EAP-TLS authentication with NPS for Radius Services

Question

  • I'm trying to use NPS as a RADIUS service in a Windows 2003 domain.  I am trying to authenticate to an HP ProCurve 2610 using my AD credentials and want to use EAP-TLS rather than PAP.  At the moment, only PAP seems to work.  How do I configure NPS to accept RADIUS authentication requests using EAP-TLS from the HP ProCurve?  How do I configure the HP ProCurve to use EAP-TLS to send authentication requests to the NPS?  I am not trying to do 802.1x or NAP at this time.  I'm only trying to manage the switches using AD credentials.  Any thoughts are welcome.
    Thursday, August 05, 2010 1:02 PM

Answers

  • OK, it works ;)

    We had the wrong domain on our switch. It was a 3Com 5500G and the domain should be the same as the one on the certificate!!

    I really don't know why machine auth worked; they were also in this same domain.

    Now we are fighting with EAPOL-Logoff on Windows 7 logoff.

    Regards

    WindII


    • Marked as answer by Tiger Li Wednesday, August 18, 2010 1:22 AM
    Tuesday, August 17, 2010 3:03 PM

All replies

  • EAP is certificate based. Have you set up a certificate on the RADIUS server, HP ProCurve and on the client side? The whole process to put this together isn't exactly a 1,2,3 step method. Take a look at the following links to get a better idea.

    Certificate Requirements for PEAP and EAP (Applies To: Windows Server 2008 R2). "All certificates that are used for network ... When using PEAP and EAP-TLS, NPS servers display a list of all installed ..."
    http://technet.microsoft.com/en-us/library/cc731363.aspx

    EAP-TLS: Manually Configuring Wired Clients
    http://www.itechtalk.com/thread419.html

    Windows 2008 RADIUS Server - NPS/NPAS Checklist & Usage Recommendations, Friday, January 29, 2010
    http://blog.axiomdynamics.com/2010/01/windows-2008-radius-server-npsnpas.html


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    • Proposed as answer by Tiger Li Monday, August 09, 2010 1:32 AM
    Thursday, August 05, 2010 8:06 PM
  • Also, with NPS, EAP-TLS does not seem to work for user authentication; only computer authentication worked with EAP-TLS when I tested this on Windows Server 2008. Don't know if this is fixed in R2 though.

    Bit too quick there, as you have not started using NPS. But something to note when you start.
    Also keep in mind to configure a shared secret between the switch and NPS (the same password must be set on the switch and NPS).

    Regards
    Morten

    Friday, August 06, 2010 8:43 AM

  •
    Hi

    I am also trying to run P/EAP-TLS on Windows Server 2008 SP2.  Computer authentication works great, but we have no idea why user authentication doesn't work.  The certificates on the PC and user are created correctly (I think); when I log on to the Windows domain with a smart card it also works OK. The IAS Event Viewer doesn't show any reject or deny log (when I switch on computer authentication it clearly shows access granted).

    Is it really true that on Windows 2008 EE it is possible to run only Computer Authentication???

    Regards

    WindII


    Monday, August 16, 2010 5:55 PM

  •
    You would need EE for the CA to create a V2 or V3 cert for user or computer authentication. It doesn't work with a CA on Std Edition Windows. So I am not sure what you are asking. Is your CA on Std edition or EE?
    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Tuesday, August 17, 2010 12:37 AM
  • For the user certificates I used V2 templates with autoenrollment. The computer with its certificate got authenticated, but when NPS tried to authenticate the user with the certificate it failed. Had to use MS-CHAP V2 for the user authentication to work.

    These certificates all come from a Windows Server 2008 Enterprise CA.

    Regards
    Morten

    Tuesday, August 17, 2010 8:18 AM

  • Exactly, I have the same problem.

    My stuff:

    1) Windows Server 2008 Enterprise SP2 with CA, AD, NPS (IAS)

    2) 3Com 5500G Switch

    3) Windows 7 Enterprise

    4) Oberthurcs Smart Card

    5) Dell Smart Card Reader

    The problem is with authenticating the user through a certificate (EAP-TLS); machine authentication works correctly,

    and the other method (PEAP-MSCHAP) also works correctly.

    I think the certs are created correctly because logon to AD through a cert with a smart card works correctly.

    On IAS in the Event Viewer I don't have any reject message!!

    Also, when I try to sniff packets (with Wireshark) on the Windows server I don't see any packets between switch and server.

    Regards

    WindII


    Tuesday, August 17, 2010 8:50 AM
  • I have not seen much information concerning this issue, and I had to give up trying to find a solution for this problem because of time issues. It would be nice to see if any others out there have the same experience regarding using user certificates to authenticate against NPS.

    Note I also used the combination W2k8 (not R2) and W7 clients.

    Found this in another thread, where it is stated that this form of double authentication is not supported.
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/1d26e33b-bb38-4afe-bc43-f87fb187ee81

    Regards
    Morten

    Tuesday, August 17, 2010 9:36 AM
  • OK, but does anyone know whether "double authentication" or "user authentication" works on Windows Server 2008 R2 and Windows 7??


    Tuesday, August 17, 2010 12:09 PM
  •
    Glad to hear you got it working. However, that doesn't make sense since it's supposedly not supported?

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Tuesday, August 17, 2010 4:01 PM
  • To be precise, I am not authorizing access to a network device like user "gmparsons" wants, but access for Windows 7 to the network by 802.1x.

    The protocols EAP-TLS, PEAP-TLS and of course PEAP-MSCHAP work great with Machine or User authentication.

    These are the settings from the switch:

    radius scheme Test_Radius
     server-type standard
     primary authentication **** key ****
     primary accounting 10.10.20.205 key ****
     key authentication ***
     key accounting ***
     timer realtime-accounting 15
     timer response-timeout 5
     retry 5
    #
    domain CompanyXYZ.de
     scheme radius-scheme Test_Radius local
     scheme login local
     vlan-assignment-mode string
     access-limit enable 30
     idle-cut enable 20 2000

    And the domain name should be identical to the one in Windows AD and CS.

    Next, you should set this domain as default!!


     password-control login-attempt 3 exceed lock-time 120
    #
     domain default enable CompanyXYZ.de
    #
     dot1x
     dot1x authentication-method eap
    #


    Tuesday, August 17, 2010 4:59 PM
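As an added example (not code from the thread or from the switch vendor), a small Python check of the switch-side settings for the root cause the thread ends on: the switch's default domain must match the UPN suffix of the user certificate, that domain must bind a defined RADIUS scheme, and dot1x must relay EAP so that EAP-TLS reaches NPS. The config text is constructed from the 3Com snippet above; the authentication server address (masked in the post) and the certificate UPN are assumed values.

```python
import re
# Constructed sample modelled on the 3Com 5500G snippet from the thread; the
# authentication server address (masked in the post) is assumed here.
SWITCH_CONFIG = """\
radius scheme Test_Radius
 primary authentication 10.10.20.205 key ****
#
domain CompanyXYZ.de
 scheme radius-scheme Test_Radius local
#
 domain default enable CompanyXYZ.de
#
 dot1x authentication-method eap
"""

def parse_config(cfg):
    """Group lines under 'radius scheme X' / 'domain X'; a '#' line closes a block."""
    schemes, domains = {}, {}
    target = top = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^(radius scheme|domain) (\S+)$", line)
        if line == "#":
            target = top  # lines after a separator are top-level settings
        elif header and not raw.startswith(" "):
            table = schemes if header.group(1) == "radius scheme" else domains
            target = table.setdefault(header.group(2), [])
        else:
            target.append(line)
    return schemes, domains, top

def check_dot1x_domain(cfg, cert_upn):
    """Return findings; an empty list means the switch config is consistent with the
    user certificate's UPN suffix and can relay EAP-TLS to the RADIUS server."""
    schemes, domains, top = parse_config(cfg)
    findings = []
    suffix = cert_upn.rsplit("@", 1)[-1]
    default = next((l.split()[-1] for l in top if l.startswith("domain default enable ")), None)
    if default is None:
        findings.append("no 'domain default enable' line on the switch")
    else:
        if default.lower() != suffix.lower():
            findings.append(f"default domain {default!r} != cert UPN suffix {suffix!r}")
        bound = next((l.split()[2] for l in domains.get(default, []) if l.startswith("scheme radius-scheme ")), None)
        if bound not in schemes:
            findings.append(f"domain {default!r} does not bind a defined radius scheme")
    if "dot1x authentication-method eap" not in top:
        findings.append("dot1x does not relay EAP, so EAP-TLS cannot reach the RADIUS server")
    return findings
```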