EAP-TLS Failure with Windows-XP STA & Win-2012 NAS

  • Question

  • Hi,

    I'm facing a weird problem. I've installed Active Directory, the CA & NPS all on a single machine.

    I've generated a user certificate & also copied the CA certificate to the client Windows-XP machine and installed them into the "Personal" and Trusted Root CA locations. When I create a profile and connect through WZC, the radius server rejects with reason: "An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors."

    To debug, I set up another client machine with Windows-7. I installed the same certificates which I installed on the Windows-XP client and created a profile to connect. And it just connects without any issue.

    I'm not sure what the above error means for the Win-XP case, and how do I check EAP log files for EAP errors? I've tried enabling tracing for ras and looked for logs in c:\windows\tracing. But I see all files were almost 0KB and no useful information at all.

    Can you help me debug this problem? Please see the snippet from eventviewer.

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:            NULL SID
        Account Name:            wifiuser@qcsr.com
        Account Domain:            QCSR
        Fully Qualified Account Name:    QCSR\wifiuser

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        00904c130f31
        Calling Station Identifier:        00037f104912

    NAS:
        NAS IPv4 Address:        192.165.122.1
        NAS IPv6 Address:        -
        NAS Identifier:            00904c130f31
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            11

    RADIUS Client:
        Client Friendly Name:        BROADCOM
        Client IP Address:            192.165.122.1

    Authentication Details:
        Connection Request Policy Name:    NAP 802.1X (Wireless)
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        BANRADSVR01.qcsr.com
        Authentication Type:        EAP
        EAP Type:            Microsoft: Smart Card or other certificate
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            23
        Reason:                An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

    Saturday, September 24, 2016 10:15 AM

Answers

  • Hi Ram,

    >> Do you have idea on how to check what are these EAP log files & how do I check logs?

    You could find the logs under the path /windows/system32/LogFiles.

    In addition, you could trace the issue by enabling EAPHost Tracing.

    Please reference the link below for detailed information on EAPHost:

    Enabling EAPHost Tracing

    https://msdn.microsoft.com/en-us/library/windows/desktop/aa813696(v=vs.85).aspx

    Best Regards

    John


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by John Lii Wednesday, October 12, 2016 9:34 AM
    • Marked as answer by Leo Han Thursday, October 13, 2016 8:43 AM
    Tuesday, September 27, 2016 4:57 AM
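The event quoted in the question is NPS Event ID 6273 in the Security log. As an added example (not code from the original thread or its posters), the following PowerShell pulls those rejects from the log and turns them into objects, so repeated failures from one client can be grouped by reason code instead of read one at a time in Event Viewer. It assumes an elevated PowerShell on the NPS server; the EventData element names used below are those of the 6273 event's XML rendering and should be checked against one event on your server, as the comment shows.

```powershell
<#
 Added example (not from the original thread): triage NPS rejects from the
 Security log. Assumes: elevated PowerShell on the NPS server.
 NPS logs "Network Policy Server denied access to a user" as Event ID 6273.
 The EventData names below are as they appear in that event's XML; confirm with:
   (Get-WinEvent -FilterHashtable @{LogName='Security';Id=6273} -MaxEvents 1).ToXml()
#>

function Get-NpsRejectSummary {
    param(
        [int]$MaxEvents = 200,
        # Optional filter on Calling-Station-Id (the client MAC shown in the question).
        [string]$CallingStationId
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The XML rendering exposes every field by name; the message text does not.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($CallingStationId -and $data['CallingStationID'] -ne $CallingStationId) { continue }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = $data['FullyQualifiedSubjectUserName']
            ClientMac  = $data['CallingStationID']
            NasId      = $data['NASIdentifier']
            CrpName    = $data['ProxyPolicyName']       # Connection Request Policy
            NetPolicy  = $data['NetworkPolicyName']     # '-' in the question's event
            EapType    = $data['EAPType']
            ReasonCode = [int]$data['ReasonCode']
            Reason     = $data['Reason']
        }
    }
}

# Rejects for the XP client from the question, counted per reason code.
Get-NpsRejectSummary -CallingStationId '00037f104912' |
    Group-Object ReasonCode |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Most recent rejects from any client, one line each.
Get-NpsRejectSummary -MaxEvents 20 |
    Format-Table Time, User, ClientMac, EapType, ReasonCode, NetPolicy -AutoSize
```

Comparing the reject rows for the XP client against a successful Windows-7 attempt (Event ID 6272 has the same fields) shows directly which of CRP, network policy and EAP type differ between the two clients, which is the comparison the question is trying to make.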

All replies

  • Hi Ramprasad,

    It is not recommended to install other server roles on a domain controller.

    There is a similar issue to yours; please check it to troubleshoot your issue:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/c66cf0a8-24dd-4ccd-b5bb-16bd28ad8d4c/having-issues-getting-peap-with-eapmschap-v2-working-on-windows-2008-r2?forum=winserverNAP

    What condition settings have you configured on NPS?

    Have you configured the certificate properties in the NPS authentication method?

    Here is an article for your reference:

    RADIUS Server for 802.1X Wireless or Wired Connections

    https://msdn.microsoft.com/en-us/library/cc731853(v=ws.11).aspx

    Best Regards

    John


    Monday, September 26, 2016 7:54 AM
  • Hi John,

    Thanks. I didn't have the luxury of separate machines, thus I had to install on the same machine. And coming to configuration: yes, I configured the certificate. In fact, with the Windows-7 client EAP-TLS succeeds. And when I install exactly the same user/CA certificate on the Win-XP client it fails.

    Do you have idea on how to check what are these EAP log files & how do I check logs? To me it looks like some interop issue. But would like to double check logs before I make that claim.

    "Reason:                An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors."

    Thanks,

    Ram


    -ram

    Monday, September 26, 2016 8:39 AM
  • Hi John,

    Thanks for your reply. I did try the ones you suggested already. But they didn't help me.

    1. /windows/system32/Logfiles. Do you know which specific log file I should be referring to? I remember seeing several forums indicating an eap log file. But I couldn't find any log with that name.

    2. I tried EAPHost tracing. But I was stuck when I had to execute the command below, as I didn't know what pdb & tp are. Can you help? I've got the etl file with me. But I couldn't use it.

    tracerpt EapHostAuthr.etl -pdb <pdbpath> -tp <tracemessagefilesdirectorypath> -o

    Thanks,

    Ram


    Wednesday, September 28, 2016 6:07 PM
  • Hi Ram,

    -pdb <value> specifies the symbol server path.

    -tp <value> specifies the TMF file search path.

    Please reference the article below to understand it:

    Tracerpt

    https://technet.microsoft.com/en-us/library/cc732700(v=ws.11).aspx

    Best Regards

    John



    Thursday, September 29, 2016 8:37 AM
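The EapHostAuthr.etl file discussed above is decoded by tracerpt only with the symbol (-pdb) and TMF (-tp) paths, which is exactly where the poster got stuck, since those private files are not normally available to an administrator. As an added example (not code from the original thread or its posters), the script below takes the other route: it records an ETW session on the manifest-registered Microsoft-Windows-EapHost provider on the NPS server while the XP client retries, then decodes it with tracerpt -of XML, which needs no symbols because the message templates come from the registered manifest. It assumes an elevated PowerShell on Windows Server 2012 and an existing C:\Temp; the provider name should be confirmed first with logman query providers.

```powershell
<#
 Added example (not from the original thread): capture and decode an EAPHost
 ETW trace without -pdb/-tp. Assumes: elevated PowerShell on the NPS server,
 C:\Temp exists, and the provider exists on this build - confirm with:
   logman query providers | findstr /i eaphost
#>

$Session = 'EapHostTrace'
$Etl     = 'C:\Temp\EapHost.etl'
$Out     = 'C:\Temp\EapHost.xml'

# Start a kernel-side trace session (-ets) on the EAPHost provider.
logman start $Session -p 'Microsoft-Windows-EapHost' -o $Etl -ets
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

# Also turn on the RAS tracing the thread refers to; its text logs land in
# %windir%\tracing and only fill once a client actually attempts to authenticate.
netsh ras set tracing * enabled

Read-Host 'Reproduce the failure from the Windows-XP client now, then press Enter'

netsh ras set tracing * disabled
logman stop $Session -ets

# Decode to XML. Manifest-based events are rendered from the registered
# manifest, so no symbol or TMF path is required. -y answers the overwrite prompt.
tracerpt $Etl -o $Out -of XML -y
if ($LASTEXITCODE -ne 0) { throw "tracerpt failed with exit code $LASTEXITCODE" }

# Flatten each event to one row: time, event id, level and its data fields.
[xml]$x = Get-Content $Out -Raw
$x.Events.Event | ForEach-Object {
    $id = $_.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry a Qualifiers attribute
    [pscustomobject]@{
        Time    = $_.System.TimeCreated.SystemTime
        EventId = $id
        Level   = $_.System.Level
        Data    = ($_.EventData.Data | ForEach-Object { "$($_.Name)=$($_.'#text')" }) -join '; '
    }
} | Format-Table -AutoSize -Wrap
```

Run the same capture during a Windows-7 attempt and diff the two event sequences; the point at which the XP exchange stops (or the first event with a non-zero error field) is the EAP-side detail that Event ID 6273 reason code 23 does not give you.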
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    John



    Tuesday, October 11, 2016 8:43 AM
  • Hi John,

    Thanks for the follow-up. I've been on holidays so didn't check. I will respond once I'm back to work.

    -ram


    Tuesday, October 11, 2016 4:25 PM