Wireless with 802.1X using Microsoft Win2k8 R2 as Radius Server and Certificate Authority doesn't work

Question
Hi Everyone, I would like to ask for a clue to my case, any help is welcome.
I tried to use the answers already posted in the forum, but I still have the same problem.
I am trying to configure a wireless network with WPA2/IEEE 802.1X using PEAP; with PSK it works fine, but
with 802.1X it doesn't work. The server generated the following message:
"An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP).
Check EAP log files for EAP errors."
Below are the details of my configuration in the server Win2k8 R2 and the Windows 7 client.
NPS:
Radius Clients and Servers:
Radius Client: I defined my access point:
Friendly name: yyyy
IP: xxxxx
Shared Secret: xxxxxx
Vendor: Radius Standard
Additional Options: Unchecked
Policies:
Connection Request Policies:
The first Policy:
Overview:
Policy name: same as friendly name
Policy State: enable
Network Connection Method: Unspecified
Conditions:
Client Friendly name: yyyy (the same as radius client)
Settings:
Authentication Methods: Check "Override Network Policy authentication"
Authentication: Authenticate requests on this server
Accounting: Unavailable
Attribute: Not configured / nothing
Radius Attributes-Standard: Not configured / nothing
Radius Attributes-Vendor Specific: Not configured / nothing
Network Policies:
The first Policy:
Overview:
Policy name: same as friendly name
Policy State: enable
Access Permission: Check "Grant Access"
Check "Ignore user account dial-in properties"
Network Connection Method:
Type of network access server: Unspecified
Conditions:
User Groups - Value (mydomain\domain users)
Constraints:
Authentication Methods: EAP type: PEAP
PEAP edit: Point to my certificate (the server is also AD CA)
Enable fast Reconnect
Secured password (EAP-MSCHAP v2)
Idle Timeout: default
Session timeout: default
Called Station ID: default
Day and time Restrictions: default
NAS Port type: Checked: Wireless IEEE 802.11 and Ethernet, under Common
802.1X connection tunnel types.
Settings:
Radius Attributes-Standard: Not configured / nothing
Radius Attributes-Vendor Specific: Not configured / nothing
Default to all other options in Network access protection and Routing and
Remote Access
==============================================================================
Certificate Authority: in the same server
Default options in the wizard to ADD the role of AD CS, except for "standalone" and "7 years".
The certificate is there; it doesn't have a subject alternative name, but the Subject correctly specifies the
domain.
Issued certificates:
7 days to expiration date
Also I verified in:
MMC > Add or Remove Snap-ins > certificate > local Computer > Then Certificates:
Personal > certificates > The certificate is there
Trusted Root Certification Authorities > Certificates > there are 2 certificates inside, with the same
name, but different icons.
===============================================================================
Windows 7 client:
Imported automatically the certificate.
WPA2-Enterprise/ AES /
Authentication Method: PEAP:
Validate server certificate: Point to certificate used by the Radius
Authentication Method: EAP-MSCHAP v2 (uncheck automatically use my win Logon)
check "Enable fast reconnect"
Advanced Settings:
802.1x settings:
Check "specify authentication mode" then select "User Authentication"
==========================================================
Logs when I tried to connect:
Event Viewer: Network Policy and Access Services
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 9/6/2012 9:19:01 AM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: NameOfTheServer.MyDomain.local
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: MyDomain\MyUser
Account Domain: MyDomain
Fully Qualified Account Name: MyDomain\MyUser
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 0E-18-1A-36-2A-06:MySSID
Calling Station Identifier: 00-1F-E1-46-A6-65
NAS:
NAS IPv4 Address: 6.54.42.6
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: yyyy
Client IP Address: xxxx
Authentication Details:
Connection Request Policy Name: yyyy
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NameOfTheServer.MyDomain.local
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
===================================================
Event Viewer: Windows Logs: System
Log Name: System
Source: Schannel
Date: 9/6/2012 9:19:01 AM
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: NameOfTheServer.MyDomain.local
Description:
The following fatal alert was generated: 20. The internal error state is 960.
=====================================================================
netsh ras set tracing * en
Log: IASNAP.log
[1392] 09-06 09:19:01:141: The request comes from NAS type 0
[1392] 09-06 09:19:01:141: Applying CRP policy:yyyy
[2784] 09-06 09:19:01:188: The request comes from NAS type 0
[2784] 09-06 09:19:01:188: Applying CRP policy:yyyy
[1392] 09-06 09:19:01:203: The request comes from NAS type 0
[1392] 09-06 09:19:01:203: Applying CRP policy:yyyy
[1392] 09-06 09:19:01:219: The request comes from NAS type 0
[1392] 09-06 09:19:01:219: Applying CRP policy:yyyy
Log: IASRAD.log
[1392] 09-06 09:19:01:141: Receive RADIUS packet with size 172 from ::ffff:xxxx
[1392] 09-06 09:19:01:157: message authenticator Attribute added to out-bound RADIUS packet
[1392] 09-06 09:19:01:157: Message Authenticator Attribute set in out UDP buffer
[2784] 09-06 09:19:01:188: Receive RADIUS packet with size 300 from ::ffff:xxxx
[2784] 09-06 09:19:01:188: message authenticator Attribute added to out-bound RADIUS packet
[2784] 09-06 09:19:01:188: Message Authenticator Attribute set in out UDP buffer
[1392] 09-06 09:19:01:203: Receive RADIUS packet with size 201 from ::ffff:xxxx
[1392] 09-06 09:19:01:203: message authenticator Attribute added to out-bound RADIUS packet
[1392] 09-06 09:19:01:203: Message Authenticator Attribute set in out UDP buffer
[1392] 09-06 09:19:01:219: Receive RADIUS packet with size 540 from ::ffff:xxxx
[1392] 09-06 09:19:01:219: message authenticator Attribute added to out-bound RADIUS packet
[1392] 09-06 09:19:01:219: Message Authenticator Attribute set in out UDP buffer
Log:IASSAM.log
[1392] 09-06 09:19:01:141: NT-SAM Names handler received request with user identity MyDomain\MyUser.
[1392] 09-06 09:19:01:141: Username is already an NT4 account name.
[1392] 09-06 09:19:01:141: SAM-Account-Name is "MyDomain\MyUser".
[1392] 09-06 09:19:01:141: Successfully created new CRP Based EAP session for user MyDomain\MyUser.
[1392] 09-06 09:19:01:141: Allowed EAP type: 25
[1392] 09-06 09:19:01:157: Succesfully created EAP Host session with session id 117
[1392] 09-06 09:19:01:157: Processing output from EAP: action:1
[1392] 09-06 09:19:01:157: Inserting outbound EAP-Message of length 6.
[1392] 09-06 09:19:01:157: Issuing Access-Challenge.
[1392] 09-06 09:19:01:157: No AUTHENTICATION extensions, continuing
[1392] 09-06 09:19:01:157: No AUTHORIZATION extensions, continuing
[2784] 09-06 09:19:01:188: Successfully retrieved session (117) for user MyDomain\MyUser.
[2784] 09-06 09:19:01:188: Processing output from EAP: action:1
[2784] 09-06 09:19:01:188: Inserting outbound EAP-Message of length 1396.
[2784] 09-06 09:19:01:188: Issuing Access-Challenge.
[2784] 09-06 09:19:01:188: No AUTHENTICATION extensions, continuing
[2784] 09-06 09:19:01:188: No AUTHORIZATION extensions, continuing
[1392] 09-06 09:19:01:203: Successfully retrieved session (117) for user MyDomain\MyUser.
[1392] 09-06 09:19:01:203: Processing output from EAP: action:1
[1392] 09-06 09:19:01:203: Inserting outbound EAP-Message of length 234.
[1392] 09-06 09:19:01:203: Issuing Access-Challenge.
[1392] 09-06 09:19:01:203: No AUTHENTICATION extensions, continuing
[1392] 09-06 09:19:01:203: No AUTHORIZATION extensions, continuing
[1392] 09-06 09:19:01:219: Successfully retrieved session (117) for user MyDomain\MyUser.
[1392] 09-06 09:19:01:219: Processing output from EAP: action:2
[1392] 09-06 09:19:01:219: Translating attributes returned by EAPHost.
[1392] 09-06 09:19:01:219: EAP authentication failed.
[1392] 09-06 09:19:01:219: No AUTHENTICATION extensions, continuing
[1392] 09-06 09:19:01:219: No AUTHORIZATION extensions, continuing
[1392] 09-06 09:19:01:219: Inserting outbound EAP-Message of length 4.
Log: SVCHOST_RASCHAP.log
[1392] 09-06 09:19:01:157: EapMSChapv2End
[1392] 09-06 09:19:01:157: EapMSChapv2End
Log: SVCHOST_RASTLS.log
[1392] 09-06 09:19:01:141: EapPeapEnd
[1392] 09-06 09:19:01:141: EapTlsEnd
[1392] 09-06 09:19:01:141: EapTlsEnd(MyDomain\MyUser)
[1392] 09-06 09:19:01:157: EapPeapEnd done
[1392] 09-06 09:19:01:157: EapPeapEnd
[1392] 09-06 09:19:01:157: EapTlsEnd
[1392] 09-06 09:19:01:157: EapTlsEnd(MyDomain\MyUser)
[1392] 09-06 09:19:01:157: EapPeapEnd done
[1392] 09-06 09:19:01:157: EapPeapBegin
[1392] 09-06 09:19:01:157: EapPeapBegin - flags(0x402)
[1392] 09-06 09:19:01:157: PeapReadUserData
[1392] 09-06 09:19:01:157:
[1392] 09-06 09:19:01:157: EapTlsBegin(MyDomain\MyUser)
[1392] 09-06 09:19:01:157: SetupMachineChangeNotification
[1392] 09-06 09:19:01:157: State change to Initial
[1392] 09-06 09:19:01:157: EapTlsBegin: Detected PEAP authentication
[1392] 09-06 09:19:01:157: MaxTLSMessageLength is now 16384
[1392] 09-06 09:19:01:157: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1392] 09-06 09:19:01:157: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[1392] 09-06 09:19:01:157: The root cert will not be checked for revocation
[1392] 09-06 09:19:01:157: The cert will be checked for revocation
[1392] 09-06 09:19:01:157: EapPeapBegin done
[1392] 09-06 09:19:01:157: EapPeapMakeMessage
[1392] 09-06 09:19:01:157: EapPeapSMakeMessage, flags(0xc05)
[1392] 09-06 09:19:01:157: EapPeapSMakeMessage, user prop flags(0x3)
[1392] 09-06 09:19:01:157: PEAP:PEAP_STATE_INITIAL
[1392] 09-06 09:19:01:157: EapTlsSMakeMessage, state(0)
[1392] 09-06 09:19:01:157: EapTlsReset
[1392] 09-06 09:19:01:157: State change to Initial
[1392] 09-06 09:19:01:157: EapGetCredentials
[1392] 09-06 09:19:01:157: Flag is Server and Store is local Machine
[1392] 09-06 09:19:01:157: GetCachedCredentials Flags = 0x40e1
[1392] 09-06 09:19:01:157: FindNodeInCachedCredList, flags(0x40e1), default cached creds(0), check thread token(1)
[1392] 09-06 09:19:01:157: pNode->dwCredFlags = 0x32
[1392] 09-06 09:19:01:157: pNode->dwCredFlags = 0x12
[1392] 09-06 09:19:01:157: GetCachedCredentials Flags = 0x40e1
[1392] 09-06 09:19:01:157: FindNodeInCachedCredList, flags(0x40e1), default cached creds(1), check thread token(1)
[1392] 09-06 09:19:01:157: pNode->dwCredFlags = 0x32
[1392] 09-06 09:19:01:157: GetCachedCredentials: Using Cached Credentials
[1392] 09-06 09:19:01:157: GetCachedCredentials: Hash of the cert in the cache is
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[1392] 09-06 09:19:01:157: Using cached credentials for default machine cert.
[1392] 09-06 09:19:01:157: BuildPacket
[1392] 09-06 09:19:01:157: << Sending Request (Code: 1) packet: Id: 101, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1392] 09-06 09:19:01:157: State change to SentStart
[1392] 09-06 09:19:01:157: EapPeapSMakeMessage done
[1392] 09-06 09:19:01:157: EapPeapMakeMessage done
[2784] 09-06 09:19:01:188: EapPeapMakeMessage
[2784] 09-06 09:19:01:188: EapPeapSMakeMessage, flags(0xc05)
[2784] 09-06 09:19:01:188: EapPeapSMakeMessage, user prop flags(0x3)
[2784] 09-06 09:19:01:188: Cloned PPP_EAP_PACKET packet
[2784] 09-06 09:19:01:188: PEAP:PEAP_STATE_TLS_INPROGRESS
[2784] 09-06 09:19:01:188: EapTlsSMakeMessage, state(1)
[2784] 09-06 09:19:01:188: MakeReplyMessage
[2784] 09-06 09:19:01:188: Reallocating input TLS blob buffer
[2784] 09-06 09:19:01:188: SecurityContextFunction
[2784] 09-06 09:19:01:188: AcceptSecurityContext returned 0x90312
[2784] 09-06 09:19:01:188: State change to SentHello
[2784] 09-06 09:19:01:188: BuildPacket
[2784] 09-06 09:19:01:188: << Sending Request (Code: 1) packet: Id: 102, Length: 1396, Type: 13, TLS blob length: 1614. Flags: LM
[2784] 09-06 09:19:01:188: EapPeapSMakeMessage done
[2784] 09-06 09:19:01:188: EapPeapMakeMessage done
[1392] 09-06 09:19:01:203: EapPeapMakeMessage
[1392] 09-06 09:19:01:203: EapPeapSMakeMessage, flags(0xe05)
[1392] 09-06 09:19:01:203: EapPeapSMakeMessage, user prop flags(0x3)
[1392] 09-06 09:19:01:203: Cloned PPP_EAP_PACKET packet
[1392] 09-06 09:19:01:203: PEAP:PEAP_STATE_TLS_INPROGRESS
[1392] 09-06 09:19:01:203: EapTlsSMakeMessage, state(2)
[1392] 09-06 09:19:01:203: BuildPacket
[1392] 09-06 09:19:01:203: << Sending Request (Code: 1) packet: Id: 103, Length: 234, Type: 13, TLS blob length: 0. Flags:
[1392] 09-06 09:19:01:203: EapPeapSMakeMessage done
[1392] 09-06 09:19:01:203: EapPeapMakeMessage done
[1392] 09-06 09:19:01:219: EapPeapMakeMessage
[1392] 09-06 09:19:01:219: EapPeapSMakeMessage, flags(0xe05)
[1392] 09-06 09:19:01:219: EapPeapSMakeMessage, user prop flags(0x3)
[1392] 09-06 09:19:01:219: Cloned PPP_EAP_PACKET packet
[1392] 09-06 09:19:01:219: PEAP:PEAP_STATE_TLS_INPROGRESS
[1392] 09-06 09:19:01:219: EapTlsSMakeMessage, state(2)
[1392] 09-06 09:19:01:219: MakeReplyMessage
[1392] 09-06 09:19:01:219: Reallocating input TLS blob buffer
[1392] 09-06 09:19:01:219: SecurityContextFunction
[1392] 09-06 09:19:01:219: AcceptSecurityContext returned 0x80090330
[1392] 09-06 09:19:01:219: State change to SentFinished. Error: 0x80090330
[1392] 09-06 09:19:01:219: Negotiation unsuccessful
[1392] 09-06 09:19:01:219: BuildPacket
[1392] 09-06 09:19:01:219: << Sending Failure (Code: 4) packet: Id: 104, Length: 4, Type: 0, TLS blob length: 0. Flags:
[1392] 09-06 09:19:01:219: AuthResultCode = (-2146893008), bCode = (4)
[1392] 09-06 09:19:01:219: EapPeapSMakeMessage done
[1392] 09-06 09:19:01:219: EapPeapMakeMessage done
============================================================================
Another error, which I guess is related to RADIUS accounting:
Log Name: System
Source: NPS
Date: 9/6/2012 9:23:35 AM
Event ID: 16
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: NameOfTheServer.MyDomain.local
Description:
A RADIUS message with the Code field set to 1, which is not valid, was received on port 1813 from RADIUS client yyyy. Valid values of the RADIUS Code field are documented in RFC 2865.
Thursday, September 6, 2012 6:18 PM
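The NPS event 16 above complains about a RADIUS packet whose Code is 1 (Access-Request) arriving on the accounting port 1813. The following is an added example, not code from the poster or from Microsoft: it decodes the fixed 20-byte RADIUS header and applies the code-versus-port rule that follows from the standard port assignments in RFC 2865 (authentication, 1812) and RFC 2866 (accounting, 1813). The rule as written here is my reading of those RFCs, not a reproduction of NPS internals, and the sample packet (Access-Request with a constructed User-Name attribute and a zeroed Authenticator) is constructed for the demonstration.

```python
"""Added example: decode a RADIUS header and apply the code/port rule NPS event 16 reports."""
import struct
from typing import Optional

# Packet codes from RFC 2865 (authentication) and RFC 2866 (accounting).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
AUTH_PORT, ACCT_PORT = 1812, 1813
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def build_radius(code: int, ident: int, attrs: bytes = b"",
                 authenticator: bytes = bytes(16)) -> bytes:
    """Assemble a RADIUS packet; the Authenticator is a constructed placeholder here."""
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def parse_radius_header(packet: bytes) -> dict:
    """Validate the fixed header and return its fields; raise on malformed input."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not HEADER_LEN <= length <= 4096:  # bounds RFC 2865 places on Length
        raise ValueError(f"invalid Length field {length}")
    if length > len(packet):
        raise ValueError("Length field exceeds the bytes received")
    return {"code": code, "name": RADIUS_CODES.get(code, "unknown"),
            "identifier": ident, "length": length, "authenticator": packet[4:20]}


def code_problem(code: int, port: int) -> Optional[str]:
    """Explain why a Code is not acceptable on a port, or None when it is."""
    name = RADIUS_CODES.get(code)
    if name is None:
        return f"code {code} is not a valid RADIUS Code value (RFC 2865)"
    if port == ACCT_PORT and code not in (4, 5):
        return f"code {code} ({name}) is not valid on accounting port {port}"
    if port == AUTH_PORT and code in (4, 5):
        return f"code {code} ({name}) is not valid on authentication port {port}"
    return None


if __name__ == "__main__":
    # Constructed sample: an Access-Request (code 1) delivered to the accounting
    # port, the situation the NPS event in the question describes.
    pkt = build_radius(1, 7, attrs=b"\x01\x06user")  # User-Name attribute, constructed
    hdr = parse_radius_header(pkt)
    print(hdr["name"], hdr["length"], code_problem(hdr["code"], ACCT_PORT))
```

A mismatch like this usually means the access point is sending its authentication traffic to the accounting port (or the RADIUS client entry on the AP has the ports swapped), which is worth checking separately from the EAP failure.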
Answers
Hi,
You may refer to the following article to reconfigure the wireless 802.1x authentication.
Creating a secure 802.1x wireless infrastructure using Microsoft Windows
802.1X Authenticated Wireless Deployment Guide
http://technet.microsoft.com/en-us/library/dd283093(WS.10).aspx
Best Regards, Aiden
Aiden Cao
TechNet Community Support
Thursday, September 13, 2012 2:20 AM
All replies
Hi Guys,
I deleted my last policy and I created one exactly like this step by step.
http://na4.salesforce.com/_ui/selfservice/pkb/PublicKnowledgeSolution/d?orgId=00D600000006uBw&id=50160000000SAqm&retURL=%2Fsol%2Fpublic%2Fsolutionbrowser.jsp%3Fcid%3D02n60000000HGp3%26orgId%3D00D600000006uBw%26search%3DRADIUS%253A%2BCreating%2Ba%2Bpolicy%2Bin%2BNPS%2Bto%2Bsupport%2BPEAP-MSCHAPv2%2B-%2BMachine%2BAuthentication%26t%3D4&ps=1
But I am still receiving the same problem.
Friday, September 7, 2012 10:28 PM
Hi,
Thanks for your update.
I assume that the Windows 7 Client was domain joined. Please also verify that the Root CA was listed in the Certificate-Current User -> Trusted Root Certification Authorities container. In order to troubleshoot, please try to add another network policy to provide access, with conditions set to allow Computer Groups. At the client side, change the Advanced 802.1X settings authentication mode to User or computer authentication or Computer authentication.
Best Regards,
Aiden
Aiden Cao
TechNet Community Support
Monday, September 10, 2012 9:50 AM
Hi Aiden, Thank you very much for your answer!
The result is still the same error:
Event - System - Schannel: The following fatal alert was generated: 20. The internal error state is 960.
Event - Network Policy: Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
- The client is in the domain.
- The certificate is listed in Certificate-Current User -> Trusted Root Certification Authorities container in both (Radius/Root CA and Client).
- I created a new group in AD and added the laptop that I am using to test. Then I created the new policy allowing the computer group.
Before I did that, I tried to connect with a wrong password, but I received the same error, so it isn't even getting to the phase where the password is checked in AD; the problem must be in the phase before.
If you have any other suggestion, it will be totally welcome!!! I will keep trying here, and any change in the results I will post here.
Again, thank you very much.
Estevao
Monday, September 10, 2012 6:12 PM
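Estevao's observation above (a wrong password produces the same error, so the failure is before the AD credential check) can be confirmed from the traces in the question. The following is an added triage helper, not code from the poster or from Microsoft: it pulls the relevant fields out of the NPS event 6273 text, the Schannel event and the RASTLS/RASCHAP trace lines, and names the PEAP phase in which authentication died. The constant tables are standard values (TLS alert 20 is bad_record_mac per RFC 5246; 0x80090330 is the SSPI status SEC_E_DECRYPT_FAILURE, which is also what the signed AuthResultCode -2146893008 encodes); the sample inputs are excerpts of the logs quoted in the thread, with the poster's placeholders kept.

```python
"""Added triage helper for the NPS event and RAS traces quoted in this thread."""
import re
from typing import Dict, List, Tuple

# Standard constants (RFC 5246 alert numbers, SSPI status codes); not from the thread.
TLS_ALERTS = {20: "bad_record_mac", 40: "handshake_failure", 42: "bad_certificate",
              46: "certificate_unknown", 48: "unknown_ca"}
SSPI_STATUS = {0x00090312: "SEC_I_CONTINUE_NEEDED", 0x80090308: "SEC_E_INVALID_TOKEN",
               0x80090325: "SEC_E_UNTRUSTED_ROOT", 0x80090326: "SEC_E_ILLEGAL_MESSAGE",
               0x80090327: "SEC_E_CERT_UNKNOWN", 0x80090328: "SEC_E_CERT_EXPIRED",
               0x80090330: "SEC_E_DECRYPT_FAILURE", 0x80090331: "SEC_E_ALGORITHM_MISMATCH"}

STATE_RE = re.compile(r"State change to (\w+)")
PEAP_RE = re.compile(r"PEAP:(PEAP_STATE_\w+)")
SSPI_RE = re.compile(r"AcceptSecurityContext returned (0x[0-9A-Fa-f]+)")
PACKET_RE = re.compile(r"<< Sending (\w+) \(Code: (\d+)\) packet: Id: (\d+)")
ALERT_RE = re.compile(r"fatal alert was generated: (\d+)")


def hresult_from_signed(value: int) -> int:
    """AuthResultCode is logged as a signed 32-bit int; map it back to the HRESULT."""
    return value & 0xFFFFFFFF


def parse_event_fields(text: str) -> Dict[str, str]:
    """Split the 'Key: value' lines of a Windows event on the first colon."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def parse_trace(text: str) -> dict:
    """Collect the EAP-TLS state path, SSPI results and EAP packets from RAS traces."""
    states: List[str] = []
    peap_states: List[str] = []
    sspi: List[Tuple[int, str]] = []
    packets: List[Tuple[str, int, int]] = []
    inner_started = False
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            states.append(m.group(1))
        if m := PEAP_RE.search(line):
            peap_states.append(m.group(1))
        if m := SSPI_RE.search(line):
            code = int(m.group(1), 16)
            sspi.append((code, SSPI_STATUS.get(code, "unknown")))
        if m := PACKET_RE.search(line):
            packets.append((m.group(1), int(m.group(2)), int(m.group(3))))
        # RASCHAP logs EapMSChapv2Begin only once the TLS tunnel is up and the inner
        # method starts; the thread's RASCHAP trace shows only EapMSChapv2End.
        if "EapMSChapv2Begin" in line:
            inner_started = True
    return {"states": states, "peap_states": peap_states, "sspi": sspi,
            "packets": packets, "inner_started": inner_started}


def triage(event_text: str, schannel_text: str, trace_text: str) -> dict:
    """Combine the three sources and name the PEAP phase in which auth failed."""
    ev = parse_event_fields(event_text)
    tr = parse_trace(trace_text)
    alert_m = ALERT_RE.search(schannel_text)
    alert = int(alert_m.group(1)) if alert_m else None
    last_sspi = tr["sspi"][-1] if tr["sspi"] else None
    tls_failed = bool(not tr["inner_started"] and tr["peap_states"]
                      and tr["peap_states"][-1] == "PEAP_STATE_TLS_INPROGRESS"
                      and last_sspi and last_sspi[0] & 0x80000000)
    if tls_failed:
        phase, note = "outer-tls-handshake", (
            "TLS handshake failed before inner EAP-MSCHAPv2 began, so the user's credentials "
            "were never evaluated; look at the server certificate, Schannel and client trust "
            "settings rather than at the account.")
    elif tr["inner_started"]:
        phase, note = "inner-eap-mschapv2", "TLS tunnel came up; the failure is in the inner credential check."
    else:
        phase, note = "unknown", "No recognizable EAP-TLS failure path in the trace."
    return {"reason_code": int(ev.get("Reason Code") or 0), "event_eap_type": ev.get("EAP Type"),
            "tls_alert": alert, "tls_alert_name": TLS_ALERTS.get(alert, "unknown") if alert is not None else None,
            "last_sspi": last_sspi, "last_packet": tr["packets"][-1] if tr["packets"] else None,
            "phase": phase, "note": note}


# Constructed sample input: excerpts of the event and traces quoted in the thread above.
SAMPLE_EVENT = """Event ID: 6273
Network Policy Name: -
EAP Type: -
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors."""
SAMPLE_SCHANNEL = "The following fatal alert was generated: 20. The internal error state is 960."
SAMPLE_TRACE = """[1392] 09-06 09:19:01:157: EapMSChapv2End
[1392] 09-06 09:19:01:157: << Sending Request (Code: 1) packet: Id: 101, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1392] 09-06 09:19:01:157: State change to SentStart
[2784] 09-06 09:19:01:188: PEAP:PEAP_STATE_TLS_INPROGRESS
[2784] 09-06 09:19:01:188: AcceptSecurityContext returned 0x90312
[2784] 09-06 09:19:01:188: State change to SentHello
[1392] 09-06 09:19:01:219: PEAP:PEAP_STATE_TLS_INPROGRESS
[1392] 09-06 09:19:01:219: AcceptSecurityContext returned 0x80090330
[1392] 09-06 09:19:01:219: State change to SentFinished. Error: 0x80090330
[1392] 09-06 09:19:01:219: << Sending Failure (Code: 4) packet: Id: 104, Length: 4, Type: 0, TLS blob length: 0. Flags:"""

if __name__ == "__main__":
    for key, val in triage(SAMPLE_EVENT, SAMPLE_SCHANNEL, SAMPLE_TRACE).items():
        print(f"{key}: {val}")
```

On the thread's data the helper reports phase `outer-tls-handshake`: the last `AcceptSecurityContext` call returned SEC_E_DECRYPT_FAILURE while the PEAP state was still TLS-in-progress and no inner MSCHAPv2 session ever began, which is exactly why a wrong password changes nothing in the logs.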