PEAP-TLS authentication issue with Cisco WLC and NPS

    General discussion

  • 2008 R2 NPS server

    Windows 7 pro client

    2008 AD

    2008 R2 enterprise CA in the domain.

    Having a weird issue with PEAP-TLS.

    I have configured this multiple times before with no issue.

    This time I experience some weird issues.

    WLC gives this message RADIUS server xxx.xxx.xxx.xxx:1812 failed to respond to request (ID 17) for client XX:XX:XX:XX:XX:XX / user 'unknown'

    NPS Logs has no entries.

    Change the configuration to PEAP MSchap v2 and authentication works, but only for user authentication.

    NPS logs for computer authentication tell me that the computer account is denied by the default Network policy, which means that my Network policy is not triggered by the computer authentication request.
    I have domain users OR domain computers under conditions.

    When I create another Network policy and use Machine Groups with domain computers as condition, computer authentication works.

    Change back to peap-tls, nothing works. No nps logs and RADIUS server xxx.xxx.xxx.xxx:1812 failed to respond to request (ID 17) for client XX:XX:XX:XX:XX:XX / user 'unknown' is back in WLC logs.

    I'm thinking certificate issue here. But I have triple verified all certificate settings and enrollment policies.

    NPS server gets its certificate from a copy of the RAS and IAS Server template, Users get theirs from a duplicate of the Users template and computers get theirs from a duplicate of the Computers template. All settings are from official technet guides and have worked fine several times before.

    I can't wrap my head around why I need to specify a separate network policy with machine groups as condition to get computer authentication to work.

    And why does Certificate authentication not work when all settings are exactly the same as another installation that is working just fine?

    Are there any logs on the NPS server I can check for error messages which can give me some input on what is going wrong?

    • Changed type Tiger Li Wednesday, April 25, 2012 1:35 AM
    Thursday, April 19, 2012 4:02 PM
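An added example, not from any poster in this thread, for the question above about which NPS logs to check: it confirms the Network Policy Server audit subcategory is enabled and then lists the NPS authentication audit events from the Security log, splitting machine requests (host/ identities) from user requests and showing which network policy each one hit. It assumes it runs elevated on the NPS server itself; the event data field names are those of the NPS 6272/6273/6274 events as they appear in the event XML.

```powershell
# Added example (not from this thread): summarise NPS authentication audit events.
# Assumes: run elevated on the NPS server; $Hours is the look-back window.
param([int]$Hours = 24)

# NPS only writes 6272/6273/6274 to the Security log when this subcategory is on.
# No such events at all usually means auditing is off, or the RADIUS request never
# reached NPS (compare with the WLC "failed to respond" message).
auditpol /get /subcategory:"Network Policy Server"

# 6272 = access granted, 6273 = access denied, 6274 = request discarded
$outcome = @{ 6272 = 'Granted'; 6273 = 'Denied'; 6274 = 'Discarded' }
$filter  = @{
    LogName   = 'Security'
    Id        = 6272, 6273, 6274
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    $identity = $d['FullyQualifiedSubjectUserName']
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Result    = $outcome[[int]$e.Id]
        # Machine authentication arrives as host/<fqdn>, user authentication as DOMAIN\user
        IsMachine = ($identity -like 'host/*')
        Identity  = $identity
        EapType   = $d['EAPType']
        Policy    = $d['NetworkPolicyName']      # which network policy matched (if any)
        Reason    = "$($d['ReasonCode']): $($d['Reason'])"
    }
}

# Per-policy breakdown: a machine request landing on the default deny policy shows
# here as IsMachine=True with the "denied by default policy" reason text.
$rows | Group-Object Result, IsMachine, Policy |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# Most recent individual decisions, newest first
$rows | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

If the auditpol line shows "No Auditing", enable it with auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable and retry the client before looking for events.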

All replies

  • I assume it's a v2 certificate?


    Have you called or placed a TAC with Cisco support for assistance? Usually with Cisco, your 24/7 Gold goes a long way and they'll take whatever time it takes to help resolve it, even configuring the NPS and other Windows side settings, server and clients.

    http://support.cisco.com



    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, April 19, 2012 10:58 PM