Cannot Authenticate to NPS RADIUS on XP using Computer Certificate

  • Question

  • I have set up a 2 Tier PKI on Server 2008 R2 with a Stand Alone Offline Root CA (Key length 4096 - SHA1) and Enterprise Issuing CA (Key Length 2048 - SHA1). I have also installed NPS on the Issuing CA server, enrolled a certificate using RAS and IAS Template version 2, and configured a Secure Wireless Connections Policy. I have configured the policy to use EAP authentication.

    I duplicated the Workstation Authentication template and enrolled on test laptops. Windows 7 authenticates to the AP with no issue. XP brings up the message bubble "Windows was unable to find a certificate to log you on to the network". From what I have read, this is because it is looking for a User certificate, so I created a GPO with a Wireless Network XP policy, and set authentication mode to Computer only. All other settings were left at default. I rebooted, the GPO was applied, but wireless just continues to try to authenticate without any error message.

    I then tried to authenticate using a User certificate, modified the GPO, and enrolled a User certificate, but still the same results.

    I have read through several threads on this issue, but can't seem to find an answer that solves my issue. At this stage, I am thinking it may be due to the Root CA using Key length 4096, but this is not something I can change without uninstalling and re-installing my PKI. If there is some documentation that indicates this is the cause, then I guess I will have no choice, but if anyone has any other ideas as to what the cause may be, I would appreciate the feedback.

    • Moved by Aiden_Cao Monday, October 15, 2012 2:48 AM right forum (From: Network Infrastructure Servers)
    Friday, October 12, 2012 1:56 AM

Answers

  • Hello

    I ended up getting support with MS. This issue was resolved by unchecking "Deterministic Network Enhancer" in the Wireless Network Properties. As soon as I unchecked that, the XP Client connected.

    During the troubleshooting stages, I ended up uninstalling my two tier PKI and installing a single Enterprise Root using 2048 Key Length. After finding the cause of the issue, I reinstalled my two tier PKI using 4096 key length for Root CA and 2048 for Issuing CA, and all is still OK.

    Thanks for everyone's input in this.

    Cheers

    Glenn

    • Proposed as answer by Ace Fekay [MCT] Monday, November 12, 2012 5:22 AM
    • Marked as answer by Aiden_Cao Monday, November 12, 2012 6:42 AM
    Monday, November 12, 2012 5:03 AM

All replies

  • I also think it's due to the key length. You can adjust that for the cert when you create the template. Here was my implementation using PEAP, 2003 IAS and XP, and a couple of other threads on it:

    802.1x Wireless Implementation
    http://blogs.msmvps.com/acefekay/2012/09/28/802-1x-wireless-implementation/

    Thread: "Event ID 13 - Autoenrollment Error"
    Good discussion on certificate template settings
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/689081ab-b95f-4667-9bef-26ba94d8e980

    Thread: "Windows XP Wireless GPO rollout" 9/9/2012
    Good outline on wireless 802.1x in a post by Lawrence Lv
    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/63e204e1-5683-44ff-bf38-6b7fd5e18428


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Proposed as answer by James McIllece Friday, October 12, 2012 8:05 PM
    • Unproposed as answer by Glenn Tess Sunday, October 14, 2012 11:13 PM
    Friday, October 12, 2012 2:58 PM
  • Hi Ace

    Thanks for the reply, and the links.

    I changed the user and computer certificate templates to use minimum 1024 key length, re-enrolled, and tried again, but I'm still getting the same results. It just continues trying to authenticate and stops. It's not even showing any logs in Event Viewer on the NPS server. However, if I remove the user from the group that has access to authenticate, I start seeing NPS events for denied access. Are there any other log files I can check?

    Cheers
    Glenn

    Sunday, October 14, 2012 11:18 PM
  • Did you check the NPS logs?

    I went through those hurdles, too, so with yours, I don't know. The steps in my file are the steps that work after resolving initial problems with authentication. The issue could be in the AP settings, where mine were. I used Kiwi IAS log reader to read the IAS logs to help me nail it down. It works for NPS, too, since the logs use an industry standard format. There are other "free trial versions" available.

    Troubleshooting tools to use with IAS
    http://technet.microsoft.com/en-us/library/cc785701(v=ws.10).aspx

    Kiwi IAS/NPS log viewer
    Note - I've never downloaded anything from this site. It appears ok, but if you don't feel comfortable with it, search for a different source.
    http://www.filehungry.com/product/windows_software/network_&_internet/network_monitors/kiwi_log_viewer__lin_/

    MICROSOFT IAS/NPS
    http://www.sawmill.net/formats/ias.html
    DOWNLOAD SAWMILL
    http://www.sawmill.net/cgi-bin/download.pl


    Ace Fekay

    Monday, October 15, 2012 2:41 AM
  • I had a look through your guide. The only real relevant difference in configuration is the key size: you have used 1024 for Root and Issuing, where I have used 4096 for Root and 2048 for Issuing. I also noticed the comment about Cisco only supporting 1024 key length; however, the Windows 7 laptop connects without any issue, so I'm thinking if my issue is related to certificate compatibility, it is with something in XP, and not the Cisco hardware. Just a thought.

    In my scenario, since Windows 7 works, I don't think the issue is in the AP settings.

    I will have a look at the troubleshooting tools you have referenced.

    Cheers

    Monday, October 15, 2012 2:59 AM
  • The AP 1231 only supported 1024 at that time. I don't know what the new ones support.

    I assume you installed the Root CA cert on the NPS server.


    Ace Fekay

    Monday, October 15, 2012 3:08 AM
  • Yeah Root CA cert installed on NPS.

    I've downloaded and installed this Kiwi log viewer on the NPS server. Do you know where the log files are I need to monitor?

    Monday, October 15, 2012 3:46 AM
  • If you go into the NPS logging properties, you can choose where to store the logs. IIRC, they were in system32\logs folder, but double check your configuration.

    NPS Logging:
    http://technet.microsoft.com/en-us/library/ee663944(v=ws.10).aspx

    IAS logging:
    http://technet.microsoft.com/en-us/library/cc739313(v=ws.10).aspx

    Technet thread: "NPS Log file"
    http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/3a65ee4a-eff4-41f6-b4a9-da116cab9b31/


    Ace Fekay

    • Proposed as answer by Aiden_Cao Tuesday, October 16, 2012 3:26 AM
    • Unproposed as answer by Glenn Tess Tuesday, October 16, 2012 4:55 AM
    Monday, October 15, 2012 5:43 PM
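    Ace's two posts above point at the NPS/IAS log file as the place to look, and Glenn's symptom was that the log showed nothing for the failing XP client while it did show rejects once the user was removed from the authorised group. The following is an added example, not code from the thread, from Kiwi or from Sawmill: a stdlib-only Python parser for NPS database-format ("IAS" format) log records, the comma-separated format with six fixed header fields followed by attribute-id/value pairs, that tallies Access-Accept and Access-Reject per user and translates the Reason-Code. The log lines in `SAMPLE_LOG` are constructed; the attribute ids (4136 Packet-Type, 4142 Reason-Code, 4127 Authentication-Type, 4128 Client-Friendly-Name) and the reason-code texts are my reading of Microsoft's NPS database log documentation, so verify them against the version you run.

```python
"""Tally authentication verdicts from NPS/IAS database-format log records.

Added example for this thread, not code from the posters, Kiwi or Sawmill.
The NPS database ("IAS") format is one comma-separated record per packet:
six fixed header fields (NAS-IP-Address, User-Name, Record-Date,
Record-Time, Service-Name, Computer-Name) followed by attribute-id/value
pairs.  Attribute ids below follow that format as documented by Microsoft;
the log lines in SAMPLE_LOG are constructed, not captured from a server.
"""
from collections import defaultdict

PACKET_TYPE = "4136"           # 1 Access-Request, 2 Accept, 3 Reject, 11 Challenge
REASON_CODE = "4142"           # present on Accept/Reject records
AUTH_TYPE = "4127"             # 5 = EAP (EAP-TLS is logged as EAP), 11 = PEAP
CLIENT_FRIENDLY_NAME = "4128"  # the RADIUS client (the AP) as named in NPS

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request", "5": "Accounting-Response",
                "11": "Access-Challenge"}
AUTH_TYPES = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAP v2",
              "5": "EAP", "7": "None", "11": "PEAP"}
# A few NPS reason codes that matter when certificate clients are rejected
# (paraphrased from the NPS documentation; extend as needed).
REASON_TEXT = {"0": "success",
               "16": "authentication failed (credentials mismatch)",
               "22": "EAP type cannot be processed by the server",
               "48": "no network policy matched the request",
               "65": "remote access permission denied",
               "66": "authentication method not enabled in matching policy"}

# Constructed sample: a Windows 7 machine accepted, a user denied by policy,
# and an XP machine rejected because the server could not process its EAP type.
SAMPLE_LOG = """\
10.0.0.5,CONTOSO\\WIN7-01$,10/15/2012,09:12:03,IAS,NPS01,4128,AP-FLOOR2,4127,5,4136,1
10.0.0.5,CONTOSO\\WIN7-01$,10/15/2012,09:12:04,IAS,NPS01,4128,AP-FLOOR2,4127,5,4136,2,4142,0
10.0.0.5,CONTOSO\\glenn,10/15/2012,09:14:51,IAS,NPS01,4128,AP-FLOOR2,4127,5,4136,1
10.0.0.5,CONTOSO\\glenn,10/15/2012,09:14:51,IAS,NPS01,4128,AP-FLOOR2,4127,5,4136,3,4142,65
10.0.0.5,CONTOSO\\XP-01$,10/15/2012,09:20:10,IAS,NPS01,4128,AP-FLOOR2,4127,5,4136,1
10.0.0.5,CONTOSO\\XP-01$,10/15/2012,09:20:10,IAS,NPS01,4128,AP-FLOOR2,4127,5,4136,3,4142,22
"""


def parse_ias_line(line):
    """Split one record into its six header fields and an attribute dict."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < 6:
        raise ValueError("not an IAS-format record: %r" % line)
    rec = dict(zip(("nas_ip", "user", "date", "time", "service", "server"), fields))
    pairs = fields[6:]
    # Pairs are id,value; a dangling odd field is ignored rather than guessed at.
    rec["attrs"] = {pairs[i]: pairs[i + 1] for i in range(0, len(pairs) - 1, 2)}
    return rec


def classify(rec):
    """Translate the numeric attributes of one record into readable labels."""
    a = rec["attrs"]
    reason = a.get(REASON_CODE)
    return {
        "user": rec["user"],
        "client": a.get(CLIENT_FRIENDLY_NAME, "?"),
        "packet": PACKET_TYPES.get(a.get(PACKET_TYPE), "unknown"),
        "auth": AUTH_TYPES.get(a.get(AUTH_TYPE), "unknown"),
        "reason": None if reason is None else REASON_TEXT.get(reason, "reason code " + reason),
    }


def summarise(lines):
    """Per user: how many requests arrived and how NPS answered them."""
    out = defaultdict(lambda: {"requests": 0, "accepts": 0, "rejects": 0, "reasons": []})
    for line in lines:
        if not line.strip():
            continue
        c = classify(parse_ias_line(line))
        entry = out[c["user"]]
        if c["packet"] == "Access-Request":
            entry["requests"] += 1
        elif c["packet"] == "Access-Accept":
            entry["accepts"] += 1
        elif c["packet"] == "Access-Reject":
            entry["rejects"] += 1
            entry["reasons"].append(c["reason"])
    return dict(out)


if __name__ == "__main__":
    for user, e in summarise(SAMPLE_LOG.splitlines()).items():
        print("%-20s requests=%d accepts=%d rejects=%d %s"
              % (user, e["requests"], e["accepts"], e["rejects"], "; ".join(e["reasons"])))
```

    Read the summary the way a defender would: a user with rejects gets a reason code that names the failing policy or authentication check; a user with requests and no verdict means the EAP exchange started but never finished; and a client that appears nowhere in the log never got an Access-Request forwarded by the AP, which places the fault on the supplicant or the AP rather than on the network policy, consistent with Glenn seeing no NPS events at all until he removed the user from the authorised group.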
  • I used IAS log viewer to view the log file, however it doesn't provide any reason for the failed authentication.

    I uninstalled PKI and re-installed giving the Root CA 2048 Key length, but it still doesn't work using user or computer certificate on XP.

    Just to test that I can authenticate at all with an XP machine, I changed the authentication method in NPS to use PEAP, and was able to authenticate with the logged-on user's credentials automatically; however, this does not solve my problem.

    I just can't figure out why my XP machines won't authenticate using a computer / user certificate. Surely it can't be a compatibility issue with Cisco and key length, as it works on Windows 7. The AP must be configured right also. Running out of ideas at this stage.

    Tuesday, October 16, 2012 3:47 AM
  • It still has to go through the AP. Tell you what, with our 24/7 Gold contract, I had Cisco assist me with this. They even assisted me on the Windows IAS side, as well as the cert settings in some cases. I assume you have a 24/7 on it?

    Ace Fekay

    Tuesday, October 16, 2012 6:14 AM
  • Hi Glenn,

    There is a huge difference between XP SP3 and Windows XP SP2 or earlier.

    If you are using XP SP2 or earlier check Cisco documentation for legacy support mode regarding authentication.

    Regards,

    Marko

    Tuesday, October 23, 2012 12:00 AM
  • Hi Marko

    Thanks for the comment.

    We are using XP SP3. I've raised a support request with Cisco to see if they can assist diagnosing some of the logs and packet captures I have taken. Just waiting for them to come back to me.

    Cheers

    Glenn

    Tuesday, October 23, 2012 1:48 AM
  • Thank you for the update and resolution. Interesting resolution. I don't think any one of us would have thought of that. Glad it's all resolved!

    Ace Fekay

    Monday, November 12, 2012 5:24 AM