I don't see my certificate with PEAP

    Question

  • Hello,

    I use NPS on Windows 2008 with a Cisco Catalyst 2960S for 802.1X authentication. It's OK, users can connect... But if I capture traffic I can't see my certificate...

    If I look at a capture with Wireshark:

    [screenshot of the Wireshark capture]

    I don't see the TLS certificate... Normally the PEAP sequence is:

    Authenticating Peer     Authenticator
    -------------------     -------------
                            <- EAP-Request/
                            Identity
    EAP-Response/
    Identity (MyID) ->
                            <- EAP-Request/
                            EAP-Type=PEAP
                            (PEAP Start, S bit set)
    EAP-Response/
    EAP-Type=PEAP
    (TLS client_hello) ->
                            <- EAP-Request/
                            EAP-Type=PEAP
                            (TLS server_hello,
                            TLS certificate,
                            [TLS server_key_exchange,]
                            [TLS certificate_request,]
                            TLS server_hello_done)
    EAP-Response/
    EAP-Type=PEAP
    ([TLS certificate,]
    TLS client_key_exchange,
    [TLS certificate_verify,]
    TLS change_cipher_spec,
    TLS finished) ->
                            <- EAP-Request/
                            EAP-Type=PEAP
                            (TLS change_cipher_spec,
                            TLS finished)

    Why can't I view my certificate? How can I view this certificate?

    Thanks in advance! GN :o)



    Monday, June 06, 2011 8:45 PM

Answers

  • Hi Dynnilak,

    Thank you for your update.

    PEAP fast reconnect enables wireless clients to move between wireless access points on the same network without being reauthenticated each time they associate with a new access point. Because both the PEAP client and the NPS server use previously cached TLS connection properties (the collection of which is named the TLS handle), the NPS server can quickly determine that the client connection is a reconnect.
    The TLS handle has a default duration of 10 hours. You could decrease the TLS handle expiry time in the Registry or disable the PEAP fast reconnect function on the NPS server.


    Regards,
    Rick Tan
    Wednesday, June 08, 2011 6:10 AM
    Moderator
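The behaviour described in this thread (a Certificate message on the first authentication, none on later ones that reuse a session ID or the cached TLS handle) can be checked programmatically rather than by eye. The script below is an added example, not code from this thread or from NPS/Wireshark: it frames and parses TLS records the way a Wireshark decode of PEAP would, walks the server's first flight, and reports whether a Certificate message was sent and whether the flight is an abbreviated (resumed) handshake. The two byte strings FULL_FLIGHT and RESUMED_FLIGHT are constructed by hand to mimic the two captures; it also goes slightly beyond the thread by pulling the session ID out of the ServerHello so a first and a resumed capture can be matched. Record-layer encryption is not modelled.

```python
"""Classify a PEAP server flight as a full or abbreviated (resumed) TLS handshake.

Added example, not part of the original thread.  Record and handshake framing
follow RFC 5246 (TLS 1.2); the sample flights below are constructed, not captured.
"""
import struct

# TLS record content types (RFC 5246 section 6.2.1)
CHANGE_CIPHER_SPEC = 20
HANDSHAKE = 22

# Handshake message types (RFC 5246 section 7.4)
HS_NAMES = {
    1: "client_hello", 2: "server_hello", 11: "certificate",
    12: "server_key_exchange", 13: "certificate_request",
    14: "server_hello_done", 16: "client_key_exchange", 20: "finished",
}


def tls_record(content_type: int, payload: bytes, version=(3, 3)) -> bytes:
    """Wrap payload in a TLS record header: type, version, 16-bit length."""
    return struct.pack("!BBBH", content_type, *version, len(payload)) + payload


def handshake_msg(hs_type: int, body: bytes) -> bytes:
    """Wrap body in a handshake header: type, 24-bit length."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def server_hello(session_id: bytes) -> bytes:
    """Minimal ServerHello body: version, 32-byte random, session_id, suite, compression."""
    return (b"\x03\x03" + b"\x11" * 32 + bytes([len(session_id)]) + session_id
            + b"\x00\x2f" + b"\x00")


def parse_records(data: bytes):
    """Split a byte stream into (content_type, payload) TLS records; reject truncation."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated TLS record header")
        ctype, _maj, _min, length = struct.unpack("!BBBH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record payload")
        records.append((ctype, payload))
        off += 5 + length
    return records


def parse_handshakes(payload: bytes):
    """Split a plaintext handshake record into (type, body) messages."""
    msgs, off = [], 0
    while off < len(payload):
        hs_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        msgs.append((hs_type, body))
        off += 4 + length
    return msgs


def server_hello_session_id(body: bytes) -> bytes:
    """Session ID sits after the 2-byte version and 32-byte random in a ServerHello."""
    sid_len = body[34]
    return body[35:35 + sid_len]


def classify_server_flight(data: bytes) -> dict:
    """Walk the server's first flight and report whether a Certificate was sent.

    Full handshake: server_hello, certificate, ..., server_hello_done, and only
    later change_cipher_spec.  Abbreviated (resumed) handshake: server_hello
    followed directly by change_cipher_spec, so no Certificate ever appears on
    the wire, which is what the thread's capture shows.
    """
    seen, session_id = [], b""
    for ctype, payload in parse_records(data):
        if ctype == CHANGE_CIPHER_SPEC:
            seen.append("change_cipher_spec")
            break  # everything after this is encrypted; stop parsing plaintext
        if ctype == HANDSHAKE:
            for hs_type, body in parse_handshakes(payload):
                seen.append(HS_NAMES.get(hs_type, f"type_{hs_type}"))
                if hs_type == 2:
                    session_id = server_hello_session_id(body)
    cert_sent = "certificate" in seen
    resumed = not cert_sent and seen[:2] == ["server_hello", "change_cipher_spec"]
    return {"messages": seen, "session_id": session_id.hex(),
            "certificate_sent": cert_sent, "resumed": resumed}


# Constructed sample flights (placeholder values, not a real certificate or session).
SESSION_ID = bytes(range(16))
FAKE_CERT = b"\x00\x00\x07" + b"\x00\x00\x04" + b"DER!"   # certificate_list with one 4-byte entry
FULL_FLIGHT = tls_record(HANDSHAKE, handshake_msg(2, server_hello(SESSION_ID))
                         + handshake_msg(11, FAKE_CERT)
                         + handshake_msg(14, b""))
RESUMED_FLIGHT = (tls_record(HANDSHAKE, handshake_msg(2, server_hello(SESSION_ID)))
                  + tls_record(CHANGE_CIPHER_SPEC, b"\x01")
                  + tls_record(HANDSHAKE, b"\xaa" * 40))  # encrypted Finished, opaque

if __name__ == "__main__":
    print("first auth :", classify_server_flight(FULL_FLIGHT))
    print("reconnect  :", classify_server_flight(RESUMED_FLIGHT))
```

In a real capture you would feed the reassembled TLS bytes from the EAP-Request/EAP-Type=PEAP packets into classify_server_flight; a resumed result with no Certificate is the expected, not a faulty, outcome while the TLS handle or session ID is still valid.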

All replies

  • Hi John,

    Thank you for your post.

    The authentication method used is PEAP (Protected EAP), which means that all information sent between the client and server is protected by an encrypted tunnel set up between the NPS and the client.

    If you want to view the certificate, please trace the NPS log, which will be saved to the Windows\tracing directory as IASSAM.log.
     Trace start: netsh ras set tr * en
     Do 802.1X authentication once
     Trace stop: netsh ras set tr * dis

    If there are more inquiries on this issue, please feel free to let us know.


    Regards,
    Rick Tan
    Tuesday, June 07, 2011 9:58 AM
    Moderator
  • Hi

    Thank you for your answer.

    I solved my problem; seemingly my certificate was sent in the first authentication, after that the client uses a session ID and NPS doesn't send the certificate.

    Does Windows 7 use a certificate cache? Where does it keep the certificate? How can I remove the temporary certificate?

    Thank you for your help!

    Tuesday, June 07, 2011 12:02 PM