Certificate Selection process logging

  • Question

  • Through which means can I debug/log the certificate selection process involved in network authentication using EAP-TLS?

    Stan.

    Friday, November 29, 2019 10:52 AM

All replies

  • Check the following links for a hint.

    https://support.microsoft.com/en-us/help/814394/certificate-requirements-when-you-use-eap-tls-or-peap-with-eap-tls

    In Windows you have "Use simple certificate selection", which could give the user a list of certificates that they can try, but again, only one can be selected and sent to the RADIUS server.

    https://community.arubanetworks.com/t5/Security/EAP-TLS-clients-with-multiple-certificates/td-p/255381

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 2, 2019 6:19 AM
    Moderator
  • Teemo, I have unproposed your suggestion as answer, mainly because it is incomplete and therefore does not answer my question.

    The links you provided describe correct information. But as far as the 'simple certificate selection' process goes, it only applies to user sessions.
    During computer connections, such as authenticated LAN connections, this does not apply.

    I have figured out that the application of the simple certificate solution can be closely monitored in the 'Microsoft-Windows-CAPI2/Operational' log. This of course is disabled by default and needs to be enabled.
    But for the different connections that use TLS, I now also monitor:

    • For wireless connections: Microsoft-Windows-WLAN-AutoConfig/Operational
    • For wired connections: Microsoft-Windows-Wired-AutoConfig/Operational

    For instance, this type of error is logged for a wired connection:


        Error: 0x80420014
        EAP Reason: 0x31E
        EAP Root cause String: A certificate could not be found that can be used with this Extensible Authentication Protocol.
        EAP Error: 0x80420014

    I know that there is a valid certificate available on the system, but the chaining method builds a chain that does not hold the thumbprint that is the only issuer allowed in the EAP policy.

    To figure out what is happening behind the screens, I would like to closely debug (let's call it bridge) the information in and between CAPI2 and the other logs, to determine in detail how the certificate got selected or, in this case was not selected.

    Thanks for your help

    Tuesday, December 3, 2019 8:52 AM
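    As an added example (not code from the thread or from either participant), the following PowerShell script does the log "bridging" described above: it enables the CAPI2 operational log, finds the most recent EAP failure in the Wired-AutoConfig or WLAN-AutoConfig operational log, and then lists the CAPI2 chain-building events recorded in the seconds before that failure, together with the certificate subjects each event touched. The parameter names, the time window, and the matching on the text "EAP Error" are assumptions chosen for illustration; it assumes an elevated PowerShell session on the client.

```powershell
# Added example, not from the thread: correlate an EAP-TLS certificate-selection
# failure in the Wired/WLAN-AutoConfig log with the CAPI2 events logged just
# before it. Assumes an elevated PowerShell session; parameter names are assumed.
param(
    [ValidateSet('Wired', 'Wireless')] [string]$Interface = 'Wired',
    [int]$WindowSeconds = 10,      # how far before the failure to look in CAPI2
    [int]$LookbackMinutes = 60     # how far back to search for an EAP failure
)

# 1. The CAPI2 operational log is disabled by default; enable it and enlarge it
#    so the chain-building events are still there when the failure is examined.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true /ms:104857600

$authLog = if ($Interface -eq 'Wired') {
    'Microsoft-Windows-Wired-AutoConfig/Operational'
} else {
    'Microsoft-Windows-WLAN-AutoConfig/Operational'
}

# 2. Locate the most recent EAP failure. The thread's example reports
#    "EAP Error: 0x80420014"; matching on the generic "EAP Error" text also
#    catches other reason codes.
$since = (Get-Date).AddMinutes(-$LookbackMinutes)
$failure = Get-WinEvent -FilterHashtable @{ LogName = $authLog; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EAP Error' } |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 1

if (-not $failure) {
    Write-Warning "No EAP failure found in $authLog during the last $LookbackMinutes minutes."
    return
}

"`n=== EAP failure at $($failure.TimeCreated) (Event $($failure.Id)) ==="
$failure.Message

# 3. Pull the CAPI2 events from the window just before the failure: this is
#    where chain building for the candidate client certificates is recorded.
$capi2 = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CAPI2/Operational'
    StartTime = $failure.TimeCreated.AddSeconds(-$WindowSeconds)
    EndTime   = $failure.TimeCreated.AddSeconds(1)
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

"`n=== CAPI2 events in the $WindowSeconds s before the failure ==="
foreach ($e in $capi2) {
    # CAPI2 event XML lists the certificates the chain engine handled as
    # elements carrying a subjectName attribute. Printing them per event shows
    # which chain was actually built, so its issuer can be compared with the
    # issuer the EAP policy allows.
    $xml = [xml]$e.ToXml()
    $subjects = $xml.SelectNodes('//*[@subjectName]') |
        ForEach-Object { $_.subjectName } |
        Select-Object -Unique
    $result = if ($e.LevelDisplayName -eq 'Error') { 'FAILED' } else { 'ok' }
    '{0:HH:mm:ss.fff}  Id={1,-3} {2,-30} {3,-6} {4}' -f `
        $e.TimeCreated, $e.Id, $e.TaskDisplayName, $result, ($subjects -join ' <- ')
}
```

    Run it once with `-Interface Wired` (or `Wireless`) after reproducing the failed connection; the error-level CAPI2 events in the printed window are the ones to read in full, since their XML names the certificate that was considered and the chain it was placed in.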
  • OK Stan, I understand your behavior.

    You could also open a support ticket for deep research on debugging the information in and between CAPI2 and the other logs.

    https://support.microsoft.com/en-gb/hub/4343728/support-for-business


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 9, 2019 8:48 AM
    Moderator