NPS RADIUS, problems authenticating Non-Domain Computers with EAP-TLS.

  • Question

  • Hi all, I have problems when authenticating Non-Domain computers using NPS and EAP-TLS.

    I'm continuing this thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/5f48f4d8-0f6c-44dc-bac1-cff5c78b79ed, which is closed. I used those answers but I have new issues:

    _________________________

    Hi again.

    For the issue 1:

    I created a wireless profile with the following settings:

    WPA2-Enterprise and TKIP.

    Then I edited some settings on this profile:

    1. Security tab -> choose an authentication method -> Microsoft: Smartcard or another certificate (EAP-TLS)

    2. Security tab -> Disable 'Remember my credentials for this connection...'

    For the issue 2:

    It is strange because the Root CA and the Intermediate CA certificates were imported on the certificate store (Enterprise Root Certification Authorities) of my client before the connection test.

    But now it is not prompting with the warning of the Valid certificate issue.

    Now, I want to understand the logic of how NPS authenticates/gives permissions to the clients.

    After clicking on the SSID of the network with RADIUS-WPA2-Enterprise-EAP-TLS, the client is denied access.

    Is this correct? The client tries to connect, the NPS first uses the Connection request policy -> Use Windows authentication for all users, and then, if the client meets the policy requirements, the NPS server applies, in order, the policies in Network Policies.

    If my understanding is correct, I think that the problem is that NPS is trying to find a computer account but it is never going to find it, because it is a non-domain computer.

    This is the log:

    -----------------

    The Network Policy Server denied access to a user

    Please contact ...

    User:
     Security id:                                 NULL SID
     Account name:                           host/<non-domain-computer>
     Domain Account:                         <domain>                                                                      ---- Why does it attach my domain?
     Complete account name:             <domain>\host/<non-domain-computer>

    Client Computer:
     Security id:                                  NULL SID
     Account name:                             -
     Complete account name:              -
     OS version:                                 -
     Caller station ID:                         <MAC Address>
     Caller station ID who calls:            <MAC Address>
     
    NAS:
     IPv4 Address NAS:                        <IP>
     IPv6 Address NAS:                         -
     NAS Identifier:                              <AP ID>
     NAS port type:                              Wireless - IEEE 802.11
     NAS port:                                      9
     
    RADIUS client:
     Descriptive client's name:              <name>
     IP client's adress                          <IP>
     
    Details of the authentication:
     Connection request policy name:     Use Windows authentication for all users
     Network policy name:                           -
     Authentication provider:                 Windows
     Authentication Server:                   <NPS Server>
     Authentication type:                      EAP
     EAP type:                                     -
     Session account ID:                       -
     Results of the registry:                  Account information was written to the local registry file.
     Motive code:                                8
     Motive:                                        The user account specified doesn't exist

    -----------------

    I noticed another detail: The network policy is not being applied, it seems that it gets stuck when applying the Network Request Policy.

    Wednesday, June 22, 2011 4:24 PM
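As an added example (not code from the thread), a PowerShell parser for the NPS "denied access" event text quoted above. Field names follow the English layout of Event ID 6273, the sample event is constructed with placeholder names, and the function names are mine.

```powershell
# Added example, not from the thread: parse an NPS deny event (Event ID 6273) into
# name/value fields and apply the post's reasoning: the account lookup happens after
# the connection request policy and before any network policy is evaluated.
function ConvertFrom-NpsDenyEvent {
    param([Parameter(Mandatory=$true)][string]$Text)
    $fields = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # Value lines look like "    Reason Code:    8"; section headers such as
        # "User:" carry no value after the colon and are skipped by the regex.
        if ($line -match '^\s*([^:]+?):\s+(\S.*?)\s*$') {
            $fields[$matches[1].Trim()] = $matches[2]
        }
    }
    return $fields
}
function Get-NpsDenySummary {
    param([Parameter(Mandatory=$true)][string]$Text)
    $f = ConvertFrom-NpsDenyEvent -Text $Text
    $policy = $f['Network Policy Name']
    New-Object PSObject -Property @{
        Account                    = $f['Fully Qualified Account Name']
        ConnectionRequestPolicy    = $f['Connection Request Policy Name']
        NetworkPolicy              = $policy
        ReasonCode                 = [int]$f['Reason Code']
        Reason                     = $f['Reason']
        # "-" means NPS never got as far as matching a network policy.
        StoppedBeforeNetworkPolicy = (-not $policy) -or ($policy -eq '-')
    }
}
# Constructed sample modelled on the event pasted in the post (placeholder names).
$SampleEvent = @"
Network Policy Server denied access to a user.
User:
    Security ID:                    NULL SID
    Account Name:                   host/client01
    Account Domain:                 CONTOSO
    Fully Qualified Account Name:   CONTOSO\host/client01
Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name:            -
    EAP Type:                       -
    Reason Code:                    8
    Reason:                         The specified user account does not exist.
"@
Get-NpsDenySummary -Text $SampleEvent | Format-List
```

For a real event, pass the Message property of the 6273 entry from the Security log instead of the constructed sample.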

All replies

  • Hi Luis,

    Thanks for posting here.

    Which type of certificate have you generated and manually imported to the non-domain joined computer? Actually you should enroll both user and computer certificates to these non-domain joined client computers if you are going to perform user and computer authentication.

    You can also configure 802.1X wireless access settings by modifying local group policy settings on the non-domain joined computer by following the instructions:

    Checklist: Configure NPS for Secure Wireless Access

    http://technet.microsoft.com/en-us/library/cc771696.aspx

    For more information please refer to the article below:

    Certificates and NPS

    http://technet.microsoft.com/en-us/library/cc772401(WS.10).aspx

    Thanks.

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, June 23, 2011 8:26 AM
  • Hi! Thanks for your answer; I only want to use computer authentication through the use of certificates.

    This is the process I did for the Non-Domain computers certificates:

    ___________________________________

    I duplicated the Workstation certificate template on the CA with the name 'NonDomainComputers' and version Windows Server 2003 Enterprise, subject Name: given by the requester.

    On the client side, I execute this command: Certreq -New -f Request.inf Radius_%computername%.req

    The .inf file that I'm using is like this:

    [NewRequest]
    ; Subject of the request: the host name of the non-domain computer
    Subject="CN=<Name_of_my_host>"
    KeyLength=2048
    ; KeySpec=1 is AT_KEYEXCHANGE (key usable for both signing and key exchange)
    KeySpec=1
    ; 0xf0 = DigitalSignature | NonRepudiation | KeyEncipherment | DataEncipherment
    KeyUsage=0xf0
    ; Store the private key in the machine key store, not in the user's profile
    MachineKeySet=TRUE
    [RequestAttributes]
    ; Name of the template duplicated from the Workstation template on the CA
    CertificateTemplate="NonDomainComputers"

    Note: When I run this command, it tells me that the template wasn't found.

    I carry this .req file to the CA -> open certsrv.msc -> right click CA -> all tasks -> send new request -> select .req file -> save the certificate generated.

    Then I move this certificate to the Non-Domain computer who generated the request.

    On the client I open mmc and then add the certificate snap-in, then on the Personal Store right click, all tasks -> Import -> and follow the wizard to import the certificate.

    Note: The root CA and subordinate CA certificates were already imported on the client's trusted root CAs.

    ___________________________________

    I will read those articles. Thank you.

    Thursday, June 23, 2011 4:09 PM
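Added here as an example, not code from the thread: a PowerShell check (the function name Test-EapTlsClientCert is mine) to run on the non-domain client after the import step above. It verifies that the imported certificate has its private key in the machine store, the Client Authentication EKU, the DigitalSignature key usage, and a chain that builds to the client's trusted roots; it assumes the subject is exactly CN=<host name> as in the .inf.

```powershell
# Added example, not from the thread: check that the certificate imported into the
# non-domain client's Personal (LocalMachine\My) store has what EAP-TLS expects.
function Test-EapTlsClientCert {
    param([Parameter(Mandatory=$true)][string]$SubjectCN)
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth; NPS rejects client certs without it
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$SubjectCN" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return (New-Object PSObject -Property @{ Found = $false; SubjectCN = $SubjectCN }) }

    # Enhanced Key Usage (OID 2.5.29.37) as written by the CA template.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Key Usage (OID 2.5.29.15): EAP-TLS signs the TLS handshake, so DigitalSignature is
    # required; KeyUsage=0xf0 in the .inf above sets it. No extension means unrestricted.
    $kuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $canSign = $true
    if ($kuExt) {
        $sig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
        $canSign = ([int]($kuExt.KeyUsages -band $sig)) -ne 0
    }

    # Build the chain against this machine's trusted root/intermediate stores. Revocation
    # is skipped so the check works offline; NPS performs its own CRL checking.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $now = Get-Date

    New-Object PSObject -Property @{
        Found            = $true
        Thumbprint       = $cert.Thumbprint
        Issuer           = $cert.Issuer
        HasPrivateKey    = $cert.HasPrivateKey   # MachineKeySet=TRUE keeps it in the machine store
        ClientAuthEku    = ($ekuOids -contains $clientAuthOid)
        DigitalSignature = $canSign
        InValidity       = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        ChainBuilds      = $chainOk
        ChainErrors      = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }
}

# Run on the client; the request above used the host name as CN.
Test-EapTlsClientCert -SubjectCN $env:COMPUTERNAME | Format-List
```

Any property reporting False (or a non-empty ChainErrors) points at the certificate itself rather than at the NPS policy order.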
  • Hi Luis,

    Have you tried the method in that article?

    If there is any update on this issue, please feel free to let us know. We are looking forward to your reply.

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum
    Monday, June 27, 2011 7:07 AM
  • Hi Tiger:

    Actually I was reading those TechNet articles when deploying EAP-TLS, I was confused with the authentication methods.

    I can't try this method: 'Access Group Policy Extensions for 802.1X Wired and Wireless' (http://technet.microsoft.com/en-us/library/dd759253.aspx) on the non-domain computer. I can't view several policies on the client when opening gpedit.msc. And obviously I can't use a GPO from the domain.

    I don't know if this was the method you wanted me to use (using a GPO for EAP-TLS).

    Monday, June 27, 2011 7:26 PM
  • Hi Luis,

    Thanks for the update.

    Actually I was suggesting that you take a look at the instructions in that article, which discussed how to set up EAP-TLS for Windows clients by using group policy to create and modify the options in the local wireless connection profile on a non-domain joined computer. Sorry for the confusion if that was bothering you.

    Configure Wireless Clients running Windows 7 and Windows Vista for EAP-TLS Authentication

    http://technet.microsoft.com/en-us/library/dd759246.aspx

    It seems you might be running into some trouble on the certificate part. Have you considered importing or issuing the computer certificate to the non-domain member clients for EAP-TLS by using the Web enrollment tool? And make sure a username/password is not embedded in that certificate.

    Meanwhile, for how to correct the PKI/certificate settings in the EAP-TLS deployment, it is recommended that you get further support in the Security Forum so that you can get the most qualified pool of respondents.

    http://social.technet.microsoft.com/Forums/en/winserversecurity/threads

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum

    Tuesday, June 28, 2011 3:29 AM
  • Hi Tiger:

    "Actually I was suggesting that you take a look at the instructions in that article, which discussed how to set up EAP-TLS for Windows clients by using group policy to create and modify the options in the local wireless connection profile on a non-domain joined computer. Sorry for the confusion if that was bothering you."

    I can't even create a local policy on a non-domain computer. When I open gpedit.msc, the branch: Computer Settings \ Windows Settings \ Security settings \ Wireless network policies (IEEE 802.11) doesn't appear. When I go to the DC, it appears but the path is slightly different: Computer Settings \ Policies \ Windows Settings \ Security settings \ Wireless network policies (IEEE 802.11).

    Do I need to download Group policy extensions or why am I missing those settings on the local computer?

    "Configure Wireless Clients running Windows 7 and Windows Vista for EAP-TLS Authentication

    http://technet.microsoft.com/en-us/library/dd759246.aspx"

    Again, I can't apply this article without the policies on the local computer.

    "It seems you might be running into some trouble on the certificate part. Have you considered importing or issuing the computer certificate to the non-domain member clients for EAP-TLS by using the Web enrollment tool? And make sure a username/password is not embedded in that certificate."

    I was told in this thread that it was not possible to issue a computer certificate using the Web enrollment tool:

    http://social.technet.microsoft.com/Forums/es-ES/winserversecurity/thread/704aa346-16cb-4f36-adf0-786911460608

    In which exact option of the certificate template could I check if there is a property specifying to embed a username/password in the certificate? I don't see any. Well, maybe I'll get a better answer in the Security forums.

    Note: I still believe that my mistake of not being able to authenticate non-domain computers is in how I'm using the combination of Network Connection Request policies and Network Policies. Because, as I specify in the first post, the client never reaches the Network Policy; it gets its connection denied when it's applying the Network Request policy.

    Tuesday, June 28, 2011 3:02 PM