Wireless 802.1x works Health policy fails

  • Question

  • I have successfully configured NPS for Wireless authentication using EAP-PEAP MSCHAPv2. Everything works as expected. (XP SP3) I am trying to test using a health policy. In the health policy all I have enabled is the Firewall. We are using group policy to enable the Security Center and Firewall. They are both running on the Client. I have verified that the NAP agent service is running on the client. I have verified that EAP Quarantine enforcement has been enabled (79623).

    When I add the health policy, the Network policy is no longer accepted - the CRP is still accepted. I have gone through the step by step guides to check if I missed anything and I can't find anything. If I remove the Health policy it connects again just fine.

    I have included the event log and RASTLS log contents.

    Event Viewer:

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID: DOMAIN\isacra
        Account Name: DOMAIN\isacra
        Account Domain: DOMAIN
        Fully Qualified Account Name: DOMAIN\isacra

    Client Machine:
        Security ID: NULL SID
        Account Name: -
        Fully Qualified Account Name: -
        OS-Version: -
        Called Station Identifier: 00-04-96-55-A6-B0:101
        Calling Station Identifier: 00-0B-7D-1F-46-73

    NAS:
        NAS IPv4 Address: 10.35.0.11
        NAS IPv6 Address: -
        NAS Identifier: WM3600
        NAS Port-Type: Wireless - IEEE 802.11
        NAS Port: 1

    RADIUS Client:
        Client Friendly Name: 10.35.0.11
        Client IP Address: 10.35.0.11

    Authentication Details:
        Connection Request Policy Name: WIFI 802.1x
        Network Policy Name: -
        Authentication Provider: Windows
        Authentication Server: OCITS.co
        Authentication Type: PEAP
        EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
        Account Session Identifier: -
        Logging Results: Accounting information was written to the local log file.
        Reason Code: 48
        Reason: The connection request did not match any configured network policy.

    RASTLS Log

    [3964] 06-22 08:50:02:074: EapPeapBegin
    [3964] 06-22 08:50:02:074: EapPeapBegin - flags(0x402)
    [3964] 06-22 08:50:02:074: PeapReadUserData
    [3964] 06-22 08:50:02:074:
    [3964] 06-22 08:50:02:074: EapTlsBegin(DOMAIN\isacra)
    [3964] 06-22 08:50:02:074: SetupMachineChangeNotification
    [3964] 06-22 08:50:02:074: State change to Initial
    [3964] 06-22 08:50:02:074: EapTlsBegin: Detected PEAP authentication
    [3964] 06-22 08:50:02:074: MaxTLSMessageLength is now 16384
    [3964] 06-22 08:50:02:074: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
    [3964] 06-22 08:50:02:074: CRYPT_E_REVOCATION_OFFLINE will not be ignored
    [3964] 06-22 08:50:02:074: The root cert will not be checked for revocation
    [3964] 06-22 08:50:02:074: The cert will be checked for revocation
    [3964] 06-22 08:50:02:074: EapPeapBegin done
    [3964] 06-22 08:50:02:074: EapPeapMakeMessage
    [3964] 06-22 08:50:02:074: EapPeapSMakeMessage, flags(0x805)
    [3964] 06-22 08:50:02:074: EapPeapSMakeMessage, user prop flags(0x2)
    [3964] 06-22 08:50:02:074: PEAP:PEAP_STATE_INITIAL
    [3964] 06-22 08:50:02:074: EapTlsSMakeMessage, state(0)
    [3964] 06-22 08:50:02:074: EapTlsReset
    [3964] 06-22 08:50:02:074: State change to Initial
    [3964] 06-22 08:50:02:074: EapGetCredentials
    [3964] 06-22 08:50:02:074: Flag is Server and Store is local Machine
    [3964] 06-22 08:50:02:074: GetCachedCredentials Flags = 0x40e1
    [3964] 06-22 08:50:02:074: FindNodeInCachedCredList, flags(0x40e1), default cached creds(0), check thread token(1)
    [3964] 06-22 08:50:02:074: pNode->dwCredFlags = 0x12
    [3964] 06-22 08:50:02:074: pNode->dwCredFlags = 0x32
    [3964] 06-22 08:50:02:074: pNode->dwCredFlags = 0x12
    [3964] 06-22 08:50:02:074: GetCachedCredentials: Using Cached Credentials
    [3964] 06-22 08:50:02:074: GetCachedCredentials: Hash of the cert in the cache is
    94 F1 5E 5B B0 EA F5 0B 69 0A 16 32 CA AA EB 10 |..^[....i..2....|
    73 B1 AD 67 00 00 00 00 00 00 00 00 00 00 00 00 |s..g............|
    [3964] 06-22 08:50:02:074: BuildPacket
    [3964] 06-22 08:50:02:074: << Sending Request (Code: 1) packet: Id: 2, Length: 6, Type: 13, TLS blob length: 0. Flags: S
    [3964] 06-22 08:50:02:074: State change to SentStart
    [3964] 06-22 08:50:02:074: EapPeapSMakeMessage done
    [3964] 06-22 08:50:02:074: EapPeapMakeMessage done
    [3964] 06-22 08:50:02:074: EapPeapEnd
    [3964] 06-22 08:50:02:074: EapTlsEnd
    [3964] 06-22 08:50:02:074: EapTlsEnd(domain\isacra)
    [3964] 06-22 08:50:02:074: EapPeapEnd done
    [6884] 06-22 08:50:02:103: EapPeapMakeMessage
    [6884] 06-22 08:50:02:103: EapPeapSMakeMessage, flags(0x805)
    [6884] 06-22 08:50:02:103: EapPeapSMakeMessage, user prop flags(0x2)
    [6884] 06-22 08:50:02:103: Cloned PPP_EAP_PACKET packet
    [6884] 06-22 08:50:02:103: PEAP:PEAP_STATE_TLS_INPROGRESS
    [6884] 06-22 08:50:02:103: EapTlsSMakeMessage, state(1)
    [6884] 06-22 08:50:02:103: MakeReplyMessage
    [6884] 06-22 08:50:02:103: Reallocating input TLS blob buffer
    [6884] 06-22 08:50:02:103: SecurityContextFunction
    [6884] 06-22 08:50:02:103: AcceptSecurityContext returned 0x90312
    [6884] 06-22 08:50:02:103: State change to SentHello
    [6884] 06-22 08:50:02:103: BuildPacket
    [6884] 06-22 08:50:02:103: << Sending Request (Code: 1) packet: Id: 3, Length: 1396, Type: 13, TLS blob length: 1641. Flags: LM
    [6884] 06-22 08:50:02:103: EapPeapSMakeMessage done
    [6884] 06-22 08:50:02:103: EapPeapMakeMessage done
    [3964] 06-22 08:50:02:135: EapPeapMakeMessage
    [3964] 06-22 08:50:02:135: EapPeapSMakeMessage, flags(0xa05)
    [3964] 06-22 08:50:02:135: EapPeapSMakeMessage, user prop flags(0x2)
    [3964] 06-22 08:50:02:135: Cloned PPP_EAP_PACKET packet
    [3964] 06-22 08:50:02:135: PEAP:PEAP_STATE_TLS_INPROGRESS
    [3964] 06-22 08:50:02:135: EapTlsSMakeMessage, state(2)
    [3964] 06-22 08:50:02:135: BuildPacket
    [3964] 06-22 08:50:02:135: << Sending Request (Code: 1) packet: Id: 4, Length: 261, Type: 13, TLS blob length: 0. Flags:
    [3964] 06-22 08:50:02:135: EapPeapSMakeMessage done
    [3964] 06-22 08:50:02:135: EapPeapMakeMessage done
    [6884] 06-22 08:50:02:199: EapPeapMakeMessage
    [6884] 06-22 08:50:02:199: EapPeapSMakeMessage, flags(0xa05)
    [6884] 06-22 08:50:02:199: EapPeapSMakeMessage, user prop flags(0x2)
    [6884] 06-22 08:50:02:199: Cloned PPP_EAP_PACKET packet
    [6884] 06-22 08:50:02:199: PEAP:PEAP_STATE_TLS_INPROGRESS
    [6884] 06-22 08:50:02:199: EapTlsSMakeMessage, state(2)
    [6884] 06-22 08:50:02:199: MakeReplyMessage
    [6884] 06-22 08:50:02:199: Reallocating input TLS blob buffer
    [6884] 06-22 08:50:02:199: SecurityContextFunction
    [6884] 06-22 08:50:02:202: AcceptSecurityContext returned 0x0
    [6884] 06-22 08:50:02:202: AuthenticateUser
    [6884] 06-22 08:50:02:202: Got no credentials from the client and executing PEAP. This is normal for PEAP.
    [6884] 06-22 08:50:02:202: CreateMPPEKeyAttributes
    [6884] 06-22 08:50:02:202: State change to SentFinished
    [6884] 06-22 08:50:02:202: BuildPacket
    [6884] 06-22 08:50:02:202: << Sending Request (Code: 1) packet: Id: 5, Length: 69, Type: 13, TLS blob length: 59. Flags: L
    [6884] 06-22 08:50:02:202: EapPeapSMakeMessage done
    [6884] 06-22 08:50:02:202: EapPeapMakeMessage done
    [3964] 06-22 08:50:02:228: EapPeapMakeMessage
    [3964] 06-22 08:50:02:228: EapPeapSMakeMessage, flags(0xa05)
    [3964] 06-22 08:50:02:228: EapPeapSMakeMessage, user prop flags(0x2)
    [3964] 06-22 08:50:02:228: Cloned PPP_EAP_PACKET packet
    [3964] 06-22 08:50:02:228: PEAP:PEAP_STATE_TLS_INPROGRESS
    [3964] 06-22 08:50:02:228: EapTlsSMakeMessage, state(3)
    [3964] 06-22 08:50:02:228: Negotiation successful
    [3964] 06-22 08:50:02:228: IsTLSSessionReconnect
    [3964] 06-22 08:50:02:228: Full Tls authentication performed
    [3964] 06-22 08:50:02:228: BuildPacket
    [3964] 06-22 08:50:02:228: << Sending Success (Code: 3) packet: Id: 5, Length: 4, Type: 0, TLS blob length: 0. Flags:
    [3964] 06-22 08:50:02:228: AuthResultCode = (0), bCode = (3)
    [3964] 06-22 08:50:02:228: PeapGetTunnelProperties
    [3964] 06-22 08:50:02:228: Successfully negotiated TLS with following parametersdwProtocol = 0x40, Cipher= 0x660e, CipherStrength=0x80, Hash=0x8004
    [3964] 06-22 08:50:02:228: PeapGetTunnelProperties done
    [3964] 06-22 08:50:02:228: Full authentication
    [3964] 06-22 08:50:02:228: PeapEncryptTunnelData
    [3964] 06-22 08:50:02:228: Blob length 37
    [3964] 06-22 08:50:02:228: PeapEncryptTunnelData completed with status 0x0
    [3964] 06-22 08:50:02:228: EapPeapSMakeMessage done
    [3964] 06-22 08:50:02:228: EapPeapMakeMessage done
    [6884] 06-22 08:50:02:259: EapPeapMakeMessage
    [6884] 06-22 08:50:02:259: EapPeapSMakeMessage, flags(0xa05)
    [6884] 06-22 08:50:02:259: EapPeapSMakeMessage, user prop flags(0x2)
    [6884] 06-22 08:50:02:259: Cloned PPP_EAP_PACKET packet
    [6884] 06-22 08:50:02:259: PEAP:PEAP_STATE_IDENTITY_REQUEST_SENT
    [6884] 06-22 08:50:02:259: PeapDecryptTunnelData dwSizeofData = 90, pData = 0xc0770a6
    [6884] 06-22 08:50:02:259: Blob length 90
    [6884] 06-22 08:50:02:259: PeapDecryptTunnelData completed with status 0x0
    [6884] 06-22 08:50:02:259:  Buffer length is 0
    [6884] 06-22 08:50:02:259: PeapDecryptTunnelData completed with status 0x0 for SECBUFFER_EXTRA
    [6884] 06-22 08:50:02:259: PeapEncryptTunnelData
    [6884] 06-22 08:50:02:259: Blob length 53
    [6884] 06-22 08:50:02:259: PeapEncryptTunnelData completed with status 0x0
    [6884] 06-22 08:50:02:259: EapPeapSMakeMessage done
    [6884] 06-22 08:50:02:259: EapPeapMakeMessage done
    [3964] 06-22 08:50:02:294: EapPeapMakeMessage
    [3964] 06-22 08:50:02:294: EapPeapSMakeMessage, flags(0xa05)
    [3964] 06-22 08:50:02:294: EapPeapSMakeMessage, user prop flags(0x2)
    [3964] 06-22 08:50:02:294: Cloned PPP_EAP_PACKET packet
    [3964] 06-22 08:50:02:294: PEAP:PEAP_STATE_CAPABILITIES_REQ_SENT
    [3964] 06-22 08:50:02:294: PeapDecryptTunnelData dwSizeofData = 90, pData = 0xc07fbf6
    [3964] 06-22 08:50:02:294: Blob length 90
    [3964] 06-22 08:50:02:294: PeapDecryptTunnelData completed with status 0x0
    [3964] 06-22 08:50:02:294:  Buffer length is 0
    [3964] 06-22 08:50:02:294: PeapDecryptTunnelData completed with status 0x0 for SECBUFFER_EXTRA
    [3964] 06-22 08:50:02:294: Invalid packet received when expecting capabilities response OR nak, treating it as inner fragmentation non capable
    [3964] 06-22 08:50:02:294: CRP - Create Identity Attribute
    [3964] 06-22 08:50:02:294: EapPeapSMakeMessage done
    [3964] 06-22 08:50:02:294: EapPeapMakeMessage done
    [3964] 06-22 08:50:02:305: EapPeapMakeMessage
    [3964] 06-22 08:50:02:305: EapPeapSMakeMessage, flags(0x2a05)
    [3964] 06-22 08:50:02:305: EapPeapSMakeMessage, user prop flags(0x2)
    [3964] 06-22 08:50:02:305: PEAP:PEAP_STATE_CAPABILITIES_REQ_SENT
    [3964] 06-22 08:50:02:305: CRP NAP - Starting Soh Negotiation
    [3964] 06-22 08:50:02:305: Starting SOH Negotiation
    [3964] 06-22 08:50:02:305: PeapEncryptTunnelData
    [3964] 06-22 08:50:02:305: Blob length 53
    [3964] 06-22 08:50:02:305: PeapEncryptTunnelData completed with status 0x0
    [3964] 06-22 08:50:02:305: EapPeapSMakeMessage done
    [3964] 06-22 08:50:02:305: EapPeapMakeMessage done
    [6884] 06-22 08:50:02:322: EapPeapMakeMessage
    [6884] 06-22 08:50:02:322: EapPeapSMakeMessage, flags(0x2a05)
    [6884] 06-22 08:50:02:322: EapPeapSMakeMessage, user prop flags(0x2)
    [6884] 06-22 08:50:02:322: Cloned PPP_EAP_PACKET packet
    [6884] 06-22 08:50:02:322: PEAP:PEAP_STATE_WAIT_FOR_CLIENT_TLV
    [6884] 06-22 08:50:02:322: CRP NAP
    [6884] 06-22 08:50:02:322: PeapDecryptTunnelData dwSizeofData = 74, pData = 0x1d4dd486
    [6884] 06-22 08:50:02:322: Blob length 74
    [6884] 06-22 08:50:02:322: PeapDecryptTunnelData completed with status 0x0
    [6884] 06-22 08:50:02:322:  Buffer length is 0
    [6884] 06-22 08:50:02:322: PeapDecryptTunnelData completed with status 0x0 for SECBUFFER_EXTRA
    [6884] 06-22 08:50:02:323: PeapEncryptTunnelData
    [6884] 06-22 08:50:02:323: Blob length 69
    [6884] 06-22 08:50:02:323: PeapEncryptTunnelData completed with status 0x0
    [6884] 06-22 08:50:02:323: EapPeapSMakeMessage done
    [6884] 06-22 08:50:02:323: EapPeapMakeMessage done
    [3964] 06-22 08:50:02:353: EapPeapMakeMessage
    [3964] 06-22 08:50:02:353: EapPeapSMakeMessage, flags(0xa05)
    [3964] 06-22 08:50:02:353: EapPeapSMakeMessage, user prop flags(0x2)
    [3964] 06-22 08:50:02:353: Cloned PPP_EAP_PACKET packet
    [3964] 06-22 08:50:02:353: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
    [3964] 06-22 08:50:02:353: PeapDecryptTunnelData dwSizeofData = 138, pData = 0xb8f5886
    [3964] 06-22 08:50:02:353: Blob length 138
    [3964] 06-22 08:50:02:353: PeapDecryptTunnelData completed with status 0x0
    [3964] 06-22 08:50:02:353:  Buffer length is 0
    [3964] 06-22 08:50:02:353: PeapDecryptTunnelData completed with status 0x0 for SECBUFFER_EXTRA
    [3964] 06-22 08:50:02:356: PeapEncryptTunnelData
    [3964] 06-22 08:50:02:356: Blob length 85
    [3964] 06-22 08:50:02:356: PeapEncryptTunnelData completed with status 0x0
    [3964] 06-22 08:50:02:356: EapPeapSMakeMessage done
    [3964] 06-22 08:50:02:356: EapPeapMakeMessage done
    [6884] 06-22 08:50:02:384: EapPeapMakeMessage
    [6884] 06-22 08:50:02:384: EapPeapSMakeMessage, flags(0xa05)
    [6884] 06-22 08:50:02:384: EapPeapSMakeMessage, user prop flags(0x2)
    [6884] 06-22 08:50:02:384: Cloned PPP_EAP_PACKET packet
    [6884] 06-22 08:50:02:384: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
    [6884] 06-22 08:50:02:384: PeapDecryptTunnelData dwSizeofData = 74, pData = 0x1d4dd546
    [6884] 06-22 08:50:02:384: Blob length 74
    [6884] 06-22 08:50:02:384: PeapDecryptTunnelData completed with status 0x0
    [6884] 06-22 08:50:02:384:  Buffer length is 0
    [6884] 06-22 08:50:02:384: PeapDecryptTunnelData completed with status 0x0 for SECBUFFER_EXTRA
    [6884] 06-22 08:50:02:384: PeapSetTypeUserAttributes
    [6884] 06-22 08:50:02:384: RasAuthAttributeConcat
    [6884] 06-22 08:50:02:384: Peap passing Inner Method attributes
    [6884] 06-22 08:50:02:384: EapPeapSMakeMessage done
    [6884] 06-22 08:50:02:384: EapPeapMakeMessage done
    [6884] 06-22 08:50:02:385: EapPeapMakeMessage
    [6884] 06-22 08:50:02:385: EapPeapSMakeMessage, flags(0xa05)
    [6884] 06-22 08:50:02:385: EapPeapSMakeMessage, user prop flags(0x2)
    [6884] 06-22 08:50:02:385: PEAP:PEAP_STATE_WAIT_FOR_SERVER_TLV
    [6884] 06-22 08:50:02:385: CreateEAPTLVPacket
    [6884] 06-22 08:50:02:385: TLV contents:
    80 03 00 02 00 02 00 00 00 00 00 00 00 00 00 00 |................|
    [6884] 06-22 08:50:02:385: Found a status TLV
    [6884] 06-22 08:50:02:385: Client returned Failure TLV
    [6884] 06-22 08:50:02:385: PeapEncryptTunnelData
    [6884] 06-22 08:50:02:385: Blob length 37
    [6884] 06-22 08:50:02:385: PeapEncryptTunnelData completed with status 0x0
    [6884] 06-22 08:50:02:385: Authentication failed due to IAS policy restrictions
    [6884] 06-22 08:50:02:385: EapPeapSMakeMessage done
    [6884] 06-22 08:50:02:385: EapPeapMakeMessage done
    [3964] 06-22 08:50:02:415: EapPeapMakeMessage
    [3964] 06-22 08:50:02:415: EapPeapSMakeMessage, flags(0xa05)
    [3964] 06-22 08:50:02:415: EapPeapSMakeMessage, user prop flags(0x2)
    [3964] 06-22 08:50:02:415: Cloned PPP_EAP_PACKET packet
    [3964] 06-22 08:50:02:415: PEAP:PEAP_STATE_PEAP_FAIL_SEND
    [3964] 06-22 08:50:02:415: PeapDecryptTunnelData dwSizeofData = 74, pData = 0xc738c86
    [3964] 06-22 08:50:02:415: Blob length 74
    [3964] 06-22 08:50:02:415: PeapDecryptTunnelData completed with status 0x0
    [3964] 06-22 08:50:02:415:  Buffer length is 0
    [3964] 06-22 08:50:02:415: PeapDecryptTunnelData completed with status 0x0 for SECBUFFER_EXTRA
    [3964] 06-22 08:50:02:415: GetPEAPTLVStatusMessageValueServer
    [3964] 06-22 08:50:02:415: Found a result TLV 2
    [3964] 06-22 08:50:02:415: SetTLSFastReconnect
    [3964] 06-22 08:50:02:415: IsTLSSessionReconnect
    [3964] 06-22 08:50:02:415: Full Tls authentication performed
    [3964] 06-22 08:50:02:415: The session is not setup for fast reconnects.  No need to disable.
    [3964] 06-22 08:50:02:415: PeapAddContextAttributes
    [3964] 06-22 08:50:02:415: RasAuthAttributeConcat
    [3964] 06-22 08:50:02:415: EapPeapSMakeMessage done
    [3964] 06-22 08:50:02:415: EapPeapMakeMessage done

    Wednesday, June 22, 2011 2:08 PM
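A small triage parser for the two logs above, added here as an example and not part of the original post: it walks a RASTLS trace for the PEAP state sequence and the NAP-relevant messages, pulls the Reason Code out of the NPS event text, and says whether the failure happened before or after the TLS tunnel and the SoH exchange. The sample lines are constructed from the traces quoted in the question.

```python
import re

# Constructed excerpt of the RASTLS trace and NPS event quoted in the question (not the full logs).
RASTLS_SAMPLE = """\
[3964] 06-22 08:50:02:228: PEAP:PEAP_STATE_TLS_INPROGRESS
[3964] 06-22 08:50:02:228: Negotiation successful
[3964] 06-22 08:50:02:294: PEAP:PEAP_STATE_CAPABILITIES_REQ_SENT
[3964] 06-22 08:50:02:294: Invalid packet received when expecting capabilities response OR nak
[3964] 06-22 08:50:02:305: CRP NAP - Starting Soh Negotiation
[6884] 06-22 08:50:02:322: PEAP:PEAP_STATE_WAIT_FOR_CLIENT_TLV
[6884] 06-22 08:50:02:385: PEAP:PEAP_STATE_WAIT_FOR_SERVER_TLV
[6884] 06-22 08:50:02:385: Client returned Failure TLV
[6884] 06-22 08:50:02:385: Authentication failed due to IAS policy restrictions
[3964] 06-22 08:50:02:415: PEAP:PEAP_STATE_PEAP_FAIL_SEND
"""
NPS_EVENT_SAMPLE = "Network Policy Name: -\nReason Code:     48\nReason: did not match any configured network policy."

LINE_RE = re.compile(r"^\[\d+\] (\d\d-\d\d \d\d:\d\d:\d\d:\d\d\d): (.*)$")
STATE_RE = re.compile(r"PEAP:(PEAP_STATE_\w+)")
# Trace messages that matter once a NAP health policy is attached to the network policy.
MARKERS = {
    "Negotiation successful": "tls_ok",            # outer tunnel built, server cert accepted
    "Starting Soh Negotiation": "soh_requested",   # NPS asked the client for a Statement of Health
    "expecting capabilities response": "no_capabilities_reply",
    "Client returned Failure TLV": "client_failure_tlv",
    "Authentication failed due to IAS policy restrictions": "policy_reject",
}

def parse_rastls(text):
    """Return the ordered PEAP states and the set of marker tags found in a RASTLS trace."""
    states, tags = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or hex-dump line, not a timestamped message
        msg = m.group(2)
        s = STATE_RE.search(msg)
        if s and (not states or states[-1] != s.group(1)):
            states.append(s.group(1))
        tags.update(tag for key, tag in MARKERS.items() if key in msg)
    return states, tags

def nps_reason_code(event_text):
    m = re.search(r"Reason Code:\s*(\d+)", event_text)
    return int(m.group(1)) if m else None

def diagnose(rastls_text, event_text):
    """Classify where in the PEAP/NAP exchange the request was rejected."""
    states, tags = parse_rastls(rastls_text)
    code = nps_reason_code(event_text)
    if "tls_ok" not in tags:
        verdict = "outer TLS failed: check server certificate and client trust"
    elif code == 48 and "soh_requested" in tags and "policy_reject" in tags:
        verdict = "tunnel and SoH exchange ran; NPS network policy rejected it (NAP/health path)"
    else:
        verdict = "failure elsewhere; inspect the state sequence"
    return {"reason_code": code, "states": states, "tags": sorted(tags), "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(RASTLS_SAMPLE, NPS_EVENT_SAMPLE))
```

Run it against a full RASTLS trace and the NPS event text to confirm that the outer TLS step succeeded and the rejection came from network-policy evaluation after the SoH exchange, which separates a health-policy mismatch from a certificate or credential problem.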
