Linux clients not authenticating via EAP-TLS (802.1X) to a Windows NPS Server

  • Question

  • I can't get Linux clients to authenticate via EAP-TLS to a Windows Server 2012 NPS Server.

    I get the following error message when attempting this: http://i.imgur.com/aPnEl8M.png http://i.imgur.com/SnlGMZs.png http://i.imgur.com/QK84EtQ.png

    I have a Network Policy configured called "Certificate Authentication". It's currently at the top of the Network Policy chain and enabled. It's the same policy my Windows hosts use. Here are its relevant settings: http://i.imgur.com/yEveSDp.png http://i.imgur.com/C6GPjXl.png

    I imagine it's because it's not hitting a policy: http://i.imgur.com/QK84EtQ.png (notice the blank EAP Type and the blank NetworkPolicyName). This is opposed to a Windows host that works: http://i.imgur.com/c5PjFYc.png

    At the moment, I have Windows 7 clients successfully using EAP-TLS (with certificates signed by the same CA) to authenticate to this Windows NPS server and thus the network. Windows 7 clients work fine. 

    Is there any obvious thing I'm missing? 

    (Linux host configuration, just to confirm everything is there: http://i.imgur.com/PBC178V.png)

    Wednesday, March 23, 2016 5:59 AM

Answers

  • Hi,

    According to your screenshot, the reason code of the authentication failure is that the user account doesn't exist.

    This is because the computer account of the Linux client doesn't exist in the domain controller.

    I would suggest you post this question on the Linux support forum to look for the solution for the Linux client.

    Best Regards,


    Steven Lee

    Thursday, March 24, 2016 6:44 AM
  • For the Linux system, you most likely have to use a user certificate rather than a machine certificate. As Steven stated, there is no computer account in the directory and you are using a RADIUS server that is looking for a matching account.

    Brian

    Friday, March 25, 2016 1:29 AM
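As an added illustration of Brian's suggestion (not part of the original thread): a wpa_supplicant network block that authenticates with a user certificate whose identity is a domain user account, so NPS has an account to match. It assumes a wired 802.1X port, a constructed user UPN alice@corp.example, a constructed NPS hostname nps01.corp.example and the file paths shown; all of these are placeholders.

```conf
# /etc/wpa_supplicant/wired.conf (constructed example)
# Run with: wpa_supplicant -D wired -i eth0 -c /etc/wpa_supplicant/wired.conf
ctrl_interface=/var/run/wpa_supplicant
# Wired port: no scanning. For Wi-Fi, drop ap_scan=0 and use
# ssid="<network>" with key_mgmt=WPA-EAP inside the block instead.
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=TLS
    eapol_flags=0

    # Outer identity sent to NPS. Use the user's UPN, which is what the
    # user certificate's Subject Alternative Name carries, so the RADIUS
    # server can find a matching domain user account (a machine cert from
    # a non-domain Linux host has no computer account to match).
    identity="alice@corp.example"

    # Client credential: a user certificate issued by the same enterprise CA
    # that issued the Windows 7 clients' certificates, plus its private key.
    client_cert="/etc/ssl/certs/alice-user.pem"
    private_key="/etc/ssl/private/alice-user.key"
    private_key_passwd="changeme-placeholder"

    # Trust anchor used to validate the NPS server certificate.
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"

    # Refuse to talk to any RADIUS server whose certificate does not carry
    # this DNS name; without it a rogue authenticator could impersonate NPS.
    domain_suffix_match="nps01.corp.example"
}
```

On the NPS side the "Certificate Authentication" policy must still apply to the matched user account (not only to Domain Computers), or the request will again fall through with a blank NetworkPolicyName.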
