Remove From My Forums

Wireless with 802.1X using Microsoft Win2k8 R2 as Radius Server and Certificate Authority doesn't work

Question
0

Sign in to vote

Hi Everyone, I would like to ask for a clue to my case, any help is welcome.
I tryed to use the answers already posted in the forum, but I still with the same problem.

I am trying to configure a wireless network with - WPA2/IEEE 802.1x using PEAP, with PSK works fine, but

with 802.1x doesn't work. The server generated the following message:

"An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP).

Check EAP log files for EAP errors."

Below are the details of my configuration in the server Win2k8 R2 and the Windows 7 client.

NPS:
Radius Clients and Servers:
   Radius Client: I defined my access point:
       Friendly name:yyyy
       IP: xxxxx
       Shared Secret: xxxxxx
       Vendor: Radius Standard
       Additional Options: Unchecked

Policies:
   Connection Request Policies:
       The first Police:
       Overview:
           Policy name: same as friendly name
           Policy State: enable
           Network Connection Method: Unspecified
       Conditions:
           Client Friendly name: yyyy (the same as radius client)
       Settings:
           Athentication Methods: Check in Override Network Policy authentication
           Athentication: Authentica requests on this server
           Accounting: Unavailable
           Attribute: No configured / nothing
           Radius Attributes-Standard: No configured / nothing
           Radius Attributes-Vendor Specific: No configured / nothing
   Network Policies:
       The first Police:
       Overview:
           Policy name: same as friendly name
           Policy State: enable
           Access Permission:    Check "Grand Access"
                   Check "Ignore user account dial-in properties"
           Network Connection Method:
                   Type of network access server: Unspecified
       Conditions:
           User Groups - Value (mydomain\domain users)
       Constraints:
           Authentication Methods: EAP type: PEAP
               PEAP edit: Point to my certificate (the server is also AD CA)
                   Enable fast Reconnect
                   Secured password (EAP-MSCHAP v2)
           Idle Timeout: default
           Session timeout: default
           Called Station ID: default
           Day and time Restrictions: default
           NAS Port type: Checked: Wireless IEEE 802.11 and Ethernet on Commun

802.1x connection tunnel types.
       Settings:
           Radius Attributes-Standard: No configured / nothing
           Radius Attributes-Vendor Specific: No configured / nothing
           Default to all other options in Network access protection and Routing and

Remote Access

==============================================================================

Certificate Authority: in the same server

Default options in the wizard to ADD the role of AD CS, except for "standalone" and "7 years".
The certificate is there, don't have subject alternative name, but in Subject is specified correct the

domain.
Issued certificates:
   7 days to expiration date
Also I verified in:
MMC > Add or Remove Snap-ins > certificate > local Computer > Then Certificates:
Personal > certificates > The certificate is there
Trusted Root Certification Authorities > Certificates > there are 2 certificates inside, with the same

name,but different icons.

===============================================================================

Windows 7 client:

Imported automatically the certificate.

WPA2-Enterprise/ AES /
Authentication Method: PEAP:
       Validate server certificate: Point to certificate used by the Radius
       Authentication Method: EAP-MSCHAP v2 (uncheck automatically use my win Logon)
       check "Enable fast reconnect"
Advanced Settings:
       802.1x settings:
           Check "specify authentication mode" then Select "User Authentication"

==========================================================

==========================================================

==========================================================

==========================================================

Logs when I tryed to connect:

Event Viewer: Network Policy and Access Services
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/6/2012 9:19:01 AM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      NameOfTheServer.MyDomain.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
   Security ID:           NULL SID
   Account Name:           MyDomain\MyUser
   Account Domain:           MyDomain
   Fully Qualified Account Name:   MyDomain\MyUser

Client Machine:
   Security ID:           NULL SID
   Account Name:           -
   Fully Qualified Account Name:   -
   OS-Version:           -
   Called Station Identifier:       0E-18-1A-36-2A-06:MySSID
   Calling Station Identifier:       00-1F-E1-46-A6-65

NAS:
   NAS IPv4 Address:       6.54.42.6
   NAS IPv6 Address:       -
   NAS Identifier:           -
   NAS Port-Type:           Wireless - IEEE 802.11
   NAS Port:           0

RADIUS Client:
   Client Friendly Name:       yyyy
   Client IP Address:           xxxx

