Wireless 802.1x works Health policy fails

Question
-
I have successfully configured NPS for wireless authentication using EAP-PEAP MSCHAPv2. Everything works as expected (XP SP3). I am trying to test using a health policy. In the health policy all I have enabled is the Firewall. We are using Group Policy to enable the Security Center and Firewall. They are both running on the client. I have verified that the NAP agent service is running on the client. I have verified that EAP Quarantine enforcement has been enabled (79623).
When I add the health policy, the Network policy is no longer accepted; the CRP is still accepted. I have gone through the step-by-step guides to check if I missed anything and I can't find anything. If I remove the health policy it connects again just fine.
I have included the event log and RASTLS log contents.
Event Viewer:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: DOMAIN\isacra
Account Name: DOMAIN\isacra
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\isacra
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-04-96-55-A6-B0:101
Calling Station Identifier: 00-0B-7D-1F-46-73
NAS:
NAS IPv4 Address: 10.35.0.11
NAS IPv6 Address: -
NAS Identifier: WM3600
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: 10.35.0.11
Client IP Address: 10.35.0.11
Authentication Details:
Connection Request Policy Name: WIFI 802.1x
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: OCITS.co
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 48
Reason: The connection request did not match any configured network policy.
RASTLS Log
[3964] 06-22 08:50:02:074: EapPeapBegin
[3964] 06-22 08:50:02:074: EapPeapBegin - flags(0x402)
[3964] 06-22 08:50:02:074: PeapReadUserData
[3964] 06-22 08:50:02:074:
[3964] 06-22 08:50:02:074: EapTlsBegin(DOMAIN\isacra)
[3964] 06-22 08:50:02:074: SetupMachineChangeNotification
[3964] 06-22 08:50:02:074: State change to Initial
[3964] 06-22 08:50:02:074: EapTlsBegin: Detected PEAP authentication
[3964] 06-22 08:50:02:074: MaxTLSMessageLength is now 16384
[3964] 06-22 08:50:02:074: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[3964] 06-22 08:50:02:074: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[3964] 06-22 08:50:02:074: The root cert will not be checked for revocation
[3964] 06-22 08:50:02:074: The cert will be checked for revocation
[3964] 06-22 08:50:02:074: EapPeapBegin done
[3964] 06-22 08:50:02:074: EapPeapMakeMessage
[3964] 06-22 08:50:02:074: EapPeapSMakeMessage, flags(0x805)
[3964] 06-22 08:50:02:074: EapPeapSMakeMessage, user prop flags(0x2)
[3964] 06-22 08:50:02:074: PEAP:PEAP_STATE_INITIAL
[3964] 06-22 08:50:02:074: EapTlsSMakeMessage, state(0)
[3964] 06-22 08:50:02:074: EapTlsReset
[3964] 06-22 08:50:02:074: State change to Initial
[3964] 06-22 08:50:02:074: EapGetCredentials
[3964] 06-22 08:50:02:074: Flag is Server and Store is local Machine
[3964] 06-22 08:50:02:074: GetCachedCredentials Flags = 0x40e1
[3964] 06-22 08:50:02:074: FindNodeInCachedCredList, flags(0x40e1), default cached creds(0), check thread token(1)
[3964] 06-22 08:50:02:074: pNode->dwCredFlags = 0x12
[3964] 06-22 08:50:02:074: pNode->dwCredFlags = 0x32
[3964] 06-22 08:50:02:074: pNode->dwCredFlags = 0x12
[3964] 06-22 08:50:02:074: GetCachedCredentials: Using Cached Credentials
[3964] 06-22 08:50:02:074: GetCachedCredentials: Hash of the cert in the cache is
94 F1 5E 5B B0 EA F5 0B 69 0A 16 32 CA AA EB 10 |..^[....i..2....|
73 B1 AD 67 00 00 00 00 00 00 00 00 00 00 00 00 |s..g............|
[3964] 06-22 08:50:02:074: BuildPacket
[3964] 06-22 08:50:02:074: << Sending Request (Code: 1) packet: Id: 2, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[3964] 06-22 08:50:02:074: State change to SentStart
[3964] 06-22 08:50:02:074: EapPeapSMakeMessage done
[3964] 06-22 08:50:02:074: EapPeapMakeMessage done
[3964] 06-22 08:50:02:074: EapPeapEnd
[3964] 06-22 08:50:02:074: EapTlsEnd
[3964] 06-22 08:50:02:074: EapTlsEnd(domain\isacra)
[3964] 06-22 08:50:02:074: EapPeapEnd done
[6884] 06-22 08:50:02:103: EapPeapMakeMessage
[6884] 06-22 08:50:02:103: EapPeapSMakeMessage, flags(0x805)
[6884] 06-22 08:50:02:103: EapPeapSMakeMessage, user prop flags(0x2)
[6884] 06-22 08:50:02:103: Cloned PPP_EAP_PACKET packet
[6884] 06-22 08:50:02:103: PEAP:PEAP_STATE_TLS_INPROGRESS
[6884] 06-22 08:50:02:103: EapTlsSMakeMessage, state(1)
[6884] 06-22 08:50:02:103: MakeReplyMessage
[6884] 06-22 08:50:02:103: Reallocating input TLS blob buffer
[6884] 06-22 08:50:02:103: SecurityContextFunction
[6884] 06-22 08:50:02:103: AcceptSecurityContext returned 0x90312
[6884] 06-22 08:50:02:103: State change to SentHello
[6884] 06-22 08:50:02:103: BuildPacket
[6884] 06-22 08:50:02:103: << Sending Request (Code: 1) packet: Id: 3, Length: 1396, Type: 13, TLS blob length: 1641. Flags: LM
[6884] 06-22 08:50:02:103: EapPeapSMakeMessage done
[6884] 06-22 08:50:02:103: EapPeapMakeMessage done
[3964] 06-22 08:50:02:135: EapPeapMakeMessage
[3964] 06-22 08:50:02:135: EapPeapSMakeMessage, flags(0xa05)
[3964] 06-22 08:50:02:135: EapPeapSMakeMessage, user prop flags(0x2)
[3964] 06-22 08:50:02:135: Cloned PPP_EAP_PACKET packet
[3964] 06-22 08:50:02:135: PEAP:PEAP_STATE_TLS_INPROGRESS
[3964] 06-22 08:50:02:135: EapTlsSMakeMessage, state(2)
[3964] 06-22 08:50:02:135: BuildPacket
[3964] 06-22 08:50:02:135: << Sending Request (Code: 1) packet: Id: 4, Length: 261, Type: 13, TLS blob length: 0. Flags:
[3964] 06-22 08:50:02:135: EapPeapSMakeMessage done
[3964] 06-22 08:50:02:135: EapPeapMakeMessage done
[6884] 06-22 08:50:02:199: EapPeapMakeMessage
[6884] 06-22 08:50:02:199: EapPeapSMakeMessage, flags(0xa05)
[6884] 06-22 08:50:02:199: EapPeapSMakeMessage, user prop flags(0x2)
[6884] 06-22 08:50:02:199: Cloned PPP_EAP_PACKET packet
[6884] 06-22 08:50:02:199: PEAP:PEAP_STATE_TLS_INPROGRESS
[6884] 06-22 08:50:02:199: EapTlsSMakeMessage, state(2)
[6884] 06-22 08:50:02:199: MakeReplyMessage
[6884] 06-22 08:50:02:199: Reallocating input TLS blob buffer
[6884] 06-22 08:50:02:199: SecurityContextFunction
[6884] 06-22 08:50:02:202: AcceptSecurityContext returned 0x0
[6884] 06-22 08:50:02:202: AuthenticateUser
[6884] 06-22 08:50:02:202: Got no credentials from the client and executing PEAP. This is normal for PEAP.
[6884] 06-22 08:50:02:202: CreateMPPEKeyAttributes
[6884] 06-22 08:50:02:202: State change to SentFinished
[6884] 06-22 08:50:02:202: BuildPacket
[6884] 06-22 08:50:02:202: << Sending Request (Code: 1) packet: Id: 5, Length: 69, Type: 13, TLS blob length: 59. Flags: L
[6884] 06-22 08:50:02:202: EapPeapSMakeMessage done
[6884] 06-22 08:50:02:202: EapPeapMakeMessage done
[3964] 06-22 08:50:02:228: EapPeapMakeMessage
[3964] 06-22 08:50:02:228: EapPeapSMakeMessage, flags(0xa05)
[3964] 06-22 08:50:02:228: EapPeapSMakeMessage, user prop flags(0x2)
[3964] 06-22 08:50:02:228: Cloned PPP_EAP_PACKET packet
[3964] 06-22 08:50:02:228: PEAP:PEAP_STATE_TLS_INPROGRESS
[3964] 06-22 08:50:02:228: EapTlsSMakeMessage, state(3)
[3964] 06-22 08:50:02:228: Negotiation successful
[3964] 06-22 08:50:02:228: IsTLSSessionReconnect
[3964] 06-22 08:50:02:228: Full Tls authentication performed
[3964] 06-22 08:50:02:228: BuildPacket
[3964] 06-22 08:50:02:228: << Sending Success (Code: 3) packet: Id: 5, Length: 4, Type: 0, TLS blob length: 0. Flags:
[3964] 06-22 08:50:02:228: AuthResultCode = (0), bCode = (3)
[3964] 06-22 08:50:02:228: PeapGetTunnelProperties
[3964] 06-22 08:50:02:228: Successfully negotiated TLS with following parametersdwProtocol = 0x40, Cipher= 0x660e,CipherStrength=0x80, Hash=0x8004
[3964] 06-22 08:50:02:228: PeapGetTunnelProperties done
[3964] 06-22 08:50:02:228: Full authentication
[3964] 06-22 08:50:02:228: PeapEncryptTunnelData
[3964] 06-22 08:50:02:228: Blob length 37
[3964] 06-22 08:50:02:228: PeapEncryptTunnelData completed with status 0x0
[3964] 06-22 08:50:02:228: EapPeapSMakeMessage done
[3964] 06-22 08:50:02:228: EapPeapMakeMessage done
[6884] 06-22 08:50:02:259: EapPeapMakeMessage
[6884] 06-22 08:50:02:259: EapPeapSMakeMessage, flags(0xa05)
[6884] 06-22 08:50:02:259: EapPeapSMakeMessage, user prop flags(0x2)
[6884] 06-22 08:50:02:259: Cloned PPP_EAP_PACKET packet
[6884] 06-22 08:50:02:259: PEAP:PEAP_STATE_IDENTITY_REQUEST_SENT
[6884] 06-22 08:50:02:259: PeapDecryptTunnelData dwSizeofData = 90, pData = 0xc0770a6
[6884] 06-22 08:50:02:259: Blob length 90
[6884] 06-22 08:50:02:259: PeapDecryptTunnelData completed with status 0x0
[6884] 06-22 08:50:02:259: Buffer length is 0
[6884] 06-22 08:50:02:259: PeapDecryptTunnelData completed with status 0x0 for SECBUFFER_EXTRA
[6884] 06-22 08:50:02:259: PeapEncryptTunnelData
[6884] 06-22 08:50:02:259: Blob length 53
[6884] 06-22 08:50:02:259: PeapEncryptTunnelData completed with status 0x0
[6884] 06-22 08:50:02:259: EapPeapSMakeMessage done
[6884] 06-22 08:50:02:259: EapPeapMakeMessage done
[3964] 06-22 08:50:02:294: EapPeapMakeMessage
[3964] 06-22 08:50:02:294: EapPeapSMakeMessage, flags(0xa05)
[3964] 06-22 08:50:02:294: EapPeapSMakeMessage, user prop flags(0x2)
[3964] 06-22 08:50:02:294: Cloned PPP_EAP_PACKET packet
[3964] 06-22 08:50:02:294: PEAP:PEAP_STATE_CAPABILITIES_REQ_SENT
[3964] 06-22 08:50:02:294: PeapDecryptTunnelData dwSizeofData = 90, pData = 0xc07fbf6
[3964] 06-22 08:50:02:294: Blob length 90
[3964] 06-22 08:50:02:294: PeapDecryptTunnelData completed with status 0x0
[3964] 06-22 08:50:02:294: Buffer length is 0
[3964] 06-22 08:50:02:294: PeapDecryptTunnelData completed with status 0x0 for SECBUFFER_EXTRA
[3964] 06-22 08:50:02:294: Invalid packet received when expecting capabilities response OR nak, treating it as inner fragmentationnon capable
[3964] 06-22 08:50:02:294: CRP - Create Identity Attribute
[3964] 06-22 08:50:02:294: EapPeapSMakeMessage done
[3964] 06-22 08:50:02:294: EapPeapMakeMessage done
[3964] 06-22 08:50:02:305: EapPeapMakeMessage
[3964] 06-22 08:50:02:305: EapPeapSMakeMessage, flags(0x2a05)
[3964] 06-22 08:50:02:305: EapPeapSMakeMessage, user prop flags(0x2)
[3964] 06-22 08:50:02:305: PEAP:PEAP_STATE_CAPABILITIES_REQ_SENT
[3964] 06-22 08:50:02:305: CRP NAP - Starting Soh Negotiation
[3964] 06-22 08:50:02:305: Starting SOH Negotiation
[3964] 06-22 08:50:02:305: PeapEncryptTunnelData
[3964] 06-22 08:50:02:305: Blob length 53
[3964] 06-22 08:50:02:305: PeapEncryptTunnelData completed with status 0x0
[3964] 06-22 08:50:02:305: EapPeapSMakeMessage done
[3964] 06-22 08:50:02:305: EapPeapMakeMessage done
[6884] 06-22 08:50:02:322: EapPeapMakeMessage
[6884] 06-22 08:50:02:322: EapPeapSMakeMessage, flags(0x2a05)
[6884] 06-22 08:50:02:322: EapPeapSMakeMessage, user prop flags(0x2)
[6884] 06-22 08:50:02:322: Cloned PPP_EAP_PACKET packet
[6884] 06-22 08:50:02:322: PEAP:PEAP_STATE_WAIT_FOR_CLIENT_TLV
[6884] 06-22 08:50:02:322: CRP NAP
[6884] 06-22 08:50:02:322: PeapDecryptTunnelData dwSizeofData = 74, pData = 0x1d4dd486
[6884] 06-22 08:50:02:322: Blob length 74
[6884] 06-22 08:50:02:322: PeapDecryptTunnelData completed with status 0x0
[6884] 06-22 08:50:02:322: Buffer length is 0
[6884] 06-22 08:50:02:322: PeapDecryptTunnelData completed with status 0x0 for SECBUFFER_EXTRA
[6884] 06-22 08:50:02:323: PeapEncryptTunnelData
[6884] 06-22 08:50:02:323: Blob length 69
[6884] 06-22 08:50:02:323: PeapEncryptTunnelData completed with status 0x0
[6884] 06-22 08:50:02:323: EapPeapSMakeMessage done
[6884] 06-22 08:50:02:323: EapPeapMakeMessage done
[3964] 06-22 08:50:02:353: EapPeapMakeMessage
[3964] 06-22 08:50:02:353: EapPeapSMakeMessage, flags(0xa05)
[3964] 06-22 08:50:02:353: EapPeapSMakeMessage, user prop flags(0x2)
[3964] 06-22 08:50:02:353: Cloned PPP_EAP_PACKET packet
[3964] 06-22 08:50:02:353: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[3964] 06-22 08:50:02:353: PeapDecryptTunnelData dwSizeofData = 138, pData = 0xb8f5886
[3964] 06-22 08:50:02:353: Blob length 138
[3964] 06-22 08:50:02:353: PeapDecryptTunnelData completed with status 0x0
[3964] 06-22 08:50:02:353: Buffer length is 0
[3964] 06-22 08:50:02:353: PeapDecryptTunnelData completed with status 0x0 for SECBUFFER_EXTRA
[3964] 06-22 08:50:02:356: PeapEncryptTunnelData
[3964] 06-22 08:50:02:356: Blob length 85
[3964] 06-22 08:50:02:356: PeapEncryptTunnelData completed with status 0x0
[3964] 06-22 08:50:02:356: EapPeapSMakeMessage done
[3964] 06-22 08:50:02:356: EapPeapMakeMessage done
[6884] 06-22 08:50:02:384: EapPeapMakeMessage
[6884] 06-22 08:50:02:384: EapPeapSMakeMessage, flags(0xa05)
[6884] 06-22 08:50:02:384: EapPeapSMakeMessage, user prop flags(0x2)
[6884] 06-22 08:50:02:384: Cloned PPP_EAP_PACKET packet
[6884] 06-22 08:50:02:384: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[6884] 06-22 08:50:02:384: PeapDecryptTunnelData dwSizeofData = 74, pData = 0x1d4dd546
[6884] 06-22 08:50:02:384: Blob length 74
[6884] 06-22 08:50:02:384: PeapDecryptTunnelData completed with status 0x0
[6884] 06-22 08:50:02:384: Buffer length is 0
[6884] 06-22 08:50:02:384: PeapDecryptTunnelData completed with status 0x0 for SECBUFFER_EXTRA
[6884] 06-22 08:50:02:384: PeapSetTypeUserAttributes
[6884] 06-22 08:50:02:384: RasAuthAttributeConcat
[6884] 06-22 08:50:02:384: Peap passing Inner Method attributes
[6884] 06-22 08:50:02:384: EapPeapSMakeMessage done
[6884] 06-22 08:50:02:384: EapPeapMakeMessage done
[6884] 06-22 08:50:02:385: EapPeapMakeMessage
[6884] 06-22 08:50:02:385: EapPeapSMakeMessage, flags(0xa05)
[6884] 06-22 08:50:02:385: EapPeapSMakeMessage, user prop flags(0x2)
[6884] 06-22 08:50:02:385: PEAP:PEAP_STATE_WAIT_FOR_SERVER_TLV
[6884] 06-22 08:50:02:385: CreateEAPTLVPacket
[6884] 06-22 08:50:02:385: TLV contents:
80 03 00 02 00 02 00 00 00 00 00 00 00 00 00 00 |................|
[6884] 06-22 08:50:02:385: Found a status TLV
[6884] 06-22 08:50:02:385: Client returned Failure TLV
[6884] 06-22 08:50:02:385: PeapEncryptTunnelData
[6884] 06-22 08:50:02:385: Blob length 37
[6884] 06-22 08:50:02:385: PeapEncryptTunnelData completed with status 0x0
[6884] 06-22 08:50:02:385: Authentication failed due to IAS policy restrictions
[6884] 06-22 08:50:02:385: EapPeapSMakeMessage done
[6884] 06-22 08:50:02:385: EapPeapMakeMessage done
[3964] 06-22 08:50:02:415: EapPeapMakeMessage
[3964] 06-22 08:50:02:415: EapPeapSMakeMessage, flags(0xa05)
[3964] 06-22 08:50:02:415: EapPeapSMakeMessage, user prop flags(0x2)
[3964] 06-22 08:50:02:415: Cloned PPP_EAP_PACKET packet
[3964] 06-22 08:50:02:415: PEAP:PEAP_STATE_PEAP_FAIL_SEND
[3964] 06-22 08:50:02:415: PeapDecryptTunnelData dwSizeofData = 74, pData = 0xc738c86
[3964] 06-22 08:50:02:415: Blob length 74
[3964] 06-22 08:50:02:415: PeapDecryptTunnelData completed with status 0x0
[3964] 06-22 08:50:02:415: Buffer length is 0
[3964] 06-22 08:50:02:415: PeapDecryptTunnelData completed with status 0x0 for SECBUFFER_EXTRA
[3964] 06-22 08:50:02:415: GetPEAPTLVStatusMessageValueServer
[3964] 06-22 08:50:02:415: Found a result TLV 2
[3964] 06-22 08:50:02:415: SetTLSFastReconnect
[3964] 06-22 08:50:02:415: IsTLSSessionReconnect
[3964] 06-22 08:50:02:415: Full Tls authentication performed
[3964] 06-22 08:50:02:415: The session is not setup for fast reconnects. No need to disable.
[3964] 06-22 08:50:02:415: PeapAddContextAttributes
[3964] 06-22 08:50:02:415: RasAuthAttributeConcat
[3964] 06-22 08:50:02:415: EapPeapSMakeMessage done
[3964] 06-22 08:50:02:415: EapPeapMakeMessage done
Wednesday, June 22, 2011 2:08 PM
Answers
-
Hi,
On XP clients, you do not use the EAP quarantine enforcement client for wireless. You must enable the wireless EAPOL enforcement client (79620).
If you are using Group Policy to configure NAP settings, see http://technet.microsoft.com/en-us/library/dd348439(WS.10).aspx; otherwise, see http://technet.microsoft.com/en-us/library/dd851746.aspx.
I hope this helps,
-Greg
P.S. A summary of requirements to get 802.1X working with NAP is here: http://technet.microsoft.com/en-us/library/dd125308(WS.10).aspx.
- Marked as answer by craymond Thursday, June 23, 2011 1:16 PM
Thursday, June 23, 2011 5:20 AM
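An added triage helper, not code from the post or from Microsoft: it parses the NPS audit event and the RASTLS lines quoted in the question and reports the findings Greg's answer rests on. The enforcement client IDs are those named in the thread (79620 for wireless on XP, 79623 for the EAP quarantine client); the client OS is passed in as an argument because the NPS event does not record it.

```python
# Added triage helper (not from the post or from Microsoft). It reads the two
# artifacts quoted in the question, the NPS audit event and the RASTLS trace,
# and turns them into the findings an NPS admin would act on.

# Excerpts of the NPS event and RASTLS lines quoted above (taken from the post).
NPS_EVENT = """\
Network Policy Server denied access to a user.
NAS Port-Type: Wireless - IEEE 802.11
Connection Request Policy Name: WIFI 802.1x
Network Policy Name: -
Authentication Type: PEAP
Reason Code: 48
Reason: The connection request did not match any configured network policy.
"""
RASTLS_LOG = """\
[3964] 06-22 08:50:02:305: CRP NAP - Starting Soh Negotiation
[6884] 06-22 08:50:02:385: Client returned Failure TLV
[6884] 06-22 08:50:02:385: Authentication failed due to IAS policy restrictions
"""
# Enforcement client IDs as named in the thread: 79620 is the wireless EAPOL EC
# that XP needs, 79623 the EAP quarantine EC the asker had enabled.
WIRELESS_EC_XP, EAP_EC = "79620", "79623"


def parse_nps_event(text):
    """Map the 'Key: value' lines of an NPS audit event to a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def triage(event_text, log_text, client_os):
    """Return findings for a NAP connection that NPS rejected (client_os is supplied by the caller)."""
    ev = parse_nps_event(event_text)
    findings = []
    if ev.get("Reason Code") == "48" and ev.get("Network Policy Name") == "-":
        findings.append("reason 48: no network policy matched (CRP still matched)")
    if "Starting Soh Negotiation" in log_text and "Client returned Failure TLV" in log_text:
        findings.append("SoH negotiation started but client returned Failure TLV")
    wireless = ev.get("NAS Port-Type", "").startswith("Wireless")
    if wireless and client_os.upper().startswith("XP"):
        findings.append(f"XP wireless: enable enforcement client {WIRELESS_EC_XP}, not only {EAP_EC}")
    return findings


if __name__ == "__main__":
    for finding in triage(NPS_EVENT, RASTLS_LOG, "XP SP3"):
        print("-", finding)
```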
All replies
-
Thanks Greg - The problem that I had was that when using the Broadcom driver and software WZC is turned off. Once I used Windows to control it and enabled WZC it all worked correctly. I will do some more testing to see if I can get it to work using the Broadcom controller, but otherwise it is working the way it is supposed to!
Thursday, June 23, 2011 1:21 PM