Microsoft NPS with EAP-TLS for Wireless

  • Question

  • Hi community,

    We are trying to authenticate wireless access with user certificates (EAP-TLS), with a Windows group defined to allow the authentication.

    We are facing an issue with an NPS deployment on Windows Server 2012 R2, where DC, CA and NPS are on separate virtual servers.

    The RADIUS request matches the Proxy-Policy-Name, but Fully-Qualified-User-Name is in hexadecimal, so Reason-Code equals 8 ("no such user").

    We have another deployment, with DC, CA and NPS on the same virtual server, but for a completely different domain and with exactly the same configuration, and there User-Name is always in plain text, so the whole authentication process works like a charm, without any problem.

    Does anybody know a workaround?

    Regards.

    Jesus

    Monday, May 1, 2017 5:50 PM

Answers

  • Hi there,

    After further investigation, we have found the issue. Customer certificates were created with a custom template with no SubjectAlternativeName extension. As per Microsoft's certificate requirements for remote authentication, "For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN)."

    Now wireless authentication is correct!

    • Marked as answer by ChusTM Thursday, May 25, 2017 5:35 PM
    Thursday, May 25, 2017 5:35 PM
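    The requirement quoted in the answer can be checked directly against the SubjectAltName extension bytes of a certificate. The code below is an added example, not from this thread or from Microsoft: it decodes the DER of a SubjectAltName value (the content of extension 2.5.29.17), looks for an otherName whose type-id is the Windows UPN OID 1.3.6.1.4.1.311.20.2.3, and reports the three cases a practitioner meets: a template that emits a UPN, a template with no SAN at all (the situation in this thread), and a SAN that only carries a dNSName. The UPN and host names are constructed, and the example builds its own DER so that it runs offline; on a real host you would read the extension from the certificate store instead.

```python
"""Check that a user certificate's SubjectAltName carries a UPN otherName."""

# DER content of OID 1.3.6.1.4.1.311.20.2.3 (Windows szOID_NT_PRINCIPAL_NAME), the
# otherName type-id under which a UPN is stored in a SubjectAltName.
UPN_OID_DER = bytes([0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03])

TAG_SEQUENCE, TAG_OID, TAG_UTF8STRING = 0x30, 0x06, 0x0C
TAG_OTHER_NAME = 0xA0   # GeneralName [0] otherName, constructed
TAG_DNS_NAME = 0x82     # GeneralName [2] dNSName, primitive


def der(tag, content):
    """Encode one DER TLV (single-byte tag, short or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n_bytes)]) + n_bytes
    return bytes([tag]) + length + content


def read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    """Yield (tag, content) for every TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content


def upns_from_san(san_der):
    """Return every UPN in a SubjectAltName extension value (SEQUENCE OF GeneralName)."""
    tag, general_names, _ = read_tlv(san_der)
    if tag != TAG_SEQUENCE:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    upns = []
    for gn_tag, gn in iter_tlvs(general_names):
        if gn_tag != TAG_OTHER_NAME:      # rfc822Name, dNSName, ... cannot carry a UPN
            continue
        # otherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
        parts = list(iter_tlvs(gn))
        if len(parts) != 2 or parts[0] != (TAG_OID, UPN_OID_DER) or parts[1][0] != 0xA0:
            continue
        value_tag, value, _ = read_tlv(parts[1][1])
        if value_tag == TAG_UTF8STRING:
            upns.append(value.decode("utf-8"))
    return upns


def check_user_cert_san(san_der):
    """Apply the quoted requirement: a user certificate needs a UPN in its SubjectAltName."""
    if san_der is None:
        return False, "no SubjectAltName extension; fails the user-certificate requirement"
    upns = upns_from_san(san_der)
    if not upns:
        return False, "SubjectAltName present but carries no UPN otherName"
    return True, "UPN in SubjectAltName: " + ", ".join(upns)


# Constructed samples with hypothetical names: what a compliant template emits,
# and a SAN that only names a host.
def san_with_upn(upn):
    other_name = der(TAG_OID, UPN_OID_DER) + der(0xA0, der(TAG_UTF8STRING, upn.encode("utf-8")))
    return der(TAG_SEQUENCE, der(TAG_OTHER_NAME, other_name))


def san_with_dns_only(dns_name):
    return der(TAG_SEQUENCE, der(TAG_DNS_NAME, dns_name.encode("ascii")))


if __name__ == "__main__":
    cases = [("template with UPN", san_with_upn("user@corp.example")),
             ("custom template without SAN", None),
             ("SAN with dNSName only", san_with_dns_only("host.corp.example"))]
    for label, san in cases:
        ok, why = check_user_cert_san(san)
        print(f"{label}: {'OK' if ok else 'FAIL'} ({why})")
```

    On a Windows host the same information is visible with `certutil -dump <file.cer>`, whose Subject Alternative Name block lists `Other Name: Principal Name=...` when the UPN is present; a certificate issued from a template like the one in this thread shows no such block at all.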

All replies

  • Hi ChusTM

    >>The RADIUS request matches the Proxy-Policy-Name, but Fully-Qualified-User-Name is in hexadecimal, so Reason-Code equals 8 ("no such user").

    Based on your description, the authentication failed. Please check the event logs in event viewer. 

    Please post the logs for both the successful and the unsuccessful cases.

    Best Regards

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 2, 2017 7:18 AM
    These are the log lines for the non-working NPS:

    10.225.0.11,host/IRCLLCNU315B153.uralita.net,04/21/2017,11:04:12,IAS,SPCP1DCOAUT01,4,10.225.0.11,32,00:11:74:86:E6:FF-URSAWLAN,30,00-11-74-86-E6-FF-URSAWLAN,61,19,5,0,31,84-3A-4B-BB-A8-18,77,CONNECT 0Mbps 802.11b,44,843a4bbba818186E6FF1492765458,12,1400,4108,10.225.0.11,4116,0,4128,Mojo_APs,4154,RadiusProxy,4155,1,4129,URALITA\IRCLLCNU315B153$,4130,URALITA\IRCLLCNU315B153$,25,311 1 10.130.10.107 04/20/2017 14:18:11 8,4127,5,4136,1,4142,0
    10.225.0.11,host/IRCLLCNU315B153.uralita.net,04/21/2017,11:04:12,IAS,SPCP1DCOAUT01,25,311 1 10.130.10.107 04/20/2017 14:18:11 8,4127,5,4130,URALITA\IRCLLCNU315B153$,44,843a4bbba818186E6FF1492765458,4129,URALITA\IRCLLCNU315B153$,4155,1,4108,10.225.0.11,4116,0,4128,Mojo_APs,4154,RadiusProxy,4136,3,4142,48
    10.225.0.11,URALITA\DFerra,04/21/2017,11:04:13,IAS,SPCP1DCOAUT01,4,10.225.0.11,32,00:11:74:86:E6:FF-URSAWLAN,30,00-11-74-86-E6-FF-URSAWLAN,61,19,5,0,31,84-3A-4B-BB-A8-18,77,CONNECT 0Mbps 802.11b,44,843a4bbba818186E6FF1492765459,12,1400,4108,10.225.0.11,4116,0,4128,Mojo_APs,4154,RadiusProxy,4155,1,4129,URALITA\DFerra,4130,URALITA\DFerra,25,311 1 10.130.10.107 04/20/2017 14:18:11 9,4127,5,4149,Wireless EAP-TLS,4132,,8136,0,4136,1,4142,0
    10.225.0.11,URALITA\DFerra,04/21/2017,11:04:13,IAS,SPCP1DCOAUT01,25,311 1 10.130.10.107 04/20/2017 14:18:11 9,4132,,8136,0,44,843a4bbba818186E6FF1492765459,4108,10.225.0.11,4116,0,4128,Mojo_APs,4154,RadiusProxy,4155,1,4129,URALITA\DFerra,4130,URALITA\DFerra,4127,5,4149,Wireless EAP-TLS,4136,3,4142,22
    10.225.0.11,0x466572726120456C766972612C2044616E69656C,04/21/2017,11:04:18,IAS,SPCP1DCOAUT01,4,10.225.0.11,32,00:11:74:86:E6:FF-URSAWLAN,30,00-11-74-86-E6-FF-URSAWLAN,61,19,5,0,31,84-3A-4B-BB-A8-18,77,CONNECT 0Mbps 802.11b,44,843a4bbba818186E6FF1492765464,12,1400,4108,10.225.0.11,4116,0,4128,Mojo_APs,4154,RadiusProxy,4155,1,4129,0x5552414C4954415C466572726120456C766972612C2044616E69656C,4130,0x5552414C4954415C466572726120456C766972612C2044616E69656C,25,311 1 10.130.10.107 04/20/2017 14:18:11 10,4127,5,4136,1,4142,0
    10.225.0.11,0x466572726120456C766972612C2044616E69656C,04/21/2017,11:04:18,IAS,SPCP1DCOAUT01,25,311 1 10.130.10.107 04/20/2017 14:18:11 10,4127,5,4130,0x5552414C4954415C466572726120456C766972612C2044616E69656C,4129,0x5552414C4954415C466572726120456C766972612C2044616E69656C,4155,1,44,843a4bbba818186E6FF1492765464,4154,RadiusProxy,4108,10.225.0.11,4116,0,4128,Mojo_APs,4136,3,4142,8

    And these are for the one that works:

    192.168.10.12,administrator@labredes.local,04/04/2017,06:39:51,IAS,WIN-KI2VT2Q2B7G,40,2,45,1,4,192.168.10.12,32,00:11:74:EA:CD:3F-URSAWLAN,30,00-11-74-EA-CD-3F-URSAWLAN,61,19,5,0,31,28-B2-BD-0E-16-81,77,CONNECT 0Mbps 802.11b,44,28b2bd0e16812EACD3F1491280655,25,311 1 192.168.10.99 04/03/2017 07:44:00 33,46,136,47,351,48,0,42,617968,43,0,55,04/04/2017 04:39:54,8,192.168.20.115,49,1,4108,192.168.10.12,4116,0,4128,Access Points,4154,Wireless,4136,4,4142,0
    192.168.10.12,administrator@labredes.local,04/04/2017,06:39:51,IAS,WIN-KI2VT2Q2B7G,4,192.168.10.12,32,00:11:74:EA:CD:3F-URSAWLAN,30,00-11-74-EA-CD-3F-URSAWLAN,61,19,5,0,31,28-B2-BD-0E-16-81,77,CONNECT 0Mbps 802.11b,44,28b2bd0e16812EACD3F1491280794,12,1400,4108,192.168.10.12,4116,0,4128,Access Points,4154,Wireless,4155,1,4129,LABREDES\Administrator,4130,LABREDES\Administrator,25,311 1 192.168.10.99 04/03/2017 07:44:00 34,4127,5,4149,Wireless EAP-TLS,8136,0,4136,1,4142,0
    192.168.10.12,administrator@labredes.local,04/04/2017,06:39:51,IAS,WIN-KI2VT2Q2B7G,25,311 1 192.168.10.99 04/03/2017 07:44:00 34,27,30,8136,0,44,28b2bd0e16812EACD3F1491280794,4149,Wireless EAP-TLS,4108,192.168.10.12,4116,0,4128,Access Points,4154,Wireless,4155,1,4129,LABREDES\Administrator,4130,LABREDES\Administrator,4127,5,4136,11,4142,0
    192.168.10.12,administrator@labredes.local,04/04/2017,06:39:51,IAS,WIN-KI2VT2Q2B7G,4,192.168.10.12,32,00:11:74:EA:CD:3F-URSAWLAN,30,00-11-74-EA-CD-3F-URSAWLAN,61,19,5,0,31,28-B2-BD-0E-16-81,77,CONNECT 0Mbps 802.11b,44,28b2bd0e16812EACD3F1491280794,12,1400,4108,192.168.10.12,4116,0,4128,Access Points,4154,Wireless,4155,1,4129,LABREDES\Administrator,4130,LABREDES\Administrator,25,311 1 192.168.10.99 04/03/2017 07:44:00 35,4127,5,4149,Wireless EAP-TLS,8136,0,4136,1,4142,0
    192.168.10.12,administrator@labredes.local,04/04/2017,06:39:51,IAS,WIN-KI2VT2Q2B7G,25,311 1 192.168.10.99 04/03/2017 07:44:00 35,27,30,8136,0,44,28b2bd0e16812EACD3F1491280794,4108,192.168.10.12,4116,0,4128,Access Points,4149,Wireless EAP-TLS,4154,Wireless,4155,1,4129,LABREDES\Administrator,4130,LABREDES\Administrator,4127,5,4136,11,4142,0
    192.168.10.12,administrator@labredes.local,04/04/2017,06:39:51,IAS,WIN-KI2VT2Q2B7G,4,192.168.10.12,32,00:11:74:EA:CD:3F-URSAWLAN,30,00-11-74-EA-CD-3F-URSAWLAN,61,19,5,0,31,28-B2-BD-0E-16-81,77,CONNECT 0Mbps 802.11b,44,28b2bd0e16812EACD3F1491280794,12,1400,4108,192.168.10.12,4116,0,4128,Access Points,4154,Wireless,4155,1,4129,LABREDES\Administrator,4130,LABREDES\Administrator,4127,5,4149,Wireless EAP-TLS,25,311 1 192.168.10.99 04/03/2017 07:44:00 36,8136,0,8153,0,8111,0,4132,Microsoft: Smart Card or other certificate,4136,1,4142,0
    192.168.10.12,administrator@labredes.local,04/04/2017,06:39:51,IAS,WIN-KI2VT2Q2B7G,25,311 1 192.168.10.99 04/03/2017 07:44:00 36,8153,0,8111,0,4132,Microsoft: Smart Card or other certificate,44,28b2bd0e16812EACD3F1491280794,4108,192.168.10.12,4116,0,4128,Access Points,4154,Wireless,4155,1,4129,LABREDES\Administrator,4130,LABREDES\Administrator,4127,5,4149,Wireless EAP-TLS,8136,0,7,1,6,2,4294967210,50,4294967209,120,4136,2,4142,0
    192.168.10.12,administrator@labredes.local,04/04/2017,06:39:51,IAS,WIN-KI2VT2Q2B7G,40,1,45,1,4,192.168.10.12,32,00:11:74:EA:CD:3F-URSAWLAN,30,00-11-74-EA-CD-3F-URSAWLAN,61,19,5,0,31,28-B2-BD-0E-16-81,77,CONNECT 0Mbps 802.11b,44,28b2bd0e16812EACD3F1491280794,25,311 1 192.168.10.99 04/03/2017 07:44:00 36,8,192.168.20.115,4108,192.168.10.12,4116,0,4128,Access Points,4154,Wireless,4136,4,4142,0
    192.168.10.12,administrator@labredes.local,04/04/2017,06:40:24,IAS,WIN-KI2VT2Q2B7G,40,2,45,1,4,192.168.10.12,32,00:11:74:EA:CD:3F-URSAWLAN,30,00-11-74-EA-CD-3F-URSAWLAN,61,19,5,0,31,28-B2-BD-0E-16-81,77,CONNECT 0Mbps 802.11b,44,28b2bd0e16812EACD3F1491280794,25,311 1 192.168.10.99 04/03/2017 07:44:00 36,46,33,55,04/04/2017 04:40:27,8,192.168.20.115,49,1,4108,192.168.10.12,4116,0,4128,Access Points,4154,Wireless,4136,4,4142,0

    Wednesday, May 3, 2017 9:41 PM
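    The posted IAS-format records can be triaged mechanically. The parser below is an added example and is not part of the thread: it splits the six fixed header fields (NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name) from the attribute-ID/value pairs that follow, undoes the 0x-prefixed hex encoding NPS uses for values it will not write as plain text in the comma-separated file, and labels Packet-Type and Reason-Code. The two sample records are the final line of each posted session, copied verbatim from this thread; the attribute names and reason-code texts are the ones from Microsoft's NPS documentation that the example needs. Decoding the failing record shows the hex value is a display-style name containing a comma rather than a UPN like the working deployment's administrator@labredes.local, which is what the accepted answer accounts for.

```python
"""Triage NPS IAS-format log records: decode hex-encoded names, label outcomes."""

# Attribute IDs the example needs; IDs >= 4096 are NPS's own (vendor-specific) attributes.
ATTR_NAMES = {
    4127: "Authentication-Type",
    4128: "Client-Friendly-Name",
    4129: "SAM-Account-Name",
    4130: "Fully-Qualified-User-Name",
    4132: "EAP-Friendly-Name",
    4136: "Packet-Type",
    4142: "Reason-Code",
    4149: "NP-Policy-Name",
    4154: "Proxy-Policy-Name",
}

PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}

# Only the reason codes present in the posted logs, worded after Microsoft's NPS list.
REASON_CODES = {
    0: "success",
    8: "no such user",
    22: "EAP type cannot be processed by the server",
    48: "connection request did not match any network policy",
}

# Final record of each posted session, copied from the thread: the failing one
# (hex User-Name, Access-Reject, reason 8) and the working one (Access-Accept).
SAMPLE_LINES = [
    "10.225.0.11,0x466572726120456C766972612C2044616E69656C,04/21/2017,11:04:18,IAS,SPCP1DCOAUT01,"
    "25,311 1 10.130.10.107 04/20/2017 14:18:11 10,4127,5,"
    "4130,0x5552414C4954415C466572726120456C766972612C2044616E69656C,"
    "4129,0x5552414C4954415C466572726120456C766972612C2044616E69656C,4155,1,"
    "44,843a4bbba818186E6FF1492765464,4154,RadiusProxy,4108,10.225.0.11,4116,0,"
    "4128,Mojo_APs,4136,3,4142,8",
    r"192.168.10.12,administrator@labredes.local,04/04/2017,06:39:51,IAS,WIN-KI2VT2Q2B7G,"
    r"25,311 1 192.168.10.99 04/03/2017 07:44:00 36,8153,0,8111,0,"
    r"4132,Microsoft: Smart Card or other certificate,44,28b2bd0e16812EACD3F1491280794,"
    r"4108,192.168.10.12,4116,0,4128,Access Points,4154,Wireless,4155,1,"
    r"4129,LABREDES\Administrator,4130,LABREDES\Administrator,4127,5,4149,Wireless EAP-TLS,"
    r"8136,0,7,1,6,2,4294967210,50,4294967209,120,4136,2,4142,0",
]


def decode_value(value):
    """Return an IAS attribute value as text.

    NPS writes a value as 0x-prefixed hex when it will not emit it as plain text in
    the comma-separated file (here the name contains a comma); undo that encoding.
    """
    if value.startswith("0x") and len(value) > 2 and len(value) % 2 == 0:
        try:
            return bytes.fromhex(value[2:]).decode("utf-8")
        except ValueError:      # not hex after all (UnicodeDecodeError is a ValueError too)
            return value
    return value


def parse_ias_line(line):
    """Parse one IAS-format record: six fixed header fields, then attribute-ID,value pairs."""
    fields = line.strip().split(",")
    if len(fields) < 6:
        raise ValueError("not an IAS-format record")
    rec = {
        "nas_ip": fields[0],
        "user_name": decode_value(fields[1]),
        "date": fields[2],
        "time": fields[3],
        "service": fields[4],
        "computer": fields[5],
        "attrs": {},
    }
    pairs = fields[6:]
    for i in range(0, len(pairs) - 1, 2):
        attr_id = int(pairs[i])
        rec["attrs"][ATTR_NAMES.get(attr_id, attr_id)] = decode_value(pairs[i + 1])
    return rec


def explain(rec):
    """One-line verdict: packet type, the identity NPS resolved, and the reason code."""
    attrs = rec["attrs"]
    ptype = PACKET_TYPES.get(int(attrs.get("Packet-Type", -1)), "unknown packet type")
    reason = int(attrs.get("Reason-Code", -1))
    fqun = attrs.get("Fully-Qualified-User-Name", "")
    return (f"{rec['date']} {rec['time']} {ptype}: User-Name={rec['user_name']!r} "
            f"Fully-Qualified-User-Name={fqun!r} Reason-Code={reason} "
            f"({REASON_CODES.get(reason, 'see the NPS reason-code list')})")


def triage(lines):
    """Summarise every Access-Accept/Access-Reject record; requests and accounting are skipped."""
    out = []
    for line in lines:
        rec = parse_ias_line(line)
        if rec["attrs"].get("Packet-Type") in ("2", "3"):
            out.append(explain(rec))
    return out


if __name__ == "__main__":
    for verdict in triage(SAMPLE_LINES):
        print(verdict)
```

    Run as a script it prints one verdict per posted session; pointed at the lines of a full NPS log file, every Access-Reject with Reason-Code 8 whose decoded Fully-Qualified-User-Name is not a DOMAIN\sAMAccountName or UPN that exists in the directory is a certificate whose identity NPS could not map to an account.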
  • Hi ChusTM,

    >>The RADIUS request matches the Proxy-Policy-Name, but Fully-Qualified-User-Name is in hexadecimal, so Reason-Code equals 8 ("no such user")

    Could you please post the proxy for us to have a test in our lab?

    Best Regards

    Candy


    Thursday, May 4, 2017 6:16 AM
  • Is there any way of sending you the PDF with the configuration of the policies in NPS? Or is there any CLI command to send you the output with the required configuration?

    Regards

    Thursday, May 4, 2017 8:52 AM
  • Hi ChusTM,

    You could post the main matching policy.

    Best Regards

    Candy


    Friday, May 5, 2017 1:56 AM
  • It's not possible for me to insert pictures, as the error "Body text cannot contain images or links until we are able to verify your account" appears.
    Monday, May 8, 2017 4:44 PM
  • Hi ChusTM,

    You could upload the policy to one drive and then post the link here.

    OneDrive: https://onedrive.live.com

    Best Regards,

    Candy



    Tuesday, May 9, 2017 9:02 AM
  • Hi ChusTM,

    I will test in my lab for a period of time.

    If we have any updates about this issue, we will keep you posted as soon as possible. Your kind understanding is appreciated. 

    Best Regards,

    Candy


    Thursday, May 11, 2017 7:32 AM
  • I understand. I hope you find what's happening here.

    Regards.

    Thursday, May 11, 2017 6:52 PM
  • Hi Candy, any finding by your side?

    Regards.

    Thursday, May 18, 2017 7:41 PM