Wireless with 802.1X using Microsoft Win2k8 R2 as Radius Server and Certificate Authority doesn't work

  • Question

  • Hi Everyone, I would like to ask for a clue to my case; any help is welcome.
    I tried to use the answers already posted in the forum, but I still have the same problem.

    I am trying to configure a wireless network with WPA2/IEEE 802.1X using PEAP. With PSK it works fine, but with 802.1X it doesn't work. The server generated the following message:

    "An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors."

    Below are the details of my configuration in the server Win2k8 R2 and the Windows 7 client.

    NPS:
    Radius Clients and Servers:
        Radius Client: I defined my access point:
            Friendly name:yyyy
            IP: xxxxx
            Shared Secret: xxxxxx
            Vendor: Radius Standard
            Additional Options: Unchecked

    Policies:
        Connection Request Policies:
            The first Policy:
            Overview:
                Policy name: same as friendly name
                Policy State: enable
                Network Connection Method: Unspecified
            Conditions:
                Client Friendly name: yyyy (the same as radius client)
            Settings:
                Authentication Methods: Check "Override Network Policy authentication"
                Authentication: Authenticate requests on this server
                Accounting: Unavailable
                Attribute: Not configured / nothing
                Radius Attributes-Standard: Not configured / nothing
                Radius Attributes-Vendor Specific: Not configured / nothing
        Network Policies:
            The first Policy:
            Overview:
                Policy name: same as friendly name
                Policy State: enable
                Access Permission:     Check "Grant Access"
                        Check "Ignore user account dial-in properties"
                Network Connection Method:
                        Type of network access server: Unspecified
            Conditions:
                User Groups - Value (mydomain\domain users)
            Constraints:
                Authentication Methods: EAP type: PEAP
                    PEAP edit: Point to my certificate (the server is also AD CA)
                        Enable fast Reconnect
                        Secured password (EAP-MSCHAP v2)
                Idle Timeout: default
                Session timeout: default
                Called Station ID: default
                Day and time Restrictions: default
                NAS Port type: Checked: Wireless IEEE 802.11 and Ethernet on Common 802.1x connection tunnel types.
            Settings:
                Radius Attributes-Standard: Not configured / nothing
                Radius Attributes-Vendor Specific: Not configured / nothing
                Default to all other options in Network Access Protection and Routing and Remote Access

    ==============================================================================

    Certificate Authority: in the same server

    Default options in the wizard to ADD the role of AD CS, except for "standalone" and "7 years".
    The certificate is there; it doesn't have a subject alternative name, but the Subject correctly specifies the domain.
    Issued certificates:
        7 days to expiration date
    Also I verified in:
    MMC > Add or Remove Snap-ins > certificate > local Computer > Then Certificates:
    Personal > certificates > The certificate is there
    Trusted Root Certification Authorities > Certificates > there are 2 certificates inside, with the same name, but different icons.

    ===============================================================================

    Windows 7 client:

    Imported automatically the certificate.

    WPA2-Enterprise/ AES /
    Authentication Method: PEAP:
            Validate server certificate: Point to certificate used by the Radius
            Authentication Method: EAP-MSCHAP v2 (uncheck automatically use my win Logon)
            check "Enable fast reconnect"
    Advanced Settings:
            802.1x settings:
                Check "specify authentication mode" then Select "User Authentication"

    ==========================================================

    Logs when I tried to connect:

    Event Viewer: Network Policy and Access Services
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          9/6/2012 9:19:01 AM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      NameOfTheServer.MyDomain.local
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:            NULL SID
        Account Name:            MyDomain\MyUser
        Account Domain:            MyDomain
        Fully Qualified Account Name:    MyDomain\MyUser

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        0E-18-1A-36-2A-06:MySSID
        Calling Station Identifier:        00-1F-E1-46-A6-65

    NAS:
        NAS IPv4 Address:        6.54.42.6
        NAS IPv6 Address:        -
        NAS Identifier:            -
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            0

    RADIUS Client:
        Client Friendly Name:        yyyy
        Client IP Address:            xxxx

    Authentication Details:
        Connection Request Policy Name:    yyyy
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        NameOfTheServer.MyDomain.local
        Authentication Type:        PEAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            23
        Reason:                An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

    ===================================================
    Event Viewer: Windows Logs: System

    Log Name:      System
    Source:        Schannel
    Date:          9/6/2012 9:19:01 AM
    Event ID:      36888
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      NameOfTheServer.MyDomain.local
    Description:
    The following fatal alert was generated: 20. The internal error state is 960.

    =====================================================================

    netsh ras set tracing * en

    Log: IASNAP.log

    [1392] 09-06 09:19:01:141: The request comes from NAS type 0
    [1392] 09-06 09:19:01:141: Applying CRP policy:yyyy
    [2784] 09-06 09:19:01:188: The request comes from NAS type 0
    [2784] 09-06 09:19:01:188: Applying CRP policy:yyyy
    [1392] 09-06 09:19:01:203: The request comes from NAS type 0
    [1392] 09-06 09:19:01:203: Applying CRP policy:yyyy
    [1392] 09-06 09:19:01:219: The request comes from NAS type 0
    [1392] 09-06 09:19:01:219: Applying CRP policy:yyyy

    Log: IASRAD.log

    [1392] 09-06 09:19:01:141: Receive RADIUS packet with size 172 from ::ffff:xxxx
    [1392] 09-06 09:19:01:157: message authenticator Attribute added to out-bound RADIUS packet
    [1392] 09-06 09:19:01:157: Message Authenticator Attribute set in out UDP buffer
    [2784] 09-06 09:19:01:188: Receive RADIUS packet with size 300 from ::ffff:xxxx
    [2784] 09-06 09:19:01:188: message authenticator Attribute added to out-bound RADIUS packet
    [2784] 09-06 09:19:01:188: Message Authenticator Attribute set in out UDP buffer
    [1392] 09-06 09:19:01:203: Receive RADIUS packet with size 201 from ::ffff:xxxx
    [1392] 09-06 09:19:01:203: message authenticator Attribute added to out-bound RADIUS packet
    [1392] 09-06 09:19:01:203: Message Authenticator Attribute set in out UDP buffer
    [1392] 09-06 09:19:01:219: Receive RADIUS packet with size 540 from ::ffff:xxxx
    [1392] 09-06 09:19:01:219: message authenticator Attribute added to out-bound RADIUS packet
    [1392] 09-06 09:19:01:219: Message Authenticator Attribute set in out UDP buffer

    Log:IASSAM.log

    [1392] 09-06 09:19:01:141: NT-SAM Names handler received request with user identity MyDomain\MyUser.
    [1392] 09-06 09:19:01:141: Username is already an NT4 account name.
    [1392] 09-06 09:19:01:141: SAM-Account-Name is "MyDomain\MyUser".
    [1392] 09-06 09:19:01:141: Successfully created new CRP Based EAP session for user MyDomain\MyUser.
    [1392] 09-06 09:19:01:141: Allowed EAP type: 25
    [1392] 09-06 09:19:01:157: Succesfully created EAP Host session with session id 117
    [1392] 09-06 09:19:01:157: Processing output from EAP: action:1
    [1392] 09-06 09:19:01:157: Inserting outbound EAP-Message of length 6.
    [1392] 09-06 09:19:01:157: Issuing Access-Challenge.
    [1392] 09-06 09:19:01:157: No AUTHENTICATION extensions, continuing
    [1392] 09-06 09:19:01:157: No AUTHORIZATION extensions, continuing
    [2784] 09-06 09:19:01:188: Successfully retrieved session (117) for user MyDomain\MyUser.
    [2784] 09-06 09:19:01:188: Processing output from EAP: action:1
    [2784] 09-06 09:19:01:188: Inserting outbound EAP-Message of length 1396.
    [2784] 09-06 09:19:01:188: Issuing Access-Challenge.
    [2784] 09-06 09:19:01:188: No AUTHENTICATION extensions, continuing
    [2784] 09-06 09:19:01:188: No AUTHORIZATION extensions, continuing
    [1392] 09-06 09:19:01:203: Successfully retrieved session (117) for user MyDomain\MyUser.
    [1392] 09-06 09:19:01:203: Processing output from EAP: action:1
    [1392] 09-06 09:19:01:203: Inserting outbound EAP-Message of length 234.
    [1392] 09-06 09:19:01:203: Issuing Access-Challenge.
    [1392] 09-06 09:19:01:203: No AUTHENTICATION extensions, continuing
    [1392] 09-06 09:19:01:203: No AUTHORIZATION extensions, continuing
    [1392] 09-06 09:19:01:219: Successfully retrieved session (117) for user MyDomain\MyUser.
    [1392] 09-06 09:19:01:219: Processing output from EAP: action:2
    [1392] 09-06 09:19:01:219: Translating attributes returned by EAPHost.
    [1392] 09-06 09:19:01:219: EAP authentication failed.
    [1392] 09-06 09:19:01:219: No AUTHENTICATION extensions, continuing
    [1392] 09-06 09:19:01:219: No AUTHORIZATION extensions, continuing
    [1392] 09-06 09:19:01:219: Inserting outbound EAP-Message of length 4.

    Log:  SVCHOST_RASCHAP.log

    [1392] 09-06 09:19:01:157: EapMSChapv2End
    [1392] 09-06 09:19:01:157: EapMSChapv2End

    Log:  SVCHOST_RASTLS.log

    [1392] 09-06 09:19:01:141: EapPeapEnd
    [1392] 09-06 09:19:01:141: EapTlsEnd
    [1392] 09-06 09:19:01:141: EapTlsEnd(MyDomain\MyUser)
    [1392] 09-06 09:19:01:157: EapPeapEnd done
    [1392] 09-06 09:19:01:157: EapPeapEnd
    [1392] 09-06 09:19:01:157: EapTlsEnd
    [1392] 09-06 09:19:01:157: EapTlsEnd(MyDomain\MyUser)
    [1392] 09-06 09:19:01:157: EapPeapEnd done
    [1392] 09-06 09:19:01:157: EapPeapBegin
    [1392] 09-06 09:19:01:157: EapPeapBegin - flags(0x402)
    [1392] 09-06 09:19:01:157: PeapReadUserData
    [1392] 09-06 09:19:01:157:
    [1392] 09-06 09:19:01:157: EapTlsBegin(MyDomain\MyUser)
    [1392] 09-06 09:19:01:157: SetupMachineChangeNotification
    [1392] 09-06 09:19:01:157: State change to Initial
    [1392] 09-06 09:19:01:157: EapTlsBegin: Detected PEAP authentication
    [1392] 09-06 09:19:01:157: MaxTLSMessageLength is now 16384
    [1392] 09-06 09:19:01:157: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
    [1392] 09-06 09:19:01:157: CRYPT_E_REVOCATION_OFFLINE will not be ignored
    [1392] 09-06 09:19:01:157: The root cert will not be checked for revocation
    [1392] 09-06 09:19:01:157: The cert will be checked for revocation
    [1392] 09-06 09:19:01:157: EapPeapBegin done
    [1392] 09-06 09:19:01:157: EapPeapMakeMessage
    [1392] 09-06 09:19:01:157: EapPeapSMakeMessage, flags(0xc05)
    [1392] 09-06 09:19:01:157: EapPeapSMakeMessage, user prop flags(0x3)
    [1392] 09-06 09:19:01:157: PEAP:PEAP_STATE_INITIAL
    [1392] 09-06 09:19:01:157: EapTlsSMakeMessage, state(0)
    [1392] 09-06 09:19:01:157: EapTlsReset
    [1392] 09-06 09:19:01:157: State change to Initial
    [1392] 09-06 09:19:01:157: EapGetCredentials
    [1392] 09-06 09:19:01:157: Flag is Server and Store is local Machine
    [1392] 09-06 09:19:01:157: GetCachedCredentials Flags = 0x40e1
    [1392] 09-06 09:19:01:157: FindNodeInCachedCredList, flags(0x40e1), default cached creds(0), check thread token(1)
    [1392] 09-06 09:19:01:157: pNode->dwCredFlags = 0x32
    [1392] 09-06 09:19:01:157: pNode->dwCredFlags = 0x12
    [1392] 09-06 09:19:01:157: GetCachedCredentials Flags = 0x40e1
    [1392] 09-06 09:19:01:157: FindNodeInCachedCredList, flags(0x40e1), default cached creds(1), check thread token(1)
    [1392] 09-06 09:19:01:157: pNode->dwCredFlags = 0x32
    [1392] 09-06 09:19:01:157: GetCachedCredentials: Using Cached Credentials
    [1392] 09-06 09:19:01:157: GetCachedCredentials: Hash of the cert in the cache is
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    [1392] 09-06 09:19:01:157: Using cached credentials for default machine cert.
    [1392] 09-06 09:19:01:157: BuildPacket
    [1392] 09-06 09:19:01:157: << Sending Request (Code: 1) packet: Id: 101, Length: 6, Type: 13, TLS blob length: 0. Flags: S
    [1392] 09-06 09:19:01:157: State change to SentStart
    [1392] 09-06 09:19:01:157: EapPeapSMakeMessage done
    [1392] 09-06 09:19:01:157: EapPeapMakeMessage done
    [2784] 09-06 09:19:01:188: EapPeapMakeMessage
    [2784] 09-06 09:19:01:188: EapPeapSMakeMessage, flags(0xc05)
    [2784] 09-06 09:19:01:188: EapPeapSMakeMessage, user prop flags(0x3)
    [2784] 09-06 09:19:01:188: Cloned PPP_EAP_PACKET packet
    [2784] 09-06 09:19:01:188: PEAP:PEAP_STATE_TLS_INPROGRESS
    [2784] 09-06 09:19:01:188: EapTlsSMakeMessage, state(1)
    [2784] 09-06 09:19:01:188: MakeReplyMessage
    [2784] 09-06 09:19:01:188: Reallocating input TLS blob buffer
    [2784] 09-06 09:19:01:188: SecurityContextFunction
    [2784] 09-06 09:19:01:188: AcceptSecurityContext returned 0x90312
    [2784] 09-06 09:19:01:188: State change to SentHello
    [2784] 09-06 09:19:01:188: BuildPacket
    [2784] 09-06 09:19:01:188: << Sending Request (Code: 1) packet: Id: 102, Length: 1396, Type: 13, TLS blob length: 1614. Flags: LM
    [2784] 09-06 09:19:01:188: EapPeapSMakeMessage done
    [2784] 09-06 09:19:01:188: EapPeapMakeMessage done
    [1392] 09-06 09:19:01:203: EapPeapMakeMessage
    [1392] 09-06 09:19:01:203: EapPeapSMakeMessage, flags(0xe05)
    [1392] 09-06 09:19:01:203: EapPeapSMakeMessage, user prop flags(0x3)
    [1392] 09-06 09:19:01:203: Cloned PPP_EAP_PACKET packet
    [1392] 09-06 09:19:01:203: PEAP:PEAP_STATE_TLS_INPROGRESS
    [1392] 09-06 09:19:01:203: EapTlsSMakeMessage, state(2)
    [1392] 09-06 09:19:01:203: BuildPacket
    [1392] 09-06 09:19:01:203: << Sending Request (Code: 1) packet: Id: 103, Length: 234, Type: 13, TLS blob length: 0. Flags:
    [1392] 09-06 09:19:01:203: EapPeapSMakeMessage done
    [1392] 09-06 09:19:01:203: EapPeapMakeMessage done
    [1392] 09-06 09:19:01:219: EapPeapMakeMessage
    [1392] 09-06 09:19:01:219: EapPeapSMakeMessage, flags(0xe05)
    [1392] 09-06 09:19:01:219: EapPeapSMakeMessage, user prop flags(0x3)
    [1392] 09-06 09:19:01:219: Cloned PPP_EAP_PACKET packet
    [1392] 09-06 09:19:01:219: PEAP:PEAP_STATE_TLS_INPROGRESS
    [1392] 09-06 09:19:01:219: EapTlsSMakeMessage, state(2)
    [1392] 09-06 09:19:01:219: MakeReplyMessage
    [1392] 09-06 09:19:01:219: Reallocating input TLS blob buffer
    [1392] 09-06 09:19:01:219: SecurityContextFunction
    [1392] 09-06 09:19:01:219: AcceptSecurityContext returned 0x80090330
    [1392] 09-06 09:19:01:219: State change to SentFinished. Error: 0x80090330
    [1392] 09-06 09:19:01:219: Negotiation unsuccessful
    [1392] 09-06 09:19:01:219: BuildPacket
    [1392] 09-06 09:19:01:219: << Sending Failure (Code: 4) packet: Id: 104, Length: 4, Type: 0, TLS blob length: 0. Flags:
    [1392] 09-06 09:19:01:219: AuthResultCode = (-2146893008), bCode = (4)
    [1392] 09-06 09:19:01:219: EapPeapSMakeMessage done
    [1392] 09-06 09:19:01:219: EapPeapMakeMessage done


    ============================================================================
    Another error, which I guess is related to RADIUS accounting:

    Log Name:      System
    Source:        NPS
    Date:          9/6/2012 9:23:35 AM
    Event ID:      16
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NameOfTheServer.MyDomain.local
    Description:
    A RADIUS message with the Code field set to 1, which is not valid, was received on port 1813 from RADIUS client yyyy. Valid values of the RADIUS Code field are documented in RFC 2865.

    Thursday, September 6, 2012 6:18 PM
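The SVCHOST_RASTLS.log excerpt above shows the session dying at `AcceptSecurityContext` and a Failure packet going out before any inner EAP-MSCHAPv2 exchange, which is exactly what the poster later infers from the wrong-password test. As an added example (not part of this thread), here is a small Python triage script that parses that log format, decodes the SSPI status and the signed AuthResultCode, and names the alert number from the Schannel event; the log excerpt is constructed from the lines quoted in the post, and the status and alert tables hold values from the Windows SDK and RFC 5246.

```python
import re

# Constructed excerpt, laid out like the SVCHOST_RASTLS.log lines quoted in the post
SAMPLE_LOG = """\
[1392] 09-06 09:19:01:157: << Sending Request (Code: 1) packet: Id: 101, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[2784] 09-06 09:19:01:188: AcceptSecurityContext returned 0x90312
[2784] 09-06 09:19:01:188: State change to SentHello
[2784] 09-06 09:19:01:188: << Sending Request (Code: 1) packet: Id: 102, Length: 1396, Type: 13, TLS blob length: 1614. Flags: LM
[1392] 09-06 09:19:01:219: AcceptSecurityContext returned 0x80090330
[1392] 09-06 09:19:01:219: State change to SentFinished. Error: 0x80090330
[1392] 09-06 09:19:01:219: << Sending Failure (Code: 4) packet: Id: 104, Length: 4, Type: 0, TLS blob length: 0. Flags:
[1392] 09-06 09:19:01:219: AuthResultCode = (-2146893008), bCode = (4)
"""

# SSPI/Schannel status codes (Windows SDK values) that appear in a RASTLS trace
SSPI_STATUS = {
    0x00090312: "SEC_I_CONTINUE_NEEDED",   # handshake still in progress, not an error
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x80090325: "SEC_E_UNTRUSTED_ROOT",
    0x80090326: "SEC_E_ILLEGAL_MESSAGE",
    0x80090328: "SEC_E_CERT_EXPIRED",
    0x80090330: "SEC_E_DECRYPT_FAILURE",
    0x80090331: "SEC_E_ALGORITHM_MISMATCH",
}
# TLS alert descriptions (RFC 5246 section 7.2) for "The following fatal alert was generated: N"
TLS_ALERTS = {10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
              42: "bad_certificate", 45: "certificate_expired", 48: "unknown_ca",
              51: "decrypt_error", 70: "protocol_version"}

PACKET_RE = re.compile(r"<< Sending (\w+) \(Code: (\d+)\) packet: Id: (\d+), Length: (\d+), "
                       r"Type: (\d+), TLS blob length: (\d+)\. Flags: ?(\S*)")
SSPI_RE = re.compile(r"AcceptSecurityContext returned 0x([0-9A-Fa-f]+)")
RESULT_RE = re.compile(r"AuthResultCode = \((-?\d+)\)")

def hresult_from_signed(n):
    """NPS logs AuthResultCode as a signed 32-bit int; recover the unsigned HRESULT."""
    return n & 0xFFFFFFFF

def tls_alert_name(number):
    return TLS_ALERTS.get(number, "unknown alert %d" % number)

def triage(log_text):
    """Collect the EAP packets NPS sent and every SSPI result, then decide whether the
    session failed inside the outer PEAP TLS handshake (i.e. before inner MSCHAPv2 ran)."""
    packets, sspi, auth_result = [], [], None
    for line in log_text.splitlines():
        if m := PACKET_RE.search(line):
            kind, code, pid, length, etype, blob, flags = m.groups()
            packets.append({"kind": kind, "code": int(code), "id": int(pid), "length": int(length),
                            "eap_type": int(etype), "tls_blob_len": int(blob), "flags": flags})
        elif m := SSPI_RE.search(line):
            sspi.append(int(m.group(1), 16))
        elif m := RESULT_RE.search(line):
            auth_result = hresult_from_signed(int(m.group(1)))
    last = sspi[-1] if sspi else None
    is_error = last is not None and bool(last & 0x80000000)   # severity bit set => failure HRESULT
    # A Failure packet issued straight after an AcceptSecurityContext error means the TLS
    # tunnel never came up, so no credential was ever checked against AD.
    failed_in_tls = bool(packets) and packets[-1]["kind"] == "Failure" and is_error
    return {"packets": packets, "sspi_results": sspi, "auth_result": auth_result,
            "error_name": SSPI_STATUS.get(last, "unknown"), "failed_in_tls_phase": failed_in_tls}

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for p in r["packets"]:
        print("EAP %-7s id=%d len=%d tls_blob=%d flags=%s" % (p["kind"], p["id"], p["length"], p["tls_blob_len"], p["flags"]))
    print("last SSPI status: 0x%08X (%s)" % (r["sspi_results"][-1], r["error_name"]))
    print("failed in outer TLS handshake:", r["failed_in_tls_phase"], "| Schannel alert 20 =", tls_alert_name(20))
```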

All replies

  • Hi Guys,

    I deleted my last policy and I created one exactly like this step by step.

    http://na4.salesforce.com/_ui/selfservice/pkb/PublicKnowledgeSolution/d?orgId=00D600000006uBw&id=50160000000SAqm&retURL=%2Fsol%2Fpublic%2Fsolutionbrowser.jsp%3Fcid%3D02n60000000HGp3%26orgId%3D00D600000006uBw%26search%3DRADIUS%253A%2BCreating%2Ba%2Bpolicy%2Bin%2BNPS%2Bto%2Bsupport%2BPEAP-MSCHAPv2%2B-%2BMachine%2BAuthentication%26t%3D4&ps=1

    But I am still receiving the same problem.

    Friday, September 7, 2012 10:28 PM
  • Hi,

    Thanks for your update.

    I assume that the Windows 7 Client was domain joined. Please also verify that the Root CA was listed in the Certificate-Current User -> Trusted Root Certification Authorities container. In order to troubleshoot, please try to add another network policy to provide access, with conditions set to allow Computer Groups. At the client side, change the Advanced 802.1X settings authentication mode to User or computer authentication or Computer authentication.

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Monday, September 10, 2012 9:50 AM
  • Hi Aiden, Thank you very much for your answer!

    The result is still the same error:

    Event - System - Schannel: The following fatal alert was generated: 20. The internal error state is 960.

    Event - Network Policy: Reason Code: 23
        Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

    - The client is in the domain.

    - The certificate is listed in Certificate-Current User -> Trusted Root Certification Authorities container in both (Radius/Root CA and Client).

    - I created a new group in AD and added the laptop that I am using to test. Then I created the new policy allowing the computer group.

    Before I did that, I tried to connect with a wrong password, but I received the same error, so it isn't even getting to the phase where the password is checked in AD; the problem must be in the phase before.

    If you have any other suggestion, it will be totally welcome!!! I will keep trying here, and any change in the results I will post here.

    Again, thank you very much.

    Estevao

    Monday, September 10, 2012 6:12 PM
  • Hi,

    You may refer to the following articles to reconfigure the wireless 802.1x authentication.

    Creating a secure 802.1x wireless infrastructure using Microsoft Windows

    http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx

    802.1X Authenticated Wireless Deployment Guide

    http://technet.microsoft.com/en-us/library/dd283093(WS.10).aspx


    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    • Proposed as answer by Aiden_Cao Tuesday, September 18, 2012 2:31 AM
    • Marked as answer by Aiden_Cao Monday, September 24, 2012 1:55 AM
    Thursday, September 13, 2012 2:20 AM