Authentication Details:
   Connection Request Policy Name:   yyyy
   Network Policy Name:       -
   Authentication Provider:       Windows
   Authentication Server:       NameOfTheServer.MyDomain.local
   Authentication Type:       PEAP
   EAP Type:           -
   Account Session Identifier:       -
   Logging Results:           Accounting information was written to the local log file.
   Reason Code:           23
   Reason:               An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

===================================================
Event Viewer: Windows Logs: System

Log Name:      System
Source:        Schannel
Date:          9/6/2012 9:19:01 AM
Event ID:      36888
Task Category: None
Level:         Error
Keywords:
User:          SYSTEM
Computer:      NameOfTheServer.MyDomain.local
Description:
The following fatal alert was generated: 20. The internal error state is 960.

=====================================================================

netsh ras set tracing * en

Log: IASNAP.log

[1392] 09-06 09:19:01:141: The request comes from NAS type 0
[1392] 09-06 09:19:01:141: Applying CRP policy:yyyy
[2784] 09-06 09:19:01:188: The request comes from NAS type 0
[2784] 09-06 09:19:01:188: Applying CRP policy:yyyy
[1392] 09-06 09:19:01:203: The request comes from NAS type 0
[1392] 09-06 09:19:01:203: Applying CRP policy:yyyy
[1392] 09-06 09:19:01:219: The request comes from NAS type 0
[1392] 09-06 09:19:01:219: Applying CRP policy:yyyy

Log: IASRAD.log

[1392] 09-06 09:19:01:141: Receive RADIUS packet with size 172 from ::ffff:xxxx
[1392] 09-06 09:19:01:157: message authenticator Attribute added to out-bound RADIUS packet
[1392] 09-06 09:19:01:157: Message Authenticator Attribute set in out UDP buffer
[2784] 09-06 09:19:01:188: Receive RADIUS packet with size 300 from ::ffff:xxxx
[2784] 09-06 09:19:01:188: message authenticator Attribute added to out-bound RADIUS packet
[2784] 09-06 09:19:01:188: Message Authenticator Attribute set in out UDP buffer
[1392] 09-06 09:19:01:203: Receive RADIUS packet with size 201 from ::ffff:xxxx
[1392] 09-06 09:19:01:203: message authenticator Attribute added to out-bound RADIUS packet
[1392] 09-06 09:19:01:203: Message Authenticator Attribute set in out UDP buffer
[1392] 09-06 09:19:01:219: Receive RADIUS packet with size 540 from ::ffff:xxxx
[1392] 09-06 09:19:01:219: message authenticator Attribute added to out-bound RADIUS packet
[1392] 09-06 09:19:01:219: Message Authenticator Attribute set in out UDP buffer

Log:IASSAM.log

[1392] 09-06 09:19:01:141: NT-SAM Names handler received request with user identity MyDomain\MyUser.
[1392] 09-06 09:19:01:141: Username is already an NT4 account name.
[1392] 09-06 09:19:01:141: SAM-Account-Name is "MyDomain\MyUser".
[1392] 09-06 09:19:01:141: Successfully created new CRP Based EAP session for user MyDomain\MyUser.
[1392] 09-06 09:19:01:141: Allowed EAP type: 25
[1392] 09-06 09:19:01:157: Succesfully created EAP Host session with session id 117
[1392] 09-06 09:19:01:157: Processing output from EAP: action:1
[1392] 09-06 09:19:01:157: Inserting outbound EAP-Message of length 6.
[1392] 09-06 09:19:01:157: Issuing Access-Challenge.
[1392] 09-06 09:19:01:157: No AUTHENTICATION extensions, continuing
[1392] 09-06 09:19:01:157: No AUTHORIZATION extensions, continuing
[2784] 09-06 09:19:01:188: Successfully retrieved session (117) for user MyDomain\MyUser.
[2784] 09-06 09:19:01:188: Processing output from EAP: action:1
[2784] 09-06 09:19:01:188: Inserting outbound EAP-Message of length 1396.
[2784] 09-06 09:19:01:188: Issuing Access-Challenge.
[2784] 09-06 09:19:01:188: No AUTHENTICATION extensions, continuing
[2784] 09-06 09:19:01:188: No AUTHORIZATION extensions, continuing
[1392] 09-06 09:19:01:203: Successfully retrieved session (117) for user MyDomain\MyUser.
[1392] 09-06 09:19:01:203: Processing output from EAP: action:1
[1392] 09-06 09:19:01:203: Inserting outbound EAP-Message of length 234.
[1392] 09-06 09:19:01:203: Issuing Access-Challenge.
[1392] 09-06 09:19:01:203: No AUTHENTICATION extensions, continuing
[1392] 09-06 09:19:01:203: No AUTHORIZATION extensions, continuing
[1392] 09-06 09:19:01:219: Successfully retrieved session (117) for user MyDomain\MyUser.
[1392] 09-06 09:19:01:219: Processing output from EAP: action:2
[1392] 09-06 09:19:01:219: Translating attributes returned by EAPHost.
[1392] 09-06 09:19:01:219: EAP authentication failed.
[1392] 09-06 09:19:01:219: No AUTHENTICATION extensions, continuing
[1392] 09-06 09:19:01:219: No AUTHORIZATION extensions, continuing
[1392] 09-06 09:19:01:219: Inserting outbound EAP-Message of length 4.

