802.1x Enforcement using EAP-TLS method

  • Question

  • I am testing the 802.1x Enforcement functionality using EAP-TLS method.

    My test environment is as given below:

    NPS server, Subordinate Root CA ----> Windows Server 2008
    Domain Controller ----> Windows 2003
    Root CA ----> Windows 2003
    Authenticator ----> 802.1x Switch
    Client ----> Windows Vista


    The problem status is that, in the EAP-TLS method, the NPS server is sending a Finish message, then an EAP response, and then an EAP-Failure. (The 802.1x switch is receiving a Radius-Reject message from the NPS server.)

    I need help on the following:

    1) Could anybody suggest a tutorial or step-by-step guide for 802.1x enforcement using the EAP-TLS method?


    2) At the time of registration, the Windows Vista client is using a certificate published by the Enterprise root CA of Active Directory. Could anyone teach me the importance of the certificate (issued by the standalone CA on the NPS server to the Vista client) in the EAP-TLS method?


    3) The Radius-Reject message received by the 802.1x switch has the following setting in the VSA code:
</gml_replace>
<gr_replace lines="37" cat="clarify" orig="The RFC 2548">
    RFC 2548 does not contain this VSA type code setting; could anyone teach me the meaning of this code? I cannot understand the reason for the certificate failure from this data. Kindly help me in this regard.

    length = 6  type = 54  value = 1


    The RFC 2548 does not contain this type VSA code setting, could any one teach me what is the meaning of this code, I can not understand the reason for failure of certificate because of this Data. Kindly help me in this regard,


    Thanks for reading my question.


    Brijesh Shukla

    Thursday, July 12, 2007 1:15 AM
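For the VSA fields quoted in item 3, here is an added decoder (not part of this thread or of any Microsoft tooling) that walks the attribute section of a RADIUS packet, picks out Vendor-Specific attributes (type 26) and, for Microsoft's Vendor-Id 311 as laid out in RFC 2548, splits each one into vendor-type, vendor-length and value. The sample bytes are constructed to reproduce the reported type 54, length 6, value 1; the example shows only the on-the-wire layout and does not assign a meaning to type 54.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute
VENDOR_ID_MICROSOFT = 311    # Microsoft enterprise code, RFC 2548

def walk_tlv(data: bytes, start: int = 0):
    """Walk type/length/payload triples (1-byte type, 1-byte length covering both
    header bytes) and validate every length; this layout is shared by top-level
    RADIUS attributes and by Microsoft vendor sub-attributes."""
    items, pos = [], start
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated header at offset %d" % pos)
        ttype, tlen = data[pos], data[pos + 1]
        if tlen < 2 or pos + tlen > len(data):
            raise ValueError("bad length %d at offset %d" % (tlen, pos))
        items.append((ttype, tlen, data[pos + 2:pos + tlen]))
        pos += tlen
    return items

def decode_microsoft_vsas(attr_section: bytes):
    """Return Microsoft vendor sub-attributes found in a RADIUS attribute section.
    Each entry keeps vendor-type, vendor-length and raw payload; 4-byte payloads
    are also decoded as big-endian integers, the RFC 2548 encoding for integers."""
    found = []
    for atype, _, value in walk_tlv(attr_section):
        if atype != RADIUS_VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("VSA shorter than its Vendor-Id field")
        if struct.unpack("!I", value[:4])[0] != VENDOR_ID_MICROSOFT:
            continue  # some other vendor's VSA; not interpreted here
        for vtype, vlen, payload in walk_tlv(value, 4):
            entry = {"type": vtype, "length": vlen, "raw": payload}
            if len(payload) == 4:
                entry["value"] = struct.unpack("!I", payload)[0]
            found.append(entry)
    return found

# Constructed sample attribute section: a Reply-Message (18) followed by one
# Vendor-Specific attribute (26, total length 12) carrying Vendor-Id 311 and a
# single sub-attribute of type 54, length 6, integer value 1.
SAMPLE_ATTRS = (bytes([18, 8]) + b"denied"
                + bytes([26, 12]) + struct.pack("!I", VENDOR_ID_MICROSOFT)
                + bytes([54, 6]) + struct.pack("!I", 1))
```

Running `decode_microsoft_vsas(SAMPLE_ATTRS)` yields a single entry with type 54, length 6 and value 1, which is what the switch log in the question shows; to look up the name of a Microsoft sub-type beyond RFC 2548, consult Microsoft's own RADIUS attribute documentation rather than the RFC.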


All replies


    NAP will not work with 'plain' EAP-TLS - you must use PEAP-TLS - the outer method must be PEAP, currently.

    There is a guide located at http://www.microsoft.com/nap, titled: Step By Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab


    Please take a look at that, then post back if you have further questions...




    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" to make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, July 16, 2007 5:04 PM
  • I am also facing a similar issue to the one referred to in this thread. In my setup, I want to use:

    1. Windows 2012 as the RADIUS server for EAP-TLS clients

    2. My own certificates: root, server and client

    3. I know that I have to configure NPS for:

    • A RADIUS client, which is an 802.1X-capable Cisco switch
    • I have to add a CRP, connection request policy
    • I have to add an NP, network policy
    • I have to somehow provide my certificates to Windows Server 2012 R2, but I don't know where and how. I tried adding them via MMC, but there are some issues with Windows: it reports some TRUST error in the Wireshark logs when I connect a supplicant (which sends client certificates to Windows Server 2012 via the Cisco switch).



    Monday, October 10, 2016 5:13 PM