentication. But I don’t see any reason to fill in the FQDN of each individual NPS/RADIUS server name in it.
Deploy a CA and NPS Server Certificate
http://technet.microsoft.com/en-us/library/cc730811(WS.10).aspx
Certificates and NPS
http://technet.microsoft.com/en-us/library/cc772401(WS.10).aspx
Meanwhile, we can set a RADIUS proxy in order to dispatch the incoming requests to NPS servers:
RADIUS Proxy
http://technet.microsoft.com/en-us/library/cc731320.aspx
Regards,
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tnmff@microsoft.com.
Tiger Li
TechNet Community Support
-
May 3, 2012 15:17
Tiger,
The clients are trusting the 3rd party server certificate of the primary radius server. The same certificate was imported into the secondary radius server but authentication is failing there.
The only issue with radius proxy is that it will be a single point of failure and we need to have two radius servers to ensure availability.
Thank you.
Ana804
- Edited by ana804 May 3, 2012 15:47
-
May 4, 2012 2:56 (Moderator)
Hi,
Thanks for update.
Since we are using a certificate from a third party, I think we may need to purchase another certificate for the secondary NPS server.
This solution does not scale as well as deploying a private CA on your network. Because you must purchase a certificate for each NPS server, your deployment costs increase with each NPS server you deploy.
PEAP-MS-CHAP v2-based Authenticated Wireless Access Design
http://technet.microsoft.com/en-us/library/dd348500(WS.10).aspx
Some NAS/RADIUS clients support sending incoming requests to multiple RADIUS servers/proxies, so it is possible to implement failover and redundancy with NPS proxies:
Load Balancing with NPS Proxy
http://technet.microsoft.com/en-us/library/dd197433(WS.10).aspx
Regards,
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tnmff@microsoft.com.
Tiger Li
TechNet Community Support
- Marked as answer by Tiger Li (Moderator) May 7, 2012 1:30
- Unmarked as answer by Tiger Li (Moderator) May 7, 2012 1:30
- Proposed as answer by Tiger Li (Moderator) May 9, 2012 0:47
- Marked as answer by Tiger Li (Moderator) May 9, 2012 9:22
-
May 7, 2012 1:31 (Moderator)
Hi ,
Please feel free to let us know if the information was helpful to you.
Regards,
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tnmff@microsoft.com.
Tiger Li
TechNet Community Support
-
May 7, 2012 14:39
I will let you know when the issue is resolved. Thank you.
-
May 22, 2012 20:10
I just wanted to update this thread in case somebody runs into the same issue.
I installed a new 3rd party cert on the 2nd NPS server today and it worked. Thanks Tiger for helping me to solve this.
- Edited by ana804 May 22, 2012 20:12