Log: SVCHOST_RASCHAP.log

[1392] 09-06 09:19:01:157: EapMSChapv2End
[1392] 09-06 09:19:01:157: EapMSChapv2End

Log: SVCHOST_RASTLS.log

[1392] 09-06 09:19:01:141: EapPeapEnd
[1392] 09-06 09:19:01:141: EapTlsEnd
[1392] 09-06 09:19:01:141: EapTlsEnd(MyDomain\MyUser)
[1392] 09-06 09:19:01:157: EapPeapEnd done
[1392] 09-06 09:19:01:157: EapPeapEnd
[1392] 09-06 09:19:01:157: EapTlsEnd
[1392] 09-06 09:19:01:157: EapTlsEnd(MyDomain\MyUser)
[1392] 09-06 09:19:01:157: EapPeapEnd done
[1392] 09-06 09:19:01:157: EapPeapBegin
[1392] 09-06 09:19:01:157: EapPeapBegin - flags(0x402)
[1392] 09-06 09:19:01:157: PeapReadUserData
[1392] 09-06 09:19:01:157:
[1392] 09-06 09:19:01:157: EapTlsBegin(MyDomain\MyUser)
[1392] 09-06 09:19:01:157: SetupMachineChangeNotification
[1392] 09-06 09:19:01:157: State change to Initial
[1392] 09-06 09:19:01:157: EapTlsBegin: Detected PEAP authentication
[1392] 09-06 09:19:01:157: MaxTLSMessageLength is now 16384
[1392] 09-06 09:19:01:157: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1392] 09-06 09:19:01:157: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[1392] 09-06 09:19:01:157: The root cert will not be checked for revocation
[1392] 09-06 09:19:01:157: The cert will be checked for revocation
[1392] 09-06 09:19:01:157: EapPeapBegin done
[1392] 09-06 09:19:01:157: EapPeapMakeMessage
[1392] 09-06 09:19:01:157: EapPeapSMakeMessage, flags(0xc05)
[1392] 09-06 09:19:01:157: EapPeapSMakeMessage, user prop flags(0x3)
[1392] 09-06 09:19:01:157: PEAP:PEAP_STATE_INITIAL
[1392] 09-06 09:19:01:157: EapTlsSMakeMessage, state(0)
[1392] 09-06 09:19:01:157: EapTlsReset
[1392] 09-06 09:19:01:157: State change to Initial
[1392] 09-06 09:19:01:157: EapGetCredentials
[1392] 09-06 09:19:01:157: Flag is Server and Store is local Machine
[1392] 09-06 09:19:01:157: GetCachedCredentials Flags = 0x40e1
[1392] 09-06 09:19:01:157: FindNodeInCachedCredList, flags(0x40e1), default cached creds(0), check thread token(1)
[1392] 09-06 09:19:01:157: pNode->dwCredFlags = 0x32
[1392] 09-06 09:19:01:157: pNode->dwCredFlags = 0x12
[1392] 09-06 09:19:01:157: GetCachedCredentials Flags = 0x40e1
[1392] 09-06 09:19:01:157: FindNodeInCachedCredList, flags(0x40e1), default cached creds(1), check thread token(1)
[1392] 09-06 09:19:01:157: pNode->dwCredFlags = 0x32
[1392] 09-06 09:19:01:157: GetCachedCredentials: Using Cached Credentials
[1392] 09-06 09:19:01:157: GetCachedCredentials: Hash of the cert in the cache is
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[1392] 09-06 09:19:01:157: Using cached credentials for default machine cert.
[1392] 09-06 09:19:01:157: BuildPacket
[1392] 09-06 09:19:01:157: << Sending Request (Code: 1) packet: Id: 101, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1392] 09-06 09:19:01:157: State change to SentStart
