802.1x cannot BB 9360 in Server 2008 R2

  • Question


    I have a Server 2008 R2 SP1 with NAP wireless 802.1x installed with an access point. Laptops, iPads and smartphones are connecting without problems, but not the BB 9360.

    The error in the IAS log for this BB is:

    The message received was unexpected or badly formatted

    We did some tests with a Server 2008 R2 without the service pack and it is working fine for all devices; the problem is only with SP1.

    Is there a hotfix to solve this issue?

    • Edited by huatzipiri Tuesday, July 10, 2012 3:29 PM
    Tuesday, July 10, 2012 3:03 PM

Answers

  • Hi,

    I found this article: http://pcloadletter.co.uk/2011/07/11/cisco-wifi-active-directory-auth/

    I've pasted the pertinent section below. Please check the list of trusted root CAs and see if it is excessively long.

    The Final PKI Hurdle

    Each time I tried to authenticate I got an Schannel Event Log error on the NPS server of “The message received was unexpected or badly formatted.” which exactly matched the symptoms described in Microsoft KB933430, although that was only intended for Windows Server 2003. This was confusing, but according to that article:

    When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

    I had been working on this issue sporadically and I had only got as far as getting the Enterprise CA online before going on holiday. Only later did I make the connection and remember the updated Trusted Root CA pack that I had loaded on in desperation. Consulting the Certificates MMC snap-in I discovered that the server had 304 trusted root CAs instead of nine! Windows Server 2008 and 2008 R2 do have a more generous storage allowance for sending CA certificates in the PEAP handshake but clearly 304 certificates was too much. Using another server as a reference machine I manually deleted all the superfluous CA certificates and I could finally authenticate via wifi!

    -Greg

    Tuesday, July 10, 2012 9:05 PM
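
The root-store check suggested in the answer above can be scripted. This is an added example, not part of the original thread or the linked article: it counts the machine's trusted roots, estimates the size of the issuer list sent in the handshake, and lists roots that a known-good reference server does not have. The reference file name and the 16 KB limit are assumptions to confirm for your environment.

```powershell
# Added example: audit the machine Trusted Root store that Schannel draws on
# when it builds the trusted-issuer list for the PEAP/TLS handshake.
# Written to run on PowerShell 2.0 (the Server 2008 R2 default).
param(
    # Hypothetical file: one thumbprint per line, exported on a known-good server with
    #   Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint }
    [string]$ReferenceFile = '.\reference-roots.txt',
    # Assumed issuer-list size limit in bytes; confirm the value for your OS build.
    [int]$LimitBytes = 16384
)

$roots = @(Get-ChildItem Cert:\LocalMachine\Root)

# Estimate: each issuer is sent as its DER-encoded subject name
# preceded by a 2-byte length field.
$listBytes = 0
foreach ($cert in $roots) {
    $listBytes += $cert.SubjectName.RawData.Length + 2
}

New-Object PSObject -Property @{
    RootCount   = $roots.Count
    IssuerBytes = $listBytes
    LimitBytes  = $LimitBytes
    OverLimit   = ($listBytes -gt $LimitBytes)
} | Format-List RootCount, IssuerBytes, LimitBytes, OverLimit

if (Test-Path $ReferenceFile) {
    $reference = @(Get-Content $ReferenceFile |
        ForEach-Object { $_.Trim().ToUpper() } |
        Where-Object { $_ })

    # Roots present on this server but absent from the reference server.
    # Review each one before removing it; this script changes nothing.
    $roots |
        Where-Object { $reference -notcontains $_.Thumbprint } |
        Sort-Object Subject |
        Format-Table Thumbprint, NotAfter, Subject -AutoSize
} else {
    Write-Warning "Reference file '$ReferenceFile' not found; skipping comparison."
}
```

Run it on the NPS server from an elevated prompt; a root count in the hundreds, as in the quoted article, is the signal to compare against the reference list.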

All replies

  • Hello,

    Same issue here.

    The BB9360 says: "fail to connect to the network"

    I found this KB on RIM's website:

    I hope it will help.

    • Edited by Jay93 Wednesday, March 6, 2013 11:02 AM
    Wednesday, March 6, 2013 11:00 AM