Clients unable to connect to Wireless - Possible RADIUS/Cert issue

  • Question

  • Hi All
    Sorry if this has already been answered or if I am posting in the wrong place - tried searching the forums and Googling for some time but I don't know enough about this area to come up with valid search terms or find anything useful.
    The issue I am having is that clients (including my own laptop) have suddenly stopped being able to connect to the wireless. This was working on Thursday 12th before I left for long weekend. A colleague reports the issue was first noted on Friday 13th (the day after).
    I have just taken over as Network Administrator for a fairly large school. The previous admin did not leave anything in the way of documentation and my attempts to figure things out have reached a dead end - please help if possible!
    From what I can gather, the environment is mostly Server 2003 R2 with a couple of 2008 R2 (notably a 2008 R2 Enterprise which seems to be acting as the main CA). Clients are Windows 7. Cisco APs and switches are used throughout, with RADIUS 802.1x authentication enabled for both wireless and LAN.
    The wireless networks are visible with full bars - when clicking on the network and choosing "connect" it says "Connecting to JSR-Testing2" for about 1 sec then goes to "Windows was unable to connect to JSR-Testing2". In the event log errors are raised,
    • Event 36881 - Schannel - "The certificate received from the remote server has either expired or is not yet valid. The SSL connection request has failed. The attached data contains the server certificate."
    • Event 36888 - Schannel - "The following fatal alert was generated: 45. The internal error state is 552."
    The OP in the link below seems to have a similar issue to myself, however his solution (untick "Validate Server Certificate"), while a valid workaround, does not seem to be a proper fix as surely the server certificate is *meant* to be validated if all is working?
    I tested this by going to Control Panel > Network and Internet > Network and Sharing > Manage Wireless Networks > right click on my network "JSR-Testing2" > Properties > Security tab > click "Settings" for network authentication method (MS PEAP) > untick "Validate Server Certificate".
    After doing the above, was immediately able to connect to the wireless network. This leads me to believe it is some sort of certificate issue, either on the server side or on the client side.
    My CA is Server 2008 R2 Enterprise.
    There is a server called JSR-RADIUS which I presume to have something to do with the radius authentication, however as it is Server 2003 which I am unfamiliar with, I can't really see any functions to configure or check. There are two internet shortcuts on the desktop, "ACS Admin" and "Wireless Controller" leading to what seem to be Cisco management pages. Tried looking through these but couldn't see anything obvious and didn't want to break anything.
    Checked certificates on the CA and both servers (using Certificates MMC snap-in) which were listed as RADIUS servers in some old notes I found; all seem to have valid certs (expiring end of 2012), although don't take my word for it as I am inexperienced in certificates.
    Any help or pointers would be much appreciated as I don't even know where to start troubleshooting this issue!
    Thank you

    • Edited by James987435 Tuesday, January 17, 2012 4:32 AM
    Tuesday, January 17, 2012 4:32 AM

Answers

  • Hi All

    Thanks for all the responses. Turns out I was on the right track but had to request a new certificate manually using the Cisco ACS webpage. After this, turned out somehow the MS-PEAP authentication setting had been turned off, turned this back on again after renewing the cert the proper way, and everything started working again.

    These are the steps I figured out (for future problem havers):

    1. Browse to the certsrv webpage of your CA.
    2. Request a certificate > Advanced > Create and submit a request
    3. Choose the ACS template
    4. Under Name, type the FQDN of your RADIUS server
    5. Leave everything else as default, ensuring Create New Key is selected (should be by default)
    6. Submit request
    7. Install the certificate (you may wish to save it using the checkbox provided; I prefer to do it as per the following)
    8. Once installed, go to Tools > Internet Options (in IE) then the Content tab.
    9. Click on Certificates, select the certificate you just installed
    10. Choose Export > Next > Yes export the private key > Next (pfx selected by default) > create a password > Next > specify filename, then finish.
    11. Open up the Certificates snapin for local computer from MMC.
    12. Right Click on Trusted Root Certification Authorities, choose Import
    13. Browse to the .pfx you just exported and import it, entering the password you created earlier, make sure you tick "Mark as exportable" otherwise the Cisco page will have a sad later.
    14. Delete all other existing unexpired certificates which may exist under the ACS template (you will see why later).
    15. On the RADIUS server which has Cisco ACS installed, go to the ACS Admin page at http://127.0.0.1:2002/
    16. Go to System Configuration
    17. Click ACS Certificate Setup
    18. Click Install ACS Certificate (this will show your certificate information if you have one installed)
    19. If expired or whatever, click Install New Certificate. This will delete your currently installed certificate, you can't go back after clicking yes.
    20. Choose the "read from store" option, this will allow it to detect the cert you previously imported into Trusted Root Certification Authorities. Leave all the other fields blank and click submit. If you have created the cert correctly it will accept and ask you to restart the service.
    21. If things still don't work now, you may have to download a new CA cert and update it using a similar process (except reading from file instead of reading from store) although I don't know if this is necessary (I just did it anyway since)
    22. Make sure all settings are correct (in my case Allow EAP-MSCHAPv2 had become deselected under System Configuration > Global Authentication Setup, I needed to tick this again before things would work.)
    23. Hopefully done! If not, good luck to you



    --- Thanks & regards, James - JSRACS ------------------------
    • Marked as answer by James987435 Monday, January 23, 2012 5:27 AM
    Monday, January 23, 2012 5:26 AM

All replies

  • Hi,

    I think you've correctly diagnosed the issue. The checkbox on the client is looking for a certificate on the IAS/NPS server. The client must trust this certificate. If everything worked and suddenly stopped working it does sound like a certificate expiration and the error message you noted also indicates this.

    If you are sure the certificate on NPS is not expired, you should check the client side certificates. In the Trusted Root Certificate Authorities you should see the Root CA for the certificate on NPS. In other words, check the certificate chain on the cert on NPS first. If the Root CA and the certificate issuing CA are the same, then the chain will only be one server. A properly configured PKI would not use the same CA for Root and issuing CA, but this happens often.

    Essentially, the client looks at the chain on the NPS certificate and if the Root CA in that chain is one of the client's "trusted" Root CAs, then all is OK. If, however, the Root CA certificate is expired, then it can't trust the Root CA and certificate validation fails. It would also fail if the NPS certificate itself has expired.

    See http://technet.microsoft.com/en-us/library/cc731363.aspx. The chaining requirement is mentioned on the second bullet. Other requirements are also listed.

    I hope this helps,

    -Greg

    Tuesday, January 17, 2012 7:20 AM
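    The checks Greg describes above (is the server-authentication cert expired, is the root it chains to expired, and is that root actually in the trusted store) can be run from PowerShell instead of clicking through the Certificates snap-in. The script below is an added example and is not from this thread or any of its posters; it assumes PowerShell 2.0 or later in an elevated session (so the LocalMachine stores are readable), uses the standard Server Authentication EKU OID 1.3.6.1.5.5.7.3.1, and reads the Schannel 36881/36888 events named earlier in the thread from the System log.

```powershell
# Added example: inventory the certificates that PEAP server validation depends on
# and flag the failure modes discussed in the thread. Assumptions: elevated
# PowerShell 2.0+, Server Authentication EKU = 1.3.6.1.5.5.7.3.1, Schannel events
# 36881/36888 in the System log.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$now = Get-Date

function Test-ServerAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Does the certificate carry the Server Authentication EKU (extension 2.5.29.37)?
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }

    # Build the chain the way a client would, but without revocation lookups so it
    # runs offline; ChainStatus lists reasons such as NotTimeValid or UntrustedRoot.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        Expired       = ($Cert.NotAfter -lt $now)
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuthEKU = $hasServerAuth
        ChainValid    = $chainOk
        ChainStatus   = $status
        RootSubject   = $root.Subject
        RootExpired   = ($root.NotAfter -lt $now)
    }
}

# 1. On the RADIUS server: the EAP server certificate lives in Personal and must
#    have a private key, a Server Authentication EKU and a valid, unexpired chain.
Write-Host "== LocalMachine\My: candidate EAP server certificates =="
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ServerAuthCert $_ } |
    Where-Object { $_.ServerAuthEKU } |
    Format-Table Subject, NotAfter, Expired, HasPrivateKey, ChainValid, ChainStatus, RootExpired -AutoSize

# 2. On any box: trusted roots that are expired or expire within 30 days.
Write-Host "== LocalMachine\Root: expired or soon-to-expire roots =="
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt $now.AddDays(30) } |
    Format-Table Subject, NotAfter -AutoSize

# 3. Leaf (non-self-signed) certificates sitting in Trusted Root Certification
#    Authorities; a server cert belongs in Personal, not here.
Write-Host "== LocalMachine\Root: non-root certificates that do not belong here =="
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -ne $_.Issuer } |
    Format-Table Subject, Issuer, NotAfter -AutoSize

# 4. On a client: recent Schannel certificate failures to correlate with the outage.
Write-Host "== Schannel certificate failures (System log) =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36881, 36888 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

A chain whose ChainStatus contains NotTimeValid on the leaf reproduces exactly the 36881 condition in the first post; UntrustedRoot means the issuing root is missing from the client's Trusted Root store rather than expired.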
  • Hi Greg


    Thanks so much for your reply.


    I have checked the certificates on my laptop - I found under Trusted Root Certification Authorities a whole lot of certificates, however I will only list the ones I believe to be relevant: (replaced my domain with <mydomain> for security)

    ISSUED TO          ISSUED BY              EXP DATE     Intended Purposes       Certificate Template
    JSR17              JSR17                  14/04/2014   <All>                   Root Certification Authority
    JSR17              JSR17                  8/04/2014    <All>                   Root Certification Authority
    JSR17.domain.com   <mydomain>-JSR29-CA    15/01/2012   Server Authentication   ACS

    As you can see, the culprit would appear to be the last entry, as its expiry date matches the exact day wireless connections stopped working.

    On JSR17, under Trusted Root Certification Authorities, I see another two entries identical to the 3rd one above. I believe ACS in this case stands for Access Control Server (Cisco). I don't know whether this is a standard template or whether it has been created manually, however I don't think this matters. On JSR17 in the Certs MMC, there is a folder called ACSCertStore > Certificates which contains the same jsr17.<domain> expiring 15/01/2012, however no option to renew this. I am able to right click and see options to renew certificates in the Personal > Certificates folder, however not in the ACSCertStore folder nor in the Trusted Root Certification Authorities folder. Would you be able to advise on what to do here?


    I read the link you provided, it contains some useful info, but nothing on how to renew the certificate on JSR17. I tried Googling that but no luck, all results seem to deal with renewing user certificates. I went to the certsrv page on my CA, however this only seemed to offer Domain Controller templates.


    Thanks again!



    --- Thanks & regards, James - JSRACS ------------------------

    • Edited by James987435 Wednesday, January 18, 2012 2:26 AM
    Wednesday, January 18, 2012 2:22 AM
  • Hi James,


    Thanks for posting here.


    The workaround in the link below will help us to manually renew a certificate on client if we suspect certificate expiring is the root cause:


    Renew a certificate with the same key

    http://technet.microsoft.com/en-us/library/cc758448(WS.10).aspx


    Thanks.


    Tiger Li


    TechNet Community Support

    Thursday, January 19, 2012 6:23 AM
  • Hi Tiger Li


    Thanks for your reply.


    Which certificate are you asking me to renew? In the meantime, I have done a couple of things.

    Previously when viewing the certification path for JSR17, it shows the root as my CA, then underneath is JSR17, showing expired.

    I have managed to create a new certificate for JSR17 by going to the certsrv webpage and making an advanced request. I then added this to Trusted Root Certification Authorities using the Default Domain Policy (this seems to be how it was done before, as the JSR17 expired certificate was listed in the Group Policy settings).


    However, I noticed that the old certificate, when opened, has the words "You have a private key that corresponds to this certificate". This is whether I view the JSR17 cert on the CA, on JSR17 itself, or on my client laptop.

    However, the cert I just renewed or requested does not have these words. Do you think this matters? 


    In any case, the wireless issue is still occurring. Frustratingly, it seems to only happen on some laptops. More than 20 of them seem to be OK for some reason - another batch of 10 aren't though, and my own and another testing one I have also aren't. The Schannel 36881 event is still generated. I found a link regarding this event from Microsoft, which seems to describe the issue (http://support.microsoft.com/kb/839514). Their advice "You must restart the server before the server uses the new certificate." indeed fixed the certification path showing the expired certificate, and now when I view the JSR17 cert it shows as valid in the Certification Path, however this did not seem to resolve the issue.


    I would appreciate some step by step instructions on exactly how to renew this certificate using the same "private key" that seems to correspond with the old one no matter where I view it from, as everywhere I've found on the net seems to have only rather vague instructions, assuming a lot of knowledge or experience which I don't have.


    Thanks again to everyone who has responded, much appreciated.



    --- Thanks & regards, James - JSRACS ------------------------
    Thursday, January 19, 2012 6:42 AM
  • Is there a specific place I could look on working vs non-working laptops to help determine the cause? I've had a look but couldn't see anything different, and without knowing exactly where I could spend hours with no result, so a specific location or thing to look for would help immensely.
    --- Thanks & regards, James - JSRACS ------------------------
    Thursday, January 19, 2012 7:43 AM
  • Hi James,

    See http://technet.microsoft.com/en-us/library/dd379539(WS.10).aspx. On your root CA, you should verify that you have enabled the certificate for autoenrollment and Group Policy has "renew expired certificates."

    If you don't use autoenrollment, you'll need to manually enroll all the clients on your network each time the certificate expires, and I don't think that is ideal.

    I hope this helps,

    -Greg

    Thursday, January 19, 2012 8:20 AM
  • Hi Greg


    I checked group policy and "renew expired certificates" is enabled. I checked a working vs non-working laptop, and the only difference that I can see is the working ones do not have "Validate Server Certificate" checked.


    On my own laptop which is not working, I made sure "Validate Server Certificate" was checked, then underneath I also checked "Connect to these servers:" and then put in the CA name which was ticked in the list directly below that, "Trusted Root Certification Authorities". When trying to connect to the wireless network after that, a different thing happened: a message box popped up saying "The connection attempt could not be completed." "The credentials provided by the server could not be validated.......Details: Radius Server: JSR17.<mydomain> Root CA: jsracs-JSRS29-CA"

    Then in the details area: "The server JSR17 is not configured as a valid NPS server to connect to for this profile."


    How do I check if the certificate is enabled for autoenrollment on the CA?


    Thanks


    --- Thanks & regards, James - JSRACS ------------------------
    Friday, January 20, 2012 3:08 AM
  • Hi Tiger/Greg


    I copied the expired certificate which has been signed with the private key into the Personal store. After doing this, I was able to right click it and see various renewal options. However, when I selected "Renew this certificate with the same key" an error message appeared saying "You do not have permission to request a certificate based on the selected certificate template."


    Does this mean I must make changes to the certificate template on the CA? Should I add the actual computer object (JSR17) to the permissions on the certificate template? (not sure if this is compliant with best practice as I am new to the area).


    Thanks,


    --- Thanks & regards, James - JSRACS ------------------------
    • Edited by James987435 Friday, January 20, 2012 3:28 AM "certificate" changed to "certificate template"
    Friday, January 20, 2012 3:27 AM
  • I added Enrollment and Autoenrollment permissions to the template on the CA for both the Domain Controllers group (JSR17 is also a DC) and the actual computer object (JSR17).

    Restarted both servers.

    However, when I try to renew the certificate on JSR17 by right clicking and choosing "Renew with same key" I get the "don't have permissions for this template" error again. This also happens with "Renew with new key".

    I thought of requesting a new certificate with the same key but there are only three types available, none of which seem to be the one I'm after.

    Edit: I requested a new cert and put it in the ACSCertStore. This seems to have made things worse as now no clients are connecting, even the ones without "Validate Server Certificate" checked.


    Really in over my head now, is there a specialist RADIUS/Cisco ACS/802.1x forum I could be posting in?

    Thanks again for all the responses. 


    --- Thanks & regards, James - JSRACS ------------------------
    Friday, January 20, 2012 5:49 AM
  • Hi James,

    The "don't have permission" message is fairly simple. Going off memory, on the template there is a permissions setting (security tab I think) that allows you to add or remove groups and users. You just need to make sure that JSR17 or the user that is logged into that machine has permission for this cert. This is why you don't see the certificate available to request.

    See http://technet.microsoft.com/en-us/library/cc736358(WS.10).aspx where it says "To enable auto-enrollment, a user or computer must belong to domain groups that are granted Read, Enroll, and Autoenroll permissions."

    You should not have to move the certificate. The cert should remain in the Certificates (Local Computer)\Personal\Certificates container.

    Keep in mind that you have three permissions that pertain to how you acquire the certificate. There is Read, Enroll, and Autoenroll. You should enable all of these for authenticated users.

    -Greg

    Friday, January 20, 2012 6:35 AM
  • Hi Greg


    Thanks for your response. I may have made things a bit complicated by doing multiple replies. Basically

    - I have added Read, Enroll and Autoenroll permissions on all of Authenticated Users, Domain Controllers, and also JSR17 computer object. This did not resolve the "don't have permission" message even after rebooting both servers.

    - with regards to moving the certificate, it was not in Personal\Certificates to begin with, it was in Trusted Root CA's. The reason I copied it to Personal was because it doesn't seem to be possible to Renew any certificates in the Trusted Root CA's container. Once I copied it to Personal, I was able to right click and choose "renew" but this is when I got the "don't have permission" error.

    - I looked further through group policy and found that the authentication server for 802.1x is set to my CA (JSR29) and the certificate for that does not expire till 2015.


    Thanks


    --- Thanks & regards, James - JSRACS ------------------------
    Friday, January 20, 2012 6:48 AM
  • Hi James,

    I am a little confused. I am pretty sure that JSR17 is your NPS server, right?

    There are two certificates here to deal with. The first is on NPS and will have a server authentication EKU (enhanced key usage). This certificate is in the Personal\Certificates container and chains to a Root CA.

    There should be a second certificate in the Trusted Root Certification Authorities container for your Root CA. This certificate must also not be expired and should be present on all your client computers and also on NPS.

    Looking back at your post on Wednesday, I think you might have said that the first certificate (with server authentication) was located in the Trusted Root Certification Authorities store. This is not a correct configuration. I think you were looking on the NPS then and not a client computer.

    You did say, however, that the date things stopped working was the date this certificate expired. That most likely means that all you need to do is enroll this certificate again (the one with the ACS template). It should be deposited in the Personal\Certificates container and everything should work fine.

    Please let me know if you've tried this already.

    If you are having trouble finding the ACS template, we can create a new template. Let me know.

    -Greg


    P.S. Autoenrollment is for the Root cert. All your clients do not need the server authentication cert. That is only needed on NPS. Clients will look at the cert and judge whether or not it is trusted if the checkbox is enabled to validate this cert.
    Friday, January 20, 2012 7:11 AM
  • Hi Greg


    I'm not sure sorry. JSR17 is listed as being the RADIUS server in some old notes I found. How to tell if it's the NPS server?

    On all computers, there is a certificate in Trusted Root CAs for JSR17 with Server Authentication (I can't see EKU anywhere, maybe I'm missing something). This certificate does indeed chain to the Root CA. Since it's expired, when viewing the chain, there is a red cross on it. It expired on the 15/01/2012. It is using the ACS template. The issue I've been having is I can't renew this certificate.

    I have access to the ACS template.

    You say I have to enroll this certificate again and deposit it in the Personal\Certificates container on JSR17. Could you tell me how to do this? Everything I've tried so far with regards to renewing/enrolling it again has failed (see above). Even after changing permissions on the template.


    I have just found a shortcut to Cisco ACS manager. I was looking through the Cisco ACS webpage (local on JSR17) and found a place to view "Failed authentication attempts". As expected, my username and PC name were in there. The error message given was "EAP-TLS or PEAP authentication failed during SSL handshake". I googled this error and found this page: "http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml"

    Thanks!


    --- Thanks & regards, James - JSRACS ------------------------
    • Edited by James987435 Friday, January 20, 2012 7:22 AM
    Friday, January 20, 2012 7:21 AM
  • Hi James,

    There are three likely possibilities for the type of server role running on JSR17. It could be a Cisco RADIUS server running Cisco Access Control Server (ACS). It could be a recent version of Microsoft's RADIUS server which is called Network Policy Server (NPS), or it could be an older version of Microsoft's RADIUS server which was called Internet Authentication Server (IAS). We should verify which one it is first I think. I am not familiar at all with ACS but I might be able to help anyway.

    Since the error message and the certificate template both point to ACS, that is probably the server you have. I apologize for not realizing this earlier. I just assumed that it was NPS or IAS because you said the environment was Server 2003/2008 R2.

    I'm sure the problem is still going to be resolved by renewing the certificate, but I'll need to review some documentation on exactly how that is done on ACS.

    To verify what kind of RADIUS server you have, go to a command prompt and type "net start" which should give a list of all the services that are running. You could also use task manager.

    -Greg

    Friday, January 20, 2012 7:35 AM
  • Hi Greg

    Sorry, I may not have explained it very well. From what you've just said and from what I've been viewing on the server, I am certain it's the Cisco RADIUS server running Access Control Server (ACS). I found some additional warnings in the event log after restarting the server which also point to this conclusion as they mention "C:\Program Files\CiscoSecure ACS v4.0\bin\tac_mon.dll" (not serious as they seem to have been occurring regularly for years).

    I found a place within the ACS webpage to install ACS Certificate, ACS Cert Authority Setup, Edit Cert Trust list, Cert Revocation lists, Generate Cert Signing Request, Generate Self Signed Certificate.

    The previous admin is coming around on Monday and I have to go off now. So if it still isn't resolved on Monday I'll post back here (or if it gets resolved I'll post back with the answer).

    Thank you so much for your time and effort.


    --- Thanks & regards, James - JSRACS ------------------------
    • Edited by James987435 Friday, January 20, 2012 7:55 AM removed extra spacing
    Friday, January 20, 2012 7:55 AM
  • Thanks James,

    Yes I saw the ACS instructions also at http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml#acs-1

    The instructions are different from what is done on NPS or IAS so this is probably why we've had problems. Best of luck getting it resolved and let me know if you have other questions.

    -Greg

    Friday, January 20, 2012 8:00 AM