[1392] 09-06 09:19:01:157: EapPeapSMakeMessage done
[1392] 09-06 09:19:01:157: EapPeapMakeMessage done
[2784] 09-06 09:19:01:188: EapPeapMakeMessage
[2784] 09-06 09:19:01:188: EapPeapSMakeMessage, flags(0xc05)
[2784] 09-06 09:19:01:188: EapPeapSMakeMessage, user prop flags(0x3)
[2784] 09-06 09:19:01:188: Cloned PPP_EAP_PACKET packet
[2784] 09-06 09:19:01:188: PEAP:PEAP_STATE_TLS_INPROGRESS
[2784] 09-06 09:19:01:188: EapTlsSMakeMessage, state(1)
[2784] 09-06 09:19:01:188: MakeReplyMessage
[2784] 09-06 09:19:01:188: Reallocating input TLS blob buffer
[2784] 09-06 09:19:01:188: SecurityContextFunction
[2784] 09-06 09:19:01:188: AcceptSecurityContext returned 0x90312
[2784] 09-06 09:19:01:188: State change to SentHello
[2784] 09-06 09:19:01:188: BuildPacket
[2784] 09-06 09:19:01:188: << Sending Request (Code: 1) packet: Id: 102, Length: 1396, Type: 13, TLS blob length: 1614. Flags: LM
[2784] 09-06 09:19:01:188: EapPeapSMakeMessage done
[2784] 09-06 09:19:01:188: EapPeapMakeMessage done
[1392] 09-06 09:19:01:203: EapPeapMakeMessage
[1392] 09-06 09:19:01:203: EapPeapSMakeMessage, flags(0xe05)
[1392] 09-06 09:19:01:203: EapPeapSMakeMessage, user prop flags(0x3)
[1392] 09-06 09:19:01:203: Cloned PPP_EAP_PACKET packet
[1392] 09-06 09:19:01:203: PEAP:PEAP_STATE_TLS_INPROGRESS
[1392] 09-06 09:19:01:203: EapTlsSMakeMessage, state(2)
[1392] 09-06 09:19:01:203: BuildPacket
[1392] 09-06 09:19:01:203: << Sending Request (Code: 1) packet: Id: 103, Length: 234, Type: 13, TLS blob length: 0. Flags:
[1392] 09-06 09:19:01:203: EapPeapSMakeMessage done
[1392] 09-06 09:19:01:203: EapPeapMakeMessage done
[1392] 09-06 09:19:01:219: EapPeapMakeMessage
[1392] 09-06 09:19:01:219: EapPeapSMakeMessage, flags(0xe05)
[1392] 09-06 09:19:01:219: EapPeapSMakeMessage, user prop flags(0x3)
[1392] 09-06 09:19:01:219: Cloned PPP_EAP_PACKET packet
[1392] 09-06 09:19:01:219: PEAP:PEAP_STATE_TLS_INPROGRESS
[1392] 09-06 09:19:01:219: EapTlsSMakeMessage, state(2)
[1392] 09-06 09:19:01:219: MakeReplyMessage
[1392] 09-06 09:19:01:219: Reallocating input TLS blob buffer
[1392] 09-06 09:19:01:219: SecurityContextFunction
[1392] 09-06 09:19:01:219: AcceptSecurityContext returned 0x80090330
[1392] 09-06 09:19:01:219: State change to SentFinished. Error: 0x80090330
[1392] 09-06 09:19:01:219: Negotiation unsuccessful
[1392] 09-06 09:19:01:219: BuildPacket
[1392] 09-06 09:19:01:219: << Sending Failure (Code: 4) packet: Id: 104, Length: 4, Type: 0, TLS blob length: 0. Flags:
[1392] 09-06 09:19:01:219: AuthResultCode = (-2146893008), bCode = (4)
[1392] 09-06 09:19:01:219: EapPeapSMakeMessage done
[1392] 09-06 09:19:01:219: EapPeapMakeMessage done

