DOT1X TLS1.2 issues

  • Question

  • Good morning everyone. I am hoping by sharing this here some of your brilliant minds can help me solve an issue we are facing. I am configuring 802.1x/DOT1X on Server 2016 using Network Policy Server (NPS). I have the NPS constraints and settings configured properly. Frames should originate from a wired connection and users should be members of the "Domain Users" group.

    On the Authentication Client I am using a Cisco 2960 with the latest commands...

    ! Assumed prerequisites not shown in the post: "aaa new-model" and
    ! "dot1x system-auth-control" must be enabled globally for this to apply.
    aaa authentication dot1x default group NPS-group

    ! Server group referenced by the dot1x method list above
    aaa group server radius NPS-group
     server name NPS

    ! The NPS host; the key must match the RADIUS client shared secret in NPS
    radius server NPS
     address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
     key cisco

    I have also enabled authentication open, port-control auto, and pae authenticator on appropriate ports. The server is on a virtual machine using an external switch. When I use a protocol analyzer I can see the "Radius-Request" and "Radius-Challenge" on the server side. On the host I see the EAP connection, client hello, and TLS1.2 handshake, then it drops and requests identity again. I have tested fixes such as creating a DWORD reg value Tlssetting that forced TLS 1.0, then 1.1, and 1.2, but still no luck. Also, the DC and NPS are on different virtual machines. I even tried creating the reg value which disabled client-side cert validation. Anyone have a similar issue?

    In a lab environment using a physical server where the AD/DS and NPS reside together it works with no issues. 

    • Edited by Th0rv4l Tuesday, February 26, 2019 3:37 PM
    Tuesday, February 26, 2019 3:34 PM
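The post describes watching the Access-Request / Access-Challenge exchange and the EAP-TLS ClientHello in a protocol analyzer. The script below is an added example, not code from the original post, from Cisco, or from Microsoft: it builds a constructed Access-Request of the kind the 2960 sends to NPS (a supplicant's EAP-Response/EAP-TLS carrying a TLS 1.2 ClientHello, split across two EAP-Message attributes as RFC 3579 allows) and then checks the things a practitioner would want to confirm from a capture: that the Message-Authenticator verifies against the shared secret, that NAS-Port-Type is Ethernet (what the "wired" NPS condition matches), and which TLS version the client actually offered. The shared secret "cisco" and UDP port 1812 come from the posted switch config; the user name, RADIUS identifier, cipher suite and fragment size are assumptions.

```python
"""Build and inspect a RADIUS Access-Request carrying EAP-TLS (added example)."""
import hmac
import hashlib
import os
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_ETHERNET = 15            # value the "wired" NPS condition expects

EAP_RESPONSE = 2
EAP_TYPE_TLS = 13
EAP_TLS_FLAG_LENGTH_INCLUDED = 0x80    # L bit: 4-byte TLS message length follows

TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 1
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def _attr(atype, value):
    """One RADIUS attribute: type, total length, value."""
    return bytes([atype, len(value) + 2]) + value


def build_client_hello(client_version=0x0303):
    """Constructed minimal TLS ClientHello record (one cipher suite, no extensions)."""
    body = struct.pack("!H", client_version) + os.urandom(32)   # version + random
    body += b"\x00"                                              # empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"                   # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                                          # compression: null only
    handshake = bytes([TLS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # Record-layer version stays 0x0301 for compatibility; the real offer is client_version.
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def build_eap_tls_response(eap_id, tls_data):
    """EAP-Response/EAP-TLS (RFC 5216) with the L flag and TLS message length."""
    payload = bytes([EAP_TYPE_TLS, EAP_TLS_FLAG_LENGTH_INCLUDED])
    payload += struct.pack("!I", len(tls_data)) + tls_data
    return bytes([EAP_RESPONSE, eap_id]) + struct.pack("!H", 4 + len(payload)) + payload


def build_access_request(secret, user, eap_packet, radius_id=7, frag=40):
    """Wrap an EAP packet the way the switch does: EAP-Message fragments plus a
    Message-Authenticator (RFC 3579 3.2: HMAC-MD5 over the packet with that
    attribute's value zeroed, keyed with the shared secret)."""
    authenticator = os.urandom(16)                                # Request Authenticator
    attrs = _attr(ATTR_USER_NAME, user.encode())
    attrs += _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    for i in range(0, len(eap_packet), frag):                     # assumed fragment size
        attrs += _attr(ATTR_EAP_MESSAGE, eap_packet[i:i + frag])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))         # placeholder, last attr
    header = bytes([RADIUS_ACCESS_REQUEST, radius_id]) + struct.pack("!H", 20 + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret.encode(), packet, hashlib.md5).digest()
    return packet[:-16] + mac                                     # fill in the HMAC


def parse_radius(packet):
    """Split a RADIUS packet into header fields and (type, value) attributes."""
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": rid, "authenticator": packet[4:20], "attrs": attrs}


def verify_message_authenticator(packet, secret):
    """True if the Message-Authenticator was computed with this shared secret."""
    pos = 20
    for atype, value in parse_radius(packet)["attrs"]:
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret.encode(), zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False                        # EAP requests must carry one (RFC 3579 3.3)


def is_wired(msg):
    """Does NAS-Port-Type say Ethernet, as the NPS 'wired' condition requires?"""
    return any(t == ATTR_NAS_PORT_TYPE and struct.unpack("!I", v)[0] == NAS_PORT_TYPE_ETHERNET
               for t, v in msg["attrs"])


def reassemble_eap(msg):
    """Concatenate EAP-Message fragments in order (RFC 3579 3.1)."""
    return b"".join(v for t, v in msg["attrs"] if t == ATTR_EAP_MESSAGE)


def describe_eap_tls(eap):
    """Report EAP header fields and, for a ClientHello, the TLS versions seen."""
    code, eap_id, length = struct.unpack("!BBH", eap[:4])
    info = {"eap_code": code, "eap_id": eap_id, "eap_type": eap[4], "tls": None}
    if length != len(eap) or eap[4] != EAP_TYPE_TLS:
        return info
    tls = eap[10:] if eap[5] & EAP_TLS_FLAG_LENGTH_INCLUDED else eap[6:]
    if len(tls) >= 11 and tls[0] == TLS_HANDSHAKE:
        rec_ver = struct.unpack("!H", tls[1:3])[0]
        hs_type = tls[5]                                  # after the 5-byte record header
        client_ver = struct.unpack("!H", tls[9:11])[0] if hs_type == TLS_CLIENT_HELLO else None
        info["tls"] = {"record_version": TLS_VERSIONS.get(rec_ver, hex(rec_ver)),
                       "handshake_type": hs_type,
                       "client_version": TLS_VERSIONS.get(client_ver, hex(client_ver))
                       if client_ver is not None else None}
    return info


if __name__ == "__main__":
    eap = build_eap_tls_response(3, build_client_hello())
    pkt = build_access_request("cisco", "CORP\\alice", eap)   # constructed user name
    msg = parse_radius(pkt)
    print("secret ok:", verify_message_authenticator(pkt, "cisco"), "wired:", is_wired(msg))
    print(describe_eap_tls(reassemble_eap(msg)))
```

A capture where the ClientHello shows "TLS 1.2" in client_version but the switch's next frame is a fresh EAP-Request/Identity means NPS never returned an Access-Challenge with a ServerHello, so the place to look is the NPS side (its event log and the EAP/TLS settings on that server), not the switch or the supplicant.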

All replies