802.1X certificate-based W-LAN access for user and device with NPS and Windows CA (EAP-TLS)

  • Question

  • Hello Community,

    I have a problem with certificate-based W-LAN access with device AND user certificates from a two-tier PKI infrastructure.

    First to the infrastructure:

    • Four domain controllers running Windows Server 2012 R2
    • One of them has NPS installed
    • One Cisco WTC W-LAN controller as RADIUS client
    • Two-tier PKI (offline Root CA and Active Directory-integrated issuing Sub CA)
    • The domain controller with NPS has a certificate installed from the issuing CA (DomainController template) that is used for RADIUS
    • The client computer (domain member) has a computer certificate from the issuing CA in the local certificate store in the computer context
    • The user on the client PC has a user certificate from the issuing CA in the local certificate store in the user context
    • On all systems the certificate chain is without errors/warnings

    Now to the problem:
    When I configure rules in RADIUS for certificate-based authentication, W-LAN access with EAP-TLS works only for the computer account and not for the user. The option "smart cards or certificates" is set as the only option. One group with computer accounts and one group with user accounts are added as conditions.

    The certificate for the NPS server has the following Extended Key Usage:

    • Server Authentication (1.3.6.1.5.5.7.3.1)
    • Client Authentication (1.3.6.1.5.5.7.3.2)

    The client certificate has the following Extended Key Usage:

    • Server Authentication (1.3.6.1.5.5.7.3.1)
    • Client Authentication (1.3.6.1.5.5.7.3.2)

    The user account in Active Directory is set to "Control access through NPS Network Policy" in dial-in properties.

    Here are some logs from the client with a failed attempt to connect to the W-LAN with user AND computer account certificate as criteria. Hope some of you can help.

    [1172] 10-25 11:32:05:886: PeapReadConnectionData
    [1172] 10-25 11:32:05:886: IsIdentityPrivacyInPeapConnPropValid
    [1172] 10-25 11:32:05:886: PeapReadUserData
    [1172] 10-25 11:32:05:886: No Credentails passed
    [1172] 10-25 11:32:05:886: RasEapGetInfo
    [1172] 10-25 11:32:05:886: EAP-TLS using All-purpose cert
    [1172] 10-25 11:32:05:886:  Self Signed Certificates will not be selected.
    [1172] 10-25 11:32:05:886: EAP-TLS will accept the  All-purpose cert
    [1172] 10-25 11:32:05:886: EapTlsInitialize2: PEAP using All-purpose cert
    [1172] 10-25 11:32:05:886: PEAP will accept the  All-purpose cert
    [1172] 10-25 11:32:05:886: PeapGetIdentity returned the identity as host/ComputerAccount.domain.tld
    [1172] 10-25 11:32:05:886: EAP-TLS using All-purpose cert
    [1172] 10-25 11:32:05:886:  Self Signed Certificates will not be selected.
    [1172] 10-25 11:32:05:886: EAP-TLS will accept the  All-purpose cert
    [1172] 10-25 11:32:05:886: EapTlsInitialize2: PEAP using All-purpose cert
    [1172] 10-25 11:32:05:886: PEAP will accept the  All-purpose cert
    [1172] 10-25 11:32:05:886: PeapReadConnectionData
    [1172] 10-25 11:32:05:886: IsIdentityPrivacyInPeapConnPropValid
    [1172] 10-25 11:32:05:886: PeapReadUserData
    [1172] 10-25 11:32:05:886: No Credentails passed
    [1172] 10-25 11:32:05:886: RasEapGetInfo
    [1172] 10-25 11:32:05:886: EAP-TLS using All-purpose cert
    [1172] 10-25 11:32:05:886:  Self Signed Certificates will not be selected.
    [1172] 10-25 11:32:05:886: EAP-TLS will accept the  All-purpose cert
    [1172] 10-25 11:32:05:886: EapTlsInitialize2: PEAP using All-purpose cert
    [1172] 10-25 11:32:05:886: PEAP will accept the  All-purpose cert
    [1172] 10-25 11:32:05:886: PeapGetIdentity returned the identity as host/ComputerAccount.domain.tld
    [1172] 10-25 11:32:05:886: EAP-TLS using All-purpose cert
    [1172] 10-25 11:32:05:886:  Self Signed Certificates will not be selected.
    [1172] 10-25 11:32:05:886: EAP-TLS will accept the  All-purpose cert
    [1172] 10-25 11:32:05:886: EapTlsInitialize2: PEAP using All-purpose cert
    [1172] 10-25 11:32:05:886: PEAP will accept the  All-purpose cert
    [1172] 10-25 11:32:05:886: EapPeapBegin
    [1172] 10-25 11:32:05:886: EapPeapBegin - flags(0xa0)
    [1172] 10-25 11:32:05:886: PeapReadConnectionData
    [1172] 10-25 11:32:05:886: IsIdentityPrivacyInPeapConnPropValid
    [1172] 10-25 11:32:05:886: PeapReadUserData
    [1172] 10-25 11:32:05:886:
    [1172] 10-25 11:32:05:886: EapTlsBegin(host/ComputerAccount.domain.tld)
    [1172] 10-25 11:32:05:886: SetupMachineChangeNotification
    [1172] 10-25 11:32:05:886: State change to Initial
    [1172] 10-25 11:32:05:886: EapTlsBegin: Detected 8021X authentication
    [1172] 10-25 11:32:05:886: EapTlsBegin: Detected PEAP authentication
    [1172] 10-25 11:32:05:886: MaxTLSMessageLength is now 16384
    [1172] 10-25 11:32:05:886: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
    [1172] 10-25 11:32:05:886: Force IgnoreRevocationOffline on client
    [1172] 10-25 11:32:05:886: CRYPT_E_REVOCATION_OFFLINE will be ignored
    [1172] 10-25 11:32:05:886: The root cert will not be checked for revocation
    [1172] 10-25 11:32:05:886: The cert will be checked for revocation
    [1172] 10-25 11:32:05:886: Unable to read TLS version registry key, return code 2
    [1172] 10-25 11:32:05:886: EapPeapBegin done
    [1172] 10-25 11:32:05:886: EapPeapMakeMessage
    [1172] 10-25 11:32:05:886: EapPeapCMakeMessage, flags(0x80540)
    [1172] 10-25 11:32:05:886: Cloned PPP_EAP_PACKET packet
    [1172] 10-25 11:32:05:886: PEAP:PEAP_STATE_INITIAL
    [1172] 10-25 11:32:05:886: EapTlsCMakeMessage, state(0) flags (0x5460)
    [1172] 10-25 11:32:05:886: EapTlsReset
    [1172] 10-25 11:32:05:886: State change to Initial
    [1172] 10-25 11:32:05:886: EapGetCredentials
    [1172] 10-25 11:32:05:886: Flag is Machine Auth and Store is local Machine
    [1172] 10-25 11:32:05:886: GetCachedCredentials Flags = 0x5460
    [1172] 10-25 11:32:05:886: FindNodeInCachedCredList, flags(0x5460), default cached creds(0), check thread token(0)
    [1172] 10-25 11:32:05:886: pNode->dwCredFlags = 0x49
    [1172] 10-25 11:32:05:886: No Cert Store.  Guest Access requested
    [1172] 10-25 11:32:05:886: No Cert Name.  Guest access requested
    [1172] 10-25 11:32:05:886: Will validate server cert
    [1172] 10-25 11:32:05:886: MakeReplyMessage
    [1172] 10-25 11:32:05:886: SecurityContextFunction
    [1172] 10-25 11:32:05:886: InitializeSecurityContext returned 0x90312
    [1172] 10-25 11:32:05:886: State change to SentHello
    [1172] 10-25 11:32:05:886: BuildPacket
    [1172] 10-25 11:32:05:886: << Sending Response (Code: 2) packet: Id: 4, Length: 109, Type: 13, TLS blob length: 99. Flags: L
    [1172] 10-25 11:32:05:886: EapPeapCMakeMessage done
    [1172] 10-25 11:32:05:886: EapPeapMakeMessage done
    [1172] 10-25 11:32:05:902: EapPeapMakeMessage
    [1172] 10-25 11:32:05:902: EapPeapCMakeMessage, flags(0x80540)
    [1172] 10-25 11:32:05:902: Cloned PPP_EAP_PACKET packet
    [1172] 10-25 11:32:05:902: PEAP:PEAP_STATE_TLS_INPROGRESS
    [1172] 10-25 11:32:05:902: EapTlsCMakeMessage, state(2) flags (0x5400)
    [1172] 10-25 11:32:05:902: MakeReplyMessage
    [1172] 10-25 11:32:05:902: Reallocating input TLS blob buffer
    [1172] 10-25 11:32:05:902: BuildPacket
    [1172] 10-25 11:32:05:902: << Sending Response (Code: 2) packet: Id: 5, Length: 6, Type: 13, TLS blob length: 0. Flags:
    [1172] 10-25 11:32:05:902: EapPeapCMakeMessage done
    [1172] 10-25 11:32:05:902: EapPeapMakeMessage done
    [1172] 10-25 11:32:05:917: EapPeapMakeMessage
    [1172] 10-25 11:32:05:917: EapPeapCMakeMessage, flags(0x80540)
    [1172] 10-25 11:32:05:917: Cloned PPP_EAP_PACKET packet
    [1172] 10-25 11:32:05:917: PEAP:PEAP_STATE_TLS_INPROGRESS
    [1172] 10-25 11:32:05:917: EapTlsCMakeMessage, state(2) flags (0x5410)
    [1172] 10-25 11:32:05:917: MakeReplyMessage
    [1172] 10-25 11:32:05:917: BuildPacket
    [1172] 10-25 11:32:05:917: << Sending Response (Code: 2) packet: Id: 6, Length: 6, Type: 13, TLS blob length: 0. Flags:
    [1172] 10-25 11:32:05:917: EapPeapCMakeMessage done
    [1172] 10-25 11:32:05:917: EapPeapMakeMessage done
    [1172] 10-25 11:32:05:933: EapPeapMakeMessage
    [1172] 10-25 11:32:05:933: EapPeapCMakeMessage, flags(0x80540)
    [1172] 10-25 11:32:05:933: Cloned PPP_EAP_PACKET packet
    [1172] 10-25 11:32:05:933: PEAP:PEAP_STATE_TLS_INPROGRESS
    [1172] 10-25 11:32:05:933: EapTlsCMakeMessage, state(2) flags (0x5410)
    [1172] 10-25 11:32:05:933: MakeReplyMessage
    [1172] 10-25 11:32:05:933: SecurityContextFunction
    [1172] 10-25 11:32:05:933: InitializeSecurityContext returned 0x90312
    [1172] 10-25 11:32:05:933: State change to SentFinished
    [1172] 10-25 11:32:05:933: BuildPacket
    [1172] 10-25 11:32:05:933: << Sending Response (Code: 2) packet: Id: 7, Length: 144, Type: 13, TLS blob length: 134. Flags: L
    [1172] 10-25 11:32:05:933: EapPeapCMakeMessage done
    [1172] 10-25 11:32:05:933: EapPeapMakeMessage done
    [1172] 10-25 11:32:05:949: EapPeapMakeMessage
    [1172] 10-25 11:32:05:949: EapPeapCMakeMessage, flags(0x80540)
    [1172] 10-25 11:32:05:949: Cloned PPP_EAP_PACKET packet
    [1172] 10-25 11:32:05:949: PEAP:PEAP_STATE_TLS_INPROGRESS
    [1172] 10-25 11:32:05:949: EapTlsCMakeMessage, state(3) flags (0x5400)
    [1172] 10-25 11:32:05:949: MakeReplyMessage
    [1172] 10-25 11:32:05:949: SecurityContextFunction
    [1172] 10-25 11:32:05:949: InitializeSecurityContext returned 0x0
    [1172] 10-25 11:32:05:949: AuthenticateServer flags: 0x5400
    [1172] 10-25 11:32:05:949: DwGetEKUUsage
    [1172] 10-25 11:32:05:949: Number of EKUs on the cert are 1
    [1172] 10-25 11:32:05:949: FCheckUsage: All-Purpose: 1
    [1172] 10-25 11:32:05:949: Checking against the NTAuth store to verify the certificate chain.
    [1172] 10-25 11:32:05:949: CertVerifyCertificateChainPolicy succeeded but returned 0x800b0112.Continuing with root hash matching.
    [1172] 10-25 11:32:05:949: Root CA name: NameOfCa Authority
    [1172] 10-25 11:32:05:949: Found Hash
    [1172] 10-25 11:32:05:949: Server name: NameOfCa Authority
    [1172] 10-25 11:32:05:949: Server name specified:
    [1172] 10-25 11:32:05:949: Server name validation is disabled
    [1172] 10-25 11:32:05:949: CreateMPPEKeyAttributes
    [1172] 10-25 11:32:05:949: State change to RecdFinished
    [1172] 10-25 11:32:05:949: BuildPacket
    [1172] 10-25 11:32:05:949: << Sending Response (Code: 2) packet: Id: 8, Length: 6, Type: 13, TLS blob length: 0. Flags:
    [1172] 10-25 11:32:05:949: EapPeapCMakeMessage done
    [1172] 10-25 11:32:05:949: EapPeapMakeMessage done
    [1172] 10-25 11:32:05:949: EapPeapMakeMessage
    [1172] 10-25 11:32:05:949: EapPeapCMakeMessage, flags(0x80540)
    [1172] 10-25 11:32:05:949: Cloned PPP_EAP_PACKET packet
    [1172] 10-25 11:32:05:949: PEAP:PEAP_STATE_TLS_INPROGRESS
    [1172] 10-25 11:32:05:949: EapTlsCMakeMessage, state(4) flags (0x5408)
    [1172] 10-25 11:32:05:949: Negotiation successful
    [1172] 10-25 11:32:05:949: SetCachedCredentials Flags = 0x5408
    [1172] 10-25 11:32:05:949: AddNodeToCachedCredList, pEapTlsCb->fFlags(0x5408).
    [1172] 10-25 11:32:05:949: FindNodeInCachedCredList, flags(0x5408), default cached creds(0), check thread token(0)
    [1172] 10-25 11:32:05:949: pNode->dwCredFlags = 0x49
    [1172] 10-25 11:32:05:949: GetNewCachedCredListNode
    [1172] 10-25 11:32:05:949: Created a new EAPTLS_CACHED_CREDS,  pNode->dwCredFlags = 0x4a
    [1172] 10-25 11:32:05:949: PeapGetTunnelProperties
    [1172] 10-25 11:32:05:949: Successfully negotiated TLS with following parametersdwProtocol = 0x80, Cipher= 0x6610, CipherStrength=0x100, Hash=0x8004
    [1172] 10-25 11:32:05:949: PeapGetTunnelProperties done
    [1172] 10-25 11:32:05:949: GetTLSSessionCookie
    [1172] 10-25 11:32:05:949: IsTLSSessionReconnect
    [1172] 10-25 11:32:05:949: Full Tls authentication performed
    [1172] 10-25 11:32:05:949: PEAP_STATE_FAST_ROAMING_IDENTITY_REQUEST
    [1172] 10-25 11:32:05:949: PeapClientDecryptTunnelData
    [1172] 10-25 11:32:05:949: IsDuplicatePacket
    [1172] 10-25 11:32:05:949: PeapDecryptTunnelData dwSizeofData = 37, pData = 0x3e771a6
    [1172] 10-25 11:32:05:949: Blob length 37
    [1172] 10-25 11:32:05:949: PeapDecryptTunnelData completed with status 0x0
    [1172] 10-25 11:32:05:949:  Buffer length is 5
    [1172] 10-25 11:32:05:949: IsMsEapTlvPacket
    [1172] 10-25 11:32:05:949: IsEapTLVInsidePEAP
    [1172] 10-25 11:32:05:949: PeapEncryptTunnelData
    [1172] 10-25 11:32:05:949: Blob length 69
    [1172] 10-25 11:32:05:949: PeapEncryptTunnelData completed with status 0x0
    [1172] 10-25 11:32:05:949: EapPeapCMakeMessage done
    [1172] 10-25 11:32:05:949: EapPeapMakeMessage done
    [1172] 10-25 11:32:05:949: EapPeapMakeMessage
    [1172] 10-25 11:32:05:949: EapPeapCMakeMessage, flags(0x80540)
    [1172] 10-25 11:32:05:949: Cloned PPP_EAP_PACKET packet
    [1172] 10-25 11:32:05:949: PEAP:PEAP_STATE_IDENTITY_RESPONSE_SENT
    [1172] 10-25 11:32:05:949: PeapClientDecryptTunnelData
    [1172] 10-25 11:32:05:949: IsDuplicatePacket
    [1172] 10-25 11:32:05:949: PeapDecryptTunnelData dwSizeofData = 85, pData = 0x5b288e6
    [1172] 10-25 11:32:05:949: Blob length 85
    [1172] 10-25 11:32:05:949: PeapDecryptTunnelData completed with status 0x0
    [1172] 10-25 11:32:05:949:  Buffer length is 49
    [1172] 10-25 11:32:05:949: IsMsEapTlvPacket
    [1172] 10-25 11:32:05:949: IsEapTLVInsidePEAP
    [1172] 10-25 11:32:05:949: PeapEncryptTunnelData
    [1172] 10-25 11:32:05:949: Blob length 117
    [1172] 10-25 11:32:05:949: PeapEncryptTunnelData completed with status 0x0
    [1172] 10-25 11:32:05:949: EapPeapCMakeMessage done
    [1172] 10-25 11:32:05:949: EapPeapMakeMessage done
    [1172] 10-25 11:32:05:964: EapPeapMakeMessage
    [1172] 10-25 11:32:05:964: EapPeapCMakeMessage, flags(0x80540)
    [1172] 10-25 11:32:05:964: Cloned PPP_EAP_PACKET packet
    [1172] 10-25 11:32:05:964: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
    [1172] 10-25 11:32:05:964: PeapClientDecryptTunnelData
    [1172] 10-25 11:32:05:964: IsDuplicatePacket
    [1172] 10-25 11:32:05:964: PeapDecryptTunnelData dwSizeofData = 37, pData = 0x3e6f816
    [1172] 10-25 11:32:05:964: Blob length 37
    [1172] 10-25 11:32:05:964: PeapDecryptTunnelData completed with status 0x0
    [1172] 10-25 11:32:05:964:  Buffer length is 11
    [1172] 10-25 11:32:05:964: IsEapTLVInsidePEAP
    [1172] 10-25 11:32:05:964: IsEapTLVInsidePEAP returned true
    [1172] 10-25 11:32:05:964: CheckForUnsupportedMandatoryTLV
    [1172] 10-25 11:32:05:964: GetPEAPTLVStatusMessageValue
    [1172] 10-25 11:32:05:964: Found a result TLV 2
    [1172] 10-25 11:32:05:964: PeapSetTypeUserAttributes
    [1172] 10-25 11:32:05:964: Sending PEAP_Failure
    [1172] 10-25 11:32:05:964: CreatePEAPTLVStatusMessage
    [1172] 10-25 11:32:05:964: PeapEncryptTunnelData
    [1172] 10-25 11:32:05:964: Blob length 37
    [1172] 10-25 11:32:05:964: PeapEncryptTunnelData completed with status 0x0
    [1172] 10-25 11:32:05:964: EapPeapCMakeMessage done
    [1172] 10-25 11:32:05:964: EapPeapMakeMessage done
    [1172] 10-25 11:32:06:963: EapPeapMakeMessage
    [1172] 10-25 11:32:06:963: EapPeapCMakeMessage, flags(0x80540)
    [1172] 10-25 11:32:06:963: Cloned PPP_EAP_PACKET packet
    [1172] 10-25 11:32:06:963: PEAP:PEAP_STATE_PEAP_FAIL_SEND
    [1172] 10-25 11:32:06:963: SetTLSFastReconnect
    [1172] 10-25 11:32:06:963: IsTLSSessionReconnect
    [1172] 10-25 11:32:06:963: Full Tls authentication performed
    [1172] 10-25 11:32:06:963: The session is not setup for fast reconnects.  No need to disable.
    [1172] 10-25 11:32:06:963: RasEapAuthAttributeRemove: received NULL attributeArray, returning
    [1172] 10-25 11:32:06:963: FreeCachedCredentials
    [1172] 10-25 11:32:06:963: FindNodeInCachedCredList, flags(0x5408), default cached creds(0), check thread token(0)
    [1172] 10-25 11:32:06:963: pNode->dwCredFlags = 0x4a
    [1172] 10-25 11:32:06:963: RemoveNodeFromCachedCredList.
    [1172] 10-25 11:32:06:963: RasAuthAttributeConcat
    [1172] 10-25 11:32:06:963: EapPeapCMakeMessage done
    [1172] 10-25 11:32:06:963: EapPeapMakeMessage done
    [1172] 10-25 11:32:06:963: EapPeapEnd
    [1172] 10-25 11:32:06:963: EapTlsEnd
    [1172] 10-25 11:32:06:963: EapTlsEnd(host/ComputerAccount.domain.tld)
    [1172] 10-25 11:32:06:963: EapPeapEnd done
    [5260] 10-25 11:32:10:847: EAP-TLS using All-purpose cert
    [5260] 10-25 11:32:10:847:  Self Signed Certificates will not be selected.
    [5260] 10-25 11:32:10:847: EAP-TLS will accept the  All-purpose cert
    [5260] 10-25 11:32:10:847: EapTlsInitialize2: PEAP using All-purpose cert
    [5260] 10-25 11:32:10:847: PEAP will accept the  All-purpose cert
    [5260] 10-25 11:32:10:847: EapTlsInvokeIdentityUI
    [5260] 10-25 11:32:10:847: GetCertInfo flags: 0xa2
    [5260] 10-25 11:32:10:847: GetDefaultClientMachineCert
    [5260] 10-25 11:32:10:847: FCheckTimeValidity
    [5260] 10-25 11:32:10:847: FCheckUsage: All-Purpose: 1
    [5260] 10-25 11:32:10:847: DwGetEKUUsage
    [5260] 10-25 11:32:10:847: Number of EKUs on the cert are 2
    [5260] 10-25 11:32:10:847: Cert do have CDP but do not have AIA OCSP extension
    [5260] 10-25 11:32:10:847: Found Machine Cert based on machinename, client auth, time validity.
    [5260] 10-25 11:32:10:847: GetDefaultClientMachineCert done.
    [5260] 10-25 11:32:10:847: Got the default Machine Cert
    [5260] 10-25 11:32:10:847: Successfully got certificate. Hash follows
    [5260] 11:32:10:847: 83 C5 4B C6 EA CF 5D 36 11 C9 CC 27 F5 AA 89 E5 |..K...]6...'....|
    [5260] 11:32:10:847: 28 C0 5F A4 00 00 00 00 00 00 00 00 00 00 00 00 |(._.............|
    [5260] 10-25 11:32:10:847: EAP-TLS using All-purpose cert
    [5260] 10-25 11:32:10:847:  Self Signed Certificates will not be selected.
    [5260] 10-25 11:32:10:847: EAP-TLS will accept the  All-purpose cert
    [5260] 10-25 11:32:10:847: EapTlsInitialize2: PEAP using All-purpose cert
    [5260] 10-25 11:32:10:847: PEAP will accept the  All-purpose cert
    [5260] 10-25 11:32:10:847: EAP-TLS using All-purpose cert
    [5260] 10-25 11:32:10:847:  Self Signed Certificates will not be selected.
    [5260] 10-25 11:32:10:847: EAP-TLS will accept the  All-purpose cert
    [5260] 10-25 11:32:10:847: EapTlsInitialize2: PEAP using All-purpose cert
    [5260] 10-25 11:32:10:847: PEAP will accept the  All-purpose cert
    [5260] 10-25 11:32:10:847: EapTlsInvokeIdentityUI
    [5260] 10-25 11:32:10:847: GetCertInfo flags: 0xa2
    [5260] 10-25 11:32:10:847: GetDefaultClientMachineCert
    [5260] 10-25 11:32:10:847: FCheckTimeValidity
    [5260] 10-25 11:32:10:847: FCheckUsage: All-Purpose: 1
    [5260] 10-25 11:32:10:847: DwGetEKUUsage
    [5260] 10-25 11:32:10:847: Number of EKUs on the cert are 2
    [5260] 10-25 11:32:10:847: Cert do have CDP but do not have AIA OCSP extension
    [5260] 10-25 11:32:10:847: Found Machine Cert based on machinename, client auth, time validity.
    [5260] 10-25 11:32:10:847: GetDefaultClientMachineCert done.
    [5260] 10-25 11:32:10:847: Got the default Machine Cert
    [5260] 10-25 11:32:10:847: Successfully got certificate. Hash follows
    [5260] 11:32:10:847: 83 C5 4B C6 EA CF 5D 36 11 C9 CC 27 F5 AA 89 E5 |..K...]6...'....|
    [5260] 11:32:10:847: 28 C0 5F A4 00 00 00 00 00 00 00 00 00 00 00 00 |(._.............|
    [5260] 10-25 11:32:10:847: EAP-TLS using All-purpose cert
    [5260] 10-25 11:32:10:847:  Self Signed Certificates will not be selected.
    [5260] 10-25 11:32:10:847: EAP-TLS will accept the  All-purpose cert
    [5260] 10-25 11:32:10:847: EapTlsInitialize2: PEAP using All-purpose cert
    [5260] 10-25 11:32:10:847: PEAP will accept the  All-purpose cert
    [5260] 10-25 11:32:14:950: EAP-TLS using All-purpose cert
    [5260] 10-25 11:32:14:950:  Self Signed Certificates will not be selected.
    [5260] 10-25 11:32:14:950: EAP-TLS will accept the  All-purpose cert
    [5260] 10-25 11:32:14:950: EapTlsInitialize2: PEAP using All-purpose cert
    [5260] 10-25 11:32:14:950: PEAP will accept the  All-purpose cert
    [5260] 10-25 11:32:14:950: EapTlsInvokeIdentityUI
    [5260] 10-25 11:32:14:950: GetCertInfo flags: 0xa2
    [5260] 10-25 11:32:14:950: GetDefaultClientMachineCert
    [5260] 10-25 11:32:14:950: FCheckTimeValidity
    [5260] 10-25 11:32:14:950: FCheckUsage: All-Purpose: 1
    [5260] 10-25 11:32:14:950: DwGetEKUUsage
    [5260] 10-25 11:32:14:950: Number of EKUs on the cert are 2
    [5260] 10-25 11:32:14:950: Cert do have CDP but do not have AIA OCSP extension
    [5260] 10-25 11:32:14:950: Found Machine Cert based on machinename, client auth, time validity.
    [5260] 10-25 11:32:14:950: GetDefaultClientMachineCert done.
    [5260] 10-25 11:32:14:950: Got the default Machine Cert
    [5260] 10-25 11:32:14:950: Successfully got certificate. Hash follows
    [5260] 11:32:14:950: 83 C5 4B C6 EA CF 5D 36 11 C9 CC 27 F5 AA 89 E5 |..K...]6...'....|
    [5260] 11:32:14:950: 28 C0 5F A4 00 00 00 00 00 00 00 00 00 00 00 00 |(._.............|
    [5260] 10-25 11:32:14:950: EAP-TLS using All-purpose cert
    [5260] 10-25 11:32:14:950:  Self Signed Certificates will not be selected.
    [5260] 10-25 11:32:14:950: EAP-TLS will accept the  All-purpose cert
    [5260] 10-25 11:32:14:950: EapTlsInitialize2: PEAP using All-purpose cert
    [5260] 10-25 11:32:14:950: PEAP will accept the  All-purpose cert
    [1172] 10-25 11:32:14:950: EAP-TLS using All-purpose cert
    [1172] 10-25 11:32:14:950:  Self Signed Certificates will not be selected.
    [1172] 10-25 11:32:14:950: EAP-TLS will accept the  All-purpose cert
    [1172] 10-25 11:32:14:950: EapTlsInitialize2: PEAP using All-purpose cert
    [1172] 10-25 11:32:14:950: PEAP will accept the  All-purpose cert
    [1172] 10-25 11:32:14:950: EapTlsInvokeIdentityUI
    [1172] 10-25 11:32:14:950: GetCertInfo flags: 0xa2
    [1172] 10-25 11:32:14:950: GetDefaultClientMachineCert
    [1172] 10-25 11:32:14:950: FCheckTimeValidity
    [1172] 10-25 11:32:14:950: FCheckUsage: All-Purpose: 1
    [1172] 10-25 11:32:14:950: DwGetEKUUsage
    [1172] 10-25 11:32:14:950: Number of EKUs on the cert are 2
    [1172] 10-25 11:32:14:950: Cert do have CDP but do not have AIA OCSP extension
    [1172] 10-25 11:32:14:950: Found Machine Cert based on machinename, client auth, time validity.
    [1172] 10-25 11:32:14:950: GetDefaultClientMachineCert done.
    [1172] 10-25 11:32:14:950: Got the default Machine Cert
    [1172] 10-25 11:32:14:950: Successfully got certificate. Hash follows
    [1172] 11:32:14:950: 83 C5 4B C6 EA CF 5D 36 11 C9 CC 27 F5 AA 89 E5 |..K...]6...'....|
    [1172] 11:32:14:950: 28 C0 5F A4 00 00 00 00 00 00 00 00 00 00 00 00 |(._.............|
    [1172] 10-25 11:32:14:950: EAP-TLS using All-purpose cert
    [1172] 10-25 11:32:14:950:  Self Signed Certificates will not be selected.
    [1172] 10-25 11:32:14:950: EAP-TLS will accept the  All-purpose cert
    [1172] 10-25 11:32:14:950: EapTlsInitialize2: PEAP using All-purpose cert
    [1172] 10-25 11:32:14:950: PEAP will accept the  All-purpose cert

    Thanks to everyone who has ideas ;-)

    Regards,
    Frank
    • Edited by Rintintin78 Tuesday, October 25, 2016 7:55 PM
    Tuesday, October 25, 2016 7:53 PM

Answers

  • Hi Rintintin,

    1. What is the detailed network policies configured on NPS server?

    2. When you failed to use the user account to connect to the wireless network, what is the error log on the NPS server?

    3. For user certificate, the Subject Alternative Name (SubjectAltName) extension in the certificate should contain the user principal name (UPN) of the user.

    4. For user authentication with EAP-TLS after a network connection is made and the user logs on, you must use a user certificate on the wireless client computer. So, we need to ensure the computer can contact the DC after the first network connection is made.

    Related blog for your reference:

    Creating a secure 802.1x wireless infrastructure using Microsoft Windows

    https://blogs.technet.microsoft.com/networking/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows/

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, October 26, 2016 7:53 AM
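A way to check points 3 and 4 above on the client itself, as an added example that is not part of Anne's reply or the original post: it walks the user and computer personal stores and reports, per certificate, whether it has a private key, the Client Authentication EKU, the identity in the SAN that NPS maps to the AD account (a UPN for a user certificate, a DNS name for a computer certificate) and a chain that builds with online revocation checking. The `Principal Name=` / `DNS Name=` patterns assume the English-language X.509 formatter; on a German-locale client the formatted strings differ and the patterns must be adjusted.

```powershell
# Added example (not from the thread): enumerate EAP-TLS candidate certificates in the
# user and computer stores and explain why each one would or would not be usable.
# Run in a normal user session for the user store and an elevated session for the
# computer store. The SAN patterns below assume the English X.509 formatter.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-EapTlsCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][ValidateSet('User', 'Machine')][string]$Kind
    )
    $problems = @()

    # 1. EAP-TLS needs the private key; a certificate without one is never selected.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # 2. EKU must contain Client Authentication (an absent EKU means all-purpose).
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })) {
        $problems += 'EKU lacks Client Authentication'
    }

    # 3. SAN must carry the identity NPS maps to the account: UPN for users, DNS name for computers.
    $san     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    if ($Kind -eq 'User' -and $sanText -notmatch 'Principal Name=') {
        $problems += 'SAN has no UPN (Other Name: Principal Name)'
    }
    if ($Kind -eq 'Machine' -and $sanText -notmatch 'DNS Name=') {
        $problems += 'SAN has no DNS name'
    }

    # 4. The chain must build with revocation checking, as the EAP client does
    #    ("The cert will be checked for revocation" in the client trace).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        $status = $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
        $problems += ('chain: ' + ($status -join '; '))
    }

    [pscustomobject]@{
        Store      = $Kind
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        SAN        = $sanText
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

$results = @(Get-ChildItem Cert:\CurrentUser\My  | ForEach-Object { Test-EapTlsCertificate -Cert $_ -Kind User }) +
           @(Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-EapTlsCertificate -Cert $_ -Kind Machine })
$results | Format-Table Store, Usable, Subject, SAN, Problems -AutoSize -Wrap
```

A user certificate that shows `Usable = False` with `SAN has no UPN` is the case Anne's point 3 describes; a `chain:` entry that only appears when the wireless link is down points at point 4 (CRL/AIA not reachable before the network connection exists).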

All replies

  • Hello Anne,

    thank you for your response!

    I will collect the information. I don't have continuous access to the systems, but I think I will have it tomorrow.

    But I think your point 3 could be the problem. I haven't checked the SubjectAltName in the user certificate.

    I will report on Friday.

    Best Regards,

    Frank

    Thursday, October 27, 2016 10:58 AM
  • Hi Rintintin,

    Yeah, feel free to feed back if you need additional assistance.

    Best Regards,

    Anne


    Friday, October 28, 2016 9:50 AM