============================================================================
Another Error: I guess related with radius accounting:

Log Name:      System
Source:        NPS
Date:          9/6/2012 9:23:35 AM
Event ID:      16
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      NameOfTheServer.MyDomain.local
Description:
A RADIUS message with the Code field set to 1, which is not valid, was received on port 1813 from RADIUS client yyyy. Valid values of the RADIUS Code field are documented in RFC 2865.

Thursday, September 6, 2012 6:18 PM

Answers

0

Sign in to vote
Hi,

You may refer to the following article to reconfigure the wireless 802.1x authetication.

Creating a secure 802.1x wireless infrastructure using Microsoft Windows

http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx

802.1X Authenticated Wireless Deployment Guide

http://technet.microsoft.com/en-us/library/dd283093(WS.10).aspx

Best Regards,

Aiden
Aiden Cao

TechNet Community Support
- Proposed as answer by Aiden_Cao Tuesday, September 18, 2012 2:31 AM
- Marked as answer by Aiden_Cao Monday, September 24, 2012 1:55 AM
Thursday, September 13, 2012 2:20 AM

All replies

0

Sign in to vote

Hi Guys,

I deleted my last policy and I created one exactly like this step by step.

http://na4.salesforce.com/_ui/selfservice/pkb/PublicKnowledgeSolution/d?orgId=00D600000006uBw&id=50160000000SAqm&retURL=%2Fsol%2Fpublic%2Fsolutionbrowser.jsp%3Fcid%3D02n60000000HGp3%26orgId%3D00D600000006uBw%26search%3DRADIUS%253A%2BCreating%2Ba%2Bpolicy%2Bin%2BNPS%2Bto%2Bsupport%2BPEAP-MSCHAPv2%2B-%2BMachine%2BAuthentication%26t%3D4&ps=1

But I still receiving the same problem.

Friday, September 7, 2012 10:28 PM
0

Sign in to vote

Hi,

Thanks for your update.

I assume that the Windows 7 Client was domain joined. Please also verify that the Root CA was listed in the Certificate-Current User -> Trusted Root Certification Authorities container. In order to troubleshoot, please try to add another network policy to provide access, with conditions set to allow Computer Groups. At the client side, change the Advanced 802.1X settings authentication mode to User or computer authentication or Computer authentication.

Best Regards,

Aiden
Aiden Cao

TechNet Community Support

Monday, September 10, 2012 9:50 AM
0

Sign in to vote

Hi Aiden, Thank you very much for your answer!

The result still the same error:

Event - System - Schannel: The following fatal alert was generated: 20. The internal error state is 960.

Event - Network Policy: Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

- The client is in the domain.

- The certificate is listed in Certificate-Current User -> Trusted Root Certification Authorities container in both (Radius/Root CA and Client).

- I create new group in the AD, I added the laptop that I am using to test. Then I create the new policy allowing the computer group.

Before I did that, I tried connect with my password wrong, but I received the same error, so isn't even going to the phase to check password in the AD, the problem must be in phase before.

If you have any other suggestion, it will be totally welcome!!! I will keep trying here, any change in the results I will post the here.

Again, thank you very much.

Estevao

Monday, September 10, 2012 6:12 PM
0

Sign in to vote
Hi,

You may refer to the following article to reconfigure the wireless 802.1x authetication.

Creating a secure 802.1x wireless infrastructure using Microsoft Windows

http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx

802.1X Authenticated Wireless Deployment Guide

http://technet.microsoft.com/en-us/library/dd283093(WS.10).aspx

Best Regards,

Aiden
Aiden Cao

TechNet Community Support
- Proposed as answer by Aiden_Cao Tuesday, September 18, 2012 2:31 AM
- Marked as answer by Aiden_Cao Monday, September 24, 2012 1:55 AM
Thursday, September 13, 2012 2:20 AM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Wireless with 802.1X using Microsoft Win2k8 R2 as Radius Server and Certificate Authority doesn't work

Question

Answers

All replies