Problem with NPS - PEAP-TLS

  • Question

  • Hello everyone

    I'm having a really hard time configuring my wireless to work with PEAP-TLS.
    I'm able to make it work with MSCHAPv2, but I don't want mobile devices that are outside my AD domain to connect to my wireless... so as far as I know TLS is the way to go, right?

    Here is the error I get in the Event Viewer (FG-RD-TESTE and both the connection request policy and the network policy name are right, TESTE_RADIUS).
    RADIUS Client:
    Client Friendly Name: FG-RD-TESTE
    Client IP Address: 172.19.60.14

    Authentication Details:
    Connection Request Policy Name: TESTE_RADIUS
    Network Policy Name: TESTE_RADIUS
    Authentication Provider: Windows
    Authentication Server: VP-DHCP01.XXX.LOCAL
    Authentication Type: MS-CHAPv2
    EAP Type: -
    Account Session Identifier: 3137366262396334
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

    One of my problems (I don't know if it is really a problem, but I don't know why it is happening) is that when I try to connect to the Wi-Fi, the authentication arrives at the NPS as the Virtual (VPN) type, so in the NAS Port Type I have to mark Virtual (VPN), otherwise it won't work.

    So my conditions are:
    NAS Port Type: VPN, Wireless, Wireless - Other
    Windows Group: Domain\Wifi_Group
    Client IPv4 Address: 172.19.60.14

    172.19.60.14 is the IP address of the Wi-Fi subnet gateway; all requests arrive at the NPS with this source IP.

    In the authentication methods, I configured "Microsoft: Protected EAP (PEAP)", and inside of it I configured the EAP type "Smart Card or other certificate".

    My server certificate has the Server Authentication role, but I don't know how to find out which certificate my client (the client is in the domain) is using, so I can verify whether it has Client Authentication set.

    I don't know if there is something wrong, but in the Event Viewer the client seems to be using MSCHAPv2, and I need it to work via PEAP-TLS.


    Wednesday, June 19, 2019 1:33 PM
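Added example (editor's, not part of the original thread): a PowerShell snippet that reads the NPS audit events behind the Event Viewer entry quoted above (Security log, event 6273 = access denied, 6272 = access granted) and tabulates what the RADIUS client is actually sending across all attempts rather than one event. It is worth running before changing the policy: in these events a PEAP request shows Authentication Type "PEAP" plus an inner EAP Type, whereas Authentication Type "MS-CHAPv2" with EAP Type "-" indicates a non-EAP MS-CHAPv2 request from the RADIUS client, which a policy allowing only PEAP with EAP-TLS correctly rejects with reason code 66. The NASPortType column also shows why the Virtual (VPN) condition was needed. Run it on the NPS server as an administrator; the client name filter value 'FG-RD-TESTE' is taken from the question, and the variable names and output layout are this example's own.

```powershell
# Added example (not from the original post): summarise NPS grants/denials from
# the Security log so the negotiated method and NAS-Port-Type can be seen
# across many attempts. Run on the NPS server as an administrator.
# Assumption: NPS audit logging is enabled (the default); the client name
# below is the RADIUS client friendly name from the question.

$ClientName = 'FG-RD-TESTE'   # set to '' to include every RADIUS client
$Hours      = 24

# 6273 = access denied, 6272 = access granted (Network Policy Server audit category).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()

    # Flatten <Data Name="...">value</Data> into a hashtable keyed by Name.
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($ClientName -and $d['ClientName'] -ne $ClientName) { continue }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Result   = if ($e.Id -eq 6272) { 'GRANT' } else { 'DENY' }
        User     = $d['FullyQualifiedSubjectUserName']
        Machine  = $d['FullyQualifiedSubjectMachineName']
        NasPort  = $d['NASPortType']
        AuthType = $d['AuthenticationType']   # PEAP / EAP / MS-CHAPv2 / PAP ...
        EapType  = $d['EAPType']              # inner EAP method, '-' when the request is not EAP
        Policy   = $d['NetworkPolicyName']
        Reason   = $d['ReasonCode']
    }
}

# What are the clients actually sending? One line per distinct combination.
$rows | Group-Object Result, NasPort, AuthType, EapType, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Detail for the failure in the question: reason 66 = method not enabled on the matching policy.
$rows | Where-Object { $_.Reason -eq '66' } |
    Format-Table Time, User, Machine, NasPort, AuthType, EapType, Policy -AutoSize
```

If the summary shows only "MS-CHAPv2 / -" rows for the wireless SSID, the change needed is on the RADIUS client or supplicant side (they are not sending EAP at all), not in the NPS EAP configuration.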

All replies

  • Hi,

    > In the authentication methods, I configured "Microsoft: Protected EAP (PEAP)", and inside of it I configured the EAP type "Smart Card or other certificate"

    Did you use a smart card on the clients? How did you configure the authentication method on the clients?

    I would suggest you check the certificates on the clients.

    Configure Certificate Templates for PEAP and EAP Requirements

    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements 

    Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS

    https://support.microsoft.com/en-sg/help/814394/certificate-requirements-when-you-use-eap-tls-or-peap-with-eap-tls

    However, why not add NPS policy conditions such as Domain Computers to prevent mobile devices that are outside your AD domain from connecting to the wireless?

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, June 20, 2019 8:05 AM
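Added example (editor's, not from Microsoft's documentation or from the thread): a PowerShell check of the certificate requirements in the two articles linked above, which also answers the earlier question of how to tell which client certificate is usable. Without a user certificate, EAP-TLS on a domain-joined Windows client authenticates the computer with a certificate from the LocalMachine\My store (on an AD CS domain typically issued from the Workstation Authentication template), so the script enumerates that store and tests each certificate for the required Enhanced Key Usage (Client Authentication, 1.3.6.1.5.5.7.3.2, on the client; Server Authentication, 1.3.6.1.5.5.7.3.1, on the NPS server), a private key, the validity window, a chain to a trusted root, and a subject or SAN. The $Role switch, the Test-EapCertificate function name and the output shape are this example's own; the store path, OIDs and .NET types are standard.

```powershell
# Added example (not from the original thread): test the certificates in the
# computer store against the EAP-TLS / PEAP-EAP-TLS requirements.
# Run on the supplicant with $Role = 'Client', on the NPS server with $Role = 'Server'.

$Role = 'Client'   # 'Client' or 'Server'

# Required Enhanced Key Usage for the side being checked.
$ekuOid = if ($Role -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }

function Test-EapCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Eku
    )

    $problems = New-Object System.Collections.Generic.List[string]

    # 1. EKU must include the required purpose. A certificate with no EKU
    #    extension at all is treated by Windows as valid for all purposes.
    $ekus = @($Cert.EnhancedKeyUsageList | ForEach-Object ObjectId)
    if ($ekus.Count -gt 0 -and $ekus -notcontains $Eku) { $problems.Add("missing EKU $Eku") }

    # 2. The private key must be present and accessible to this account/SYSTEM.
    if (-not $Cert.HasPrivateKey) { $problems.Add('no private key') }

    # 3. Validity window.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems.Add('expired or not yet valid') }

    # 4. Must chain to a trusted root (the peer must trust the same root; for the
    #    client this is the CA selected in the wireless profile's trusted root list).
    #    X509Chain.Build performs revocation checking by default.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
        $problems.Add('chain build failed: ' + $status.Trim())
    }
    $root = ''
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    # 5. The identity the peer will see: Subject and/or Subject Alternative Name (2.5.29.17).
    $san     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    if (-not $Cert.Subject -and -not $sanText) { $problems.Add('no subject and no SAN') }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        SAN        = $sanText
        Root       = $root
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# EAP-TLS machine authentication and the NPS server certificate both live in the computer store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapCertificate -Cert $_ -Eku $ekuOid } |
    Sort-Object Usable -Descending |
    Format-List
```

On the client, a certificate reported as Usable is one the "Smart Card or other certificate" method can present for machine authentication; if none is listed, the client has no enrolled machine certificate and EAP-TLS cannot succeed regardless of the NPS policy. On the NPS server, the Usable certificate's Root is the CA the client profile must list as trusted, and a Subject that does not match the name clients validate is a common cause of the client silently rejecting the PEAP/EAP-TLS handshake.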
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Travis



    Friday, June 28, 2019 1:38 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Travis



    Tuesday, July 2, 2019 7:09 AM