IKEv2 with EAP TLS and "-VerifyServerIdentity"

  • Question

  • Hello!


    I've upgraded our VPN infrastructure to use IKEv2 with EAP TLS (Smart Card authentication) for our users. It works fine, except for one annoying thing.

    When a user tries to connect, he/she has to click on a message that states (approximately, all my client machines are non-English) “Can’t verify the server identity. The certificate is OK. You can connect, if you trust it.” And there is an option to view the certificate’s thumbprint (which is actually the NPS server’s certificate) and connect and cancel buttons. If I press connect, the VPN establishes within a second, and works absolutely fine.

    I’ve tried it with the EAP TLS user certificate (issued to the user by the root domain CA) login / authentication method, with the same result. (But this is not an option for other reasons.)

    We have one CA in the domain, all clients who have to connect are domain members, and the smart card certificate is issued by the domain root CA. The servers’ certificates are also issued by the same CA, and the servers are also domain members.

    The clients have the domain root CA’s certificate in the Trusted Root Certificates store, because they are domain joined. So I don’t understand why the client “can’t verify the server’s identity”.

    Do I have to add the NAP server’s certificate to a specific certificate store on the clients? Or how can I ensure that they can verify it?

    I have tried to create the connection with the New-EapConfiguration variable without the “-VerifyServerIdentity” parameter, and this message disappeared. But if I understand it right, this is not the intended method. This is a security hole right now. Am I right?

    The issue is with this variant:

    $A = New-EapConfiguration -Tls -VerifyServerIdentity

    There is no annoying question with this one:

    $A = New-EapConfiguration -Tls

    And the rest of the connection creation is like this:

    Add-VpnConnection -Name $vname1 -ServerAddress $vip -AllUserConnection -AuthenticationMethod Eap -DnsSuffix $dnss -EncryptionLevel Maximum -IdleDisconnectSeconds 0 -TunnelType Ikev2 -EapConfigXmlStream $A.EapConfigXmlStream -PassThru

    Any ideas on how to solve this issue are appreciated.


    Attila


    Wednesday, October 19, 2016 10:44 PM

Answers

  • Dear Anne,

    Thank you for your answer,

    Unfortunately, adding my NPS/RADIUS server’s FQDN as in its certificate’s “Subject Alternative Name”, or adding the NetBIOS name (as mentioned in the article you linked) as in the certificate’s “Subject” “CN” field, or even adding both separated by a semicolon (;) without spaces between the names, does not have any effect on this situation.

    However, I also checked my Domain Root CA in the list below this field (Trusted Root Certification Authorities), and if the above field contains both names of the NPS server, it works.

    Now I have to deploy this connection to a fairly large number of users. I use a GPO to run a PowerShell script on logon to create this connection. It works fine, the connection is created on the test machines, but which variable or method should I use to set these two settings? I really don’t want to sit in front of nearly a hundred notebooks to type and click these settings. (If this is not the right thread for this, please advise me where to post my question.)

    Thank you again for the help,

    Attila
    Thursday, October 20, 2016 7:33 PM
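The two settings Attila ticks by hand (the "Connect to these servers" list and the trusted root CA) live inside the EAP XML that New-EapConfiguration returns, so a logon script can set them and then pass the edited XML to Add-VpnConnection exactly as in the original command. The script below is an added example, not code from the thread or from Microsoft; it covers both the original question (-VerifyServerIdentity with nothing to verify against produces the prompt) and the follow-up (how to script the two fields). The connection name, gateway, DNS suffix, NPS names and CA subject are placeholder assumptions, and the XML element names and namespaces are those of the EapTlsConnectionPropertiesV1/V2 schema that the cmdlet emits; the space-separated lowercase hex form of the thumbprint follows Microsoft's published VPN profile samples.

```powershell
# Added example (not from the original post). All names below are assumptions.
$vname1    = 'Corp-IKEv2'                                   # assumed connection name
$vip       = 'vpn.example.com'                              # assumed VPN gateway FQDN
$dnss      = 'corp.example.com'                             # assumed DNS suffix
$npsNames  = 'nps1.corp.example.com;nps2.corp.example.com'  # assumed NPS FQDNs: semicolon-separated, no spaces
$caSubject = 'CN=Corp Root CA'                              # assumed Subject of the domain root CA

# 1. Resolve the root CA thumbprint from the machine's own Root store (clients are domain joined,
#    so it is present). If the CA has been renewed, take the certificate that expires last.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $caSubject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $rootCa) { throw "Root CA '$caSubject' not found in Cert:\LocalMachine\Root" }

# TrustedRootCA carries the SHA-1 thumbprint as space-separated lowercase hex bytes
$thumb = ($rootCa.Thumbprint -replace '(..)', '$1 ').Trim().ToLower()

# 2. Start from the cmdlet's own XML. With -VerifyServerIdentity it enables server validation
#    but leaves ServerNames empty and sets no trusted CA, which is why the client asks the user.
$eap = New-EapConfiguration -Tls -VerifyServerIdentity
[xml]$xml = $eap.EapConfigXmlStream

$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('tls',   'http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1')
$ns.AddNamespace('tlsV2', 'http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2')

$sv = $xml.SelectSingleNode('//tls:ServerValidation', $ns)
if (-not $sv) { throw 'ServerValidation element not found in the generated EAP XML' }

# "Connect to these servers": the NPS certificate's CN/SAN must match one of these names
$sv.SelectSingleNode('tls:ServerNames', $ns).InnerText = $npsNames

# "Trusted Root Certification Authorities": tick the domain root CA by thumbprint
$trusted = $sv.SelectSingleNode('tls:TrustedRootCA', $ns)
if (-not $trusted) {
    $trusted = $xml.CreateElement('TrustedRootCA', $ns.LookupNamespace('tls'))
    $sv.AppendChild($trusted) | Out-Null
}
$trusted.InnerText = $thumb

# Do not let the user click through a failed validation: fail the connection instead.
# (This is the "Don't prompt user to authorize new servers or trusted CAs" checkbox.)
$sv.SelectSingleNode('tls:DisableUserPromptForServerValidation', $ns).InnerText = 'true'

# Sanity check before touching the phonebook
$perform = $xml.SelectSingleNode('//tlsV2:PerformServerValidation', $ns)
if ($perform -and $perform.InnerText -ne 'true') { throw 'Server validation is not enabled' }

# 3. Create the connection with the edited XML (same parameters as in the question).
#    -AllUserConnection writes the all-users phonebook and needs an elevated context.
Add-VpnConnection -Name $vname1 -ServerAddress $vip -AllUserConnection -AuthenticationMethod Eap `
    -DnsSuffix $dnss -EncryptionLevel Maximum -IdleDisconnectSeconds 0 -TunnelType Ikev2 `
    -EapConfigXmlStream $xml -PassThru
```

The edited XML is the whole configuration, so `$xml.OuterXml` can be saved once on a test machine and replayed on every client, which also makes the deployed server list and CA thumbprint reviewable in version control. Dropping -VerifyServerIdentity, as tried in the question, removes the prompt by removing the check rather than satisfying it; with the names and CA pinned and the prompt disabled, a client that reaches a server presenting any other certificate fails to connect instead of asking the user.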

All replies

  • Hi la_bala_hun,

    Please add the FQDN of your RADIUS server to the list of "Connect to these servers":

    You may check the following article for the detailed usage of this setting:

    https://technet.microsoft.com/en-us/library/hh945104(v=ws.11).aspx

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 20, 2016 9:08 AM
  • Hi la_bela_hun,

    >However, I also checked in the list below this field (Trusted Root Certification Authorities) my Domain Root CA and if the above filed contains booth the names of the NPS server it works.

    Theoretically, the issue is due to the clients being unable to trust the NPS server used for authentication; the suggestion I provided above and the solution you used yourself both serve to trust the NPS server.

    As for how to deploy the settings to multiple computers, this may require a script. I am sorry that I am unable to provide help on how to deploy this to multiple machines easily.

    Best Regards,

    Anne



    Tuesday, November 1, 2016 8:49 AM