Radius on 2008 R2 with eap-tls

Question
Hi
I have configured EAP-TLS in Windows Server 2008. The NPS server is authenticating users successfully, but they are unable to get an IP address.
I used a Cisco 1040 access point.
Here is the log I get when a user is authenticated:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/10/2012 10:01:13 PM
Event ID: 6276
Task Category: Network Policy Server
Level: Information
Keywords: Audit Success
User: N/A
Computer: NPS1.lantronix.com
Description:
Network Policy Server quarantined a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: LANTRONIX\USER$
Account Name: host/User.lantronix.com
Account Domain: LANTRONIX
Fully Qualified Account Name: LANTRONIX\USER$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: c8f9.f9a7.6960
Calling Station Identifier: 0014.78ed.8530
NAS:
NAS IPv4 Address: 10.1.0.76
NAS IPv6 Address: -
NAS Identifier: msys_cisco
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1900
RADIUS Client:
Client Friendly Name: cisco_client
Client IP Address: 10.1.0.76
Authentication Details:
Proxy Policy Name: eap_tls
Network Policy Name: NAP 802.1X (Wireless) 4 Non NAP-Capable
Authentication Provider: Windows
Authentication Server: NPS1.lantronix.com
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Quarantine Information:
Result: Quarantined
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>6276</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12552</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2012-05-11T05:01:13.023Z" />
<EventRecordID>25094</EventRecordID>
<Correlation />
<Execution ProcessID="584" ThreadID="1256" />
<Channel>Security</Channel>
<Computer>NPS1.lantronix.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-11613551-1190545814-67446-1129</Data>
<Data Name="SubjectUserName">host/User.lantronix.com</Data>
<Data Name="SubjectDomainName">LANTRONIX</Data>
<Data Name="FullyQualifiedSubjectUserName">LANTRONIX\USER$</Data>
<Data Name="SubjectMachineSID">S-1-0-0</Data>
<Data Name="SubjectMachineName">-</Data>
<Data Name="FullyQualifiedSubjectMachineName">-</Data>
<Data Name="MachineInventory">-</Data>
<Data Name="CalledStationID">c8f9.f9a7.6960</Data>
<Data Name="CallingStationID">0014.78ed.8530</Data>
<Data Name="NASIPv4Address">10.1.0.76</Data>
<Data Name="NASIPv6Address">-</Data>
<Data Name="NASIdentifier">msys_cisco</Data>
<Data Name="NASPortType">Wireless - IEEE 802.11 </Data>
<Data Name="NASPort">1900</Data>
<Data Name="ClientName">cisco_client</Data>
<Data Name="ClientIPAddress">10.1.0.76</Data>
<Data Name="ProxyPolicyName">eap_tls</Data>
<Data Name="NetworkPolicyName">NAP 802.1X (Wireless) 4 Non NAP-Capable</Data>
<Data Name="AuthenticationProvider">Windows </Data>
<Data Name="AuthenticationServer">NPS1.lantronix.com</Data>
<Data Name="AuthenticationType">EAP</Data>
<Data Name="EAPType">Microsoft: Smart Card or other certificate</Data>
<Data Name="AccountSessionIdentifier">-</Data>
<Data Name="QuarantineState">Quarantined </Data>
<Data Name="ExtendedQuarantineState">-</Data>
<Data Name="QuarantineSessionID">-</Data>
<Data Name="QuarantineHelpURL">-</Data>
<Data Name="QuarantineSystemHealthResult">-</Data>
</EventData>
</Event>
and I can see a DHCP Discover from the client 0014.78ed.8530 in Wireshark.
Can anyone help me? Where are things going wrong? I configured a DHCP server also in AD.
Thanks
Ramu
Thursday, May 17, 2012 11:08 AM
Answers
Hi Ramu,
Thank you for the post.
Network Policy Name: NAP 802.1X (Wireless) 4 Non NAP-Capable
Result: Quarantined
Your wireless client is evaluated as Non NAP-Capable, so the computer is quarantined with no IP address. Please check the NAP agent status on your client according to the articles below:
NAP troubleshooting basics
http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/41e753f4-c350-4153-91a3-c1dc7e6f864a
Debugging NAP Errors (part 1)
http://blogs.technet.com/b/nap/archive/2008/02/19/debugging-nap-errors-part-1.aspx
Moreover, disable the fast logon group policy “Always wait for the network at computer startup and logon” on your client and reboot your client.
http://support.microsoft.com/kb/305293
If there are more inquiries on this issue, please feel free to let us know.
Regards
Rick Tan
TechNet Community Support
- Marked as answer by Rick Tan Friday, May 25, 2012 7:04 AM
Friday, May 18, 2012 8:11 AM
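The answer above reads the quarantine verdict out of event 6276 by hand. The following script, added here as an example and not part of the thread or of NPS itself, does the same triage programmatically: it parses the event XML, pulls the EventData fields, and reports which network policy matched, whether the session was quarantined, and whether any System Health Validator result was present at all. The sample record is a constructed reduction of the event posted in the question; the function and field names are this example's own.

```python
# Added example: triage an NPS event 6276 ("Network Policy Server quarantined
# a user") from its Windows event XML. Not part of the original thread.
import xml.etree.ElementTree as ET

# Default namespace of Windows event XML; it applies to every element below <Event>.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample, reduced from the event XML posted in the question.
SAMPLE_6276 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6276</EventID><Computer>NPS1.lantronix.com</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">host/User.lantronix.com</Data>
    <Data Name="CallingStationID">0014.78ed.8530</Data>
    <Data Name="NASIPv4Address">10.1.0.76</Data>
    <Data Name="NetworkPolicyName">NAP 802.1X (Wireless) 4 Non NAP-Capable</Data>
    <Data Name="EAPType">Microsoft: Smart Card or other certificate</Data>
    <Data Name="QuarantineState">Quarantined </Data>
    <Data Name="QuarantineSystemHealthResult">-</Data>
  </EventData>
</Event>"""


def parse_nps_event(xml_text):
    """Return (event_id, {Data Name: stripped value}) for one Windows event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    # NPS pads some values with trailing spaces (e.g. "Quarantined "), so strip them.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def triage_6276(xml_text):
    """Summarise a quarantine event: client, matched policy, and SHV result presence."""
    event_id, d = parse_nps_event(xml_text)
    if event_id != 6276:
        return None
    # "-" in QuarantineSystemHealthResult means no SHV result was recorded, which
    # together with the matched policy name points at the non-NAP-capable path
    # rather than a failed health check.
    return {
        "client_mac": d.get("CallingStationID"),
        "account": d.get("SubjectUserName"),
        "nas": d.get("NASIPv4Address"),
        "policy": d.get("NetworkPolicyName"),
        "quarantined": d.get("QuarantineState") == "Quarantined",
        "no_health_result": d.get("QuarantineSystemHealthResult", "-") == "-",
    }
```

Fed the full record from the question, it reports the client MAC, the "NAP 802.1X (Wireless) 4 Non NAP-Capable" policy, a quarantined state and no SHV result, which is exactly the combination the answer diagnoses.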