EAP-TLS with Certificate, NPS and client not connecting

    Question

  • Hello,

    I am trying to put WPA-Enterprise security on my wireless network. In my environment, all the wireless users are domain users and there will be no mobile phones. At first I started with PEAP authentication and that worked for me. I was using a Server 2008 Root CA, NPS as the RADIUS server and different clients including Windows 7, XP, 2003 and 2008.

    When I enabled PEAP authentication, clients would ask for the domain username and password; once the username and password were entered, all the different clients got connected to my WPA-Enterprise wireless.

    Then I moved to certificate-based authentication, that is EAP-TLS. When I changed my network policies in NPS to accept EAP-TLS by selecting the "Smart card or other certificate" option for authentication, and made the corresponding changes on the client side, my wireless no longer worked with the new settings.

    I found that EAP-TLS requires a user certificate on the client side to authenticate the user and a computer certificate on the NPS server. The NPS server already has the computer certificate, so I issued a user certificate and imported it on the client under "Trusted Root Authority", but that didn't work either.

    I have imported the certificate to the client but it still shows the error "A certificate is required to connect to SSID, contact your network administrator".

    Can anybody tell me a simple way to authenticate wireless clients using certificates? I am ready to import the certificates to the clients manually.


    Thursday, 13 November 2014 9:48

Answers

  • Hi,

    According to the gpresult report, no Wireless Network (IEEE 802.11) Policy was applied to the wireless client.

    I would like to confirm whether the report was generated on a wireless client. Based on your original post, the wireless clients are domain computers.

    Now we can configure the domain group policy by following the steps below.

    1. Run gpmc.msc to open Group Policy Management.

    2. In the Group Policy Management console, expand Forest: sita1.lab\Domains\sita1.lab, right-click sita1.lab, click Create a GPO in this domain, and Link it here… (sita1.lab is my domain name).

    3. In the New GPO dialog box, enter a name, such as wireless, in the Name box, and click OK.

    4. Right-click the newly created GPO and click Edit.

    5. In the Group Policy Management Editor console, expand Computer Configuration\Policies\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies.

    6. Right-click Wireless Network (IEEE 802.11) Policies, then click Create A New Wireless Network Policy for Windows Vista and Later Releases for Windows 7 clients, or click Create A New Wireless Windows XP Policy for Windows XP clients.

    The remaining steps are the same as in the article I provided above.

    After finishing all steps, we can run the gpupdate /force command on the DC and all clients. To ensure this GPO was applied to domain clients, we can use the gpresult /h c:\report.html command on the clients.

    Here is a screenshot of the Wireless Network (802.11) policies; my configuration is not complete, but if we see this in the report, it shows that the group policy was applied to a computer.

    Best Regards,

    Tina


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer srguy Wednesday, 10 December 2014 8:49
    Wednesday, 10 December 2014 2:31
    Moderator
  • Hi Steven,

    Thanks for your prompt reply. Once again I tried to configure all the policies with the help of the shared links and got some success.

    1. Created a new policy on the NPS server (the old policy is still enabled) but at sequence #2
    2. Enabled the Auto-Enrollment policy in the GPO
    3. Enabled "RADIUS client is NAP-capable" under the RADIUS client configuration
    4. Configured a duplicate RAS & IAS Server template

    After all this I successfully got some access-granted logs under NPS Server > NPS.

    The certificate is auto-enrolling on the client computer, but while connecting to the wireless AP it gives the error that the certificate is unavailable.

    Previously, I was manually creating a certificate in Personal and then exporting it to the client, but after RAS & IAS it is all generated automatically:

    Issued To      Issued By     Expiration  Intended Purposes                                              Friendly Name  Certificate Template
    nps-TEST1-CA   nps-TEST1-CA  11/6/2019   <All>                                                          <None>
    test1.nps.com  nps-TEST1-CA  12/23/2015  Directory Service Email Replication                            <None>         Directory Email Replication
    test1.nps.com  nps-TEST1-CA  12/23/2015  Server Authentication, Client Authentication                   <None>         RAS and IAS Server1
    test1.nps.com  nps-TEST1-CA  12/23/2015  Client Authentication, Server Authentication, Smart Card Logon <None>         Domain Controller Authentication
    test1.nps.com  nps-TEST1-CA  12/23/2015  Server Authentication, Client Authentication                   <None>         Computer1

    Again gathered all the RRAS traces 

    https://drive.google.com/file/d/0B6Zbyw2VLdjHZldTU3NRN3NRWFk/view?usp=sharing

    Client IP (LAN): 10.10.10.15
    Client IP (Wireless): 10.10.10.25

    NPSServer: 10.10.10.2

    Please tell me what is going wrong and why the client is unable to connect to the AP.



    • Edited srguy Tuesday, 23 December 2014 13:12
    • Marked as answer srguy Tuesday, 30 December 2014 10:12
    Tuesday, 23 December 2014 12:28
  • Hi,

    Please refer to this article: Windows 7 users cannot get wifi cert.

    It seems like this issue is caused by Group Policy.

    Thank you.

    Regards,

    Steven Song


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer srguy Tuesday, 30 December 2014 10:09
    Thursday, 25 December 2014 11:45
  • Hi Steven,

    Thanks, your last link worked and I have created the profile again. It's now working fine. I will test with a Windows XP client as well and then replicate the changes in the live environment.

    Thanks once again.

    • Marked as answer srguy Tuesday, 30 December 2014 10:12
    Tuesday, 30 December 2014 10:11

All replies

  • One certificate is the root CA certificate, which establishes the trust relationship with the certificate authority, and the other certificate is the user certificate for authentication.

    The root CA certificate will be imported into Trusted Root Authority under the user account and the user certificate will be imported into Personal under the user account. I have manually imported these under Certificates > user account and they are visible.

    Thursday, 13 November 2014 10:01
  • Hi,

    The NPS server and wireless client need to trust the root CA certificate, so the root CA certificate should be installed on the NPS server and the wireless client. That is to say, if you have installed the root CA certificate successfully, you can see the root CA certificate in Trusted Root Certification Authorities/Certificates on these computers.

    Because EAP-TLS is mutual authentication, the NPS server should apply for a computer certificate, and the wireless client also needs to apply for a computer or a user certificate. You should install the computer or user certificate in the Personal container.

    Also, when you use a user certificate for the wireless client, you need to store it in the user certificate store. So when using MMC to add a Certificates snap-in, we need to select My user account. Then expand Certificates – Current User\Personal\Certificates, right-click Certificates, and click Request New Certificate.

    When you use a computer certificate for the wireless client and the NPS server, you need to store it in the computer certificate store. So when using MMC to add a Certificates snap-in, we need to select Computer account. Then expand Certificates (Local Computer)\Personal\Certificates; the rest is the same.

    Best Regards,

    Tina

    • Proposed as answer Elke Stangl Sunday, 23 November 2014 21:08
    Friday, 14 November 2014 9:37
    Moderator
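    An added PowerShell check, not from this thread or from Microsoft, that verifies on a domain-joined wireless client the prerequisites described above: the root CA in Trusted Root Certification Authorities, an unexpired certificate from that CA in Personal with a private key and the Client Authentication purpose, and a chain that builds. It assumes the issuing CA is named nps-TEST1-CA (the name that appears later in this thread); adjust for your own CA.

```powershell
# Added example (not from the thread): check the EAP-TLS certificate prerequisites
# on a Windows wireless client. Assumption: the issuing/root CA is nps-TEST1-CA.
# Run elevated for the machine store; run in the user's session with -UserCert.

function Test-EapTlsClientCert {
    [CmdletBinding()]
    param(
        [string]$CaName = 'nps-TEST1-CA',   # CN of the issuing/root CA (assumed)
        [switch]$UserCert                   # check Cert:\CurrentUser instead of Cert:\LocalMachine
    )
    $store         = if ($UserCert) { 'CurrentUser' } else { 'LocalMachine' }
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'    # Enhanced Key Usage: Client Authentication
    $localFqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # 1. The root CA must sit in Trusted Root Certification Authorities of the same store.
    #    A client certificate dropped into Trusted Root (the original poster's first
    #    attempt) does not satisfy this; the root goes to Root, the client cert to My.
    $root = Get-ChildItem "Cert:\$store\Root" | Where-Object { $_.Subject -like "*CN=$CaName*" }

    # 2. Personal must hold an unexpired certificate issued by that CA, with a private key
    #    and the Client Authentication purpose; that is what "Smart card or other
    #    certificate" offers to the NPS server during the TLS handshake.
    $candidates = @(Get-ChildItem "Cert:\$store\My" | Where-Object {
        $_.HasPrivateKey -and
        $_.Issuer -like "*CN=$CaName*" -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    })

    # 3. The chain has to build to the trusted root. For a machine certificate the DNS
    #    name in the certificate should be this computer's own name, because NPS derives
    #    the account identity (host/<fqdn>) from the certificate the client presents.
    $usable = foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $built = $chain.Build($cert)
        foreach ($s in $chain.ChainStatus) {
            Write-Warning "$($cert.Thumbprint): $($s.StatusInformation.Trim())"
        }
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if (-not $UserCert -and $names -notcontains $localFqdn) {
            Write-Warning "$($cert.Thumbprint): issued to '$($names -join ',')', not to $localFqdn"
        }
        if ($built -and ($UserCert -or $names -contains $localFqdn)) { $cert }
    }

    [pscustomobject]@{
        Store          = $store
        RootCaTrusted  = [bool]$root
        CandidateCerts = $candidates.Count
        UsableCerts    = @($usable | Select-Object Subject, Thumbprint, NotAfter)
        Ready          = [bool]$root -and @($usable).Count -gt 0
    }
}

# Machine certificate (the case the original poster settled on):
Test-EapTlsClientCert | Format-List
# User certificate, run in the wireless user's own session:
# Test-EapTlsClientCert -UserCert | Format-List
```

    Ready is true only when the root is trusted and at least one candidate certificate both chains and names this host; the warnings name the thumbprint that failed and why.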
  • The NPS server and wireless client need to trust the root CA certificate, so the root CA certificate should be installed in the NPS server and wireless client. That is to say, if you have installed the root CA certificate successfully, you can see the root CA certificate in the Trusted Root Certification Authorities/Certificates of these computers.

    It should be displayed on the NPS and wireless client at Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.

    I am using a computer certificate for the wireless client and NPS, so I will only be using that rather than also implementing a user certificate as you described in the 3rd paragraph.

    When you use the computer certificate for wireless client and NPS server, you need to store it in the computer certificate store. So when use MMC to add a Certificate snap-in, we need to select Computer account. Then expand the Certificates (Local Computer)\Personal\Certificates, the rest is the same.

    So there will be only 4 certificates to be installed: the root CA will be installed on the NPS and wireless client;
    the second step will be to import the certificate into Certificates (Local Computer)\Personal\Certificates on the client and the NPS server.


    What is the best way to revoke/delete a certificate from the NPS and client?
    • Edited srguy Friday, 14 November 2014 11:58
    Friday, 14 November 2014 9:47
  • Nobody faced a similar issue?
    Thursday, 20 November 2014 17:16
  • Hi,

    I'm sorry for replying late. Yes, your understanding is correct.

    If you want to delete a certificate from the NPS server and wireless client, expand the Personal container, click Certificates, and in the right pane right-click the certificate which you want to delete and click Delete.

    Also please ensure the wireless clients have the proper configuration.

    Configure Wireless Clients running Windows 7 and Windows Vista for EAP-TLS Authentication

    http://msdn.microsoft.com/en-us/library/dd759246.aspx

    Configure Wireless Clients running Windows XP for EAP-TLS Authentication

    http://msdn.microsoft.com/en-us/library/dd759138.aspx

    Best Regards,

    Tina

    • Proposed as answer Elke Stangl Sunday, 23 November 2014 21:08
    Friday, 21 November 2014 13:40
    Moderator
  • I have tried with PEAP and Smart Card but both give the same error.
    The policy name which I have created is not showing.

    Secondly, in the user's Dial-In properties, Control access through NPS is selected.


    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: NPS\shariq
    Account Name: shariq
    Account Domain: NPS
    Fully Qualified Account Name: nps.com/Users/shariq siddiqui

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 00259cd2033a
    Calling Station Identifier: 001a73a7f748

    NAS:
    NAS IPv4 Address: 10.10.10.5
    NAS IPv6 Address: -
    NAS Identifier: 00259cd2033a
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 24

    RADIUS Client:
    Client Friendly Name: Cafeteria
    Client IP Address: 10.10.10.5

    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: Connections to other access servers
    Authentication Provider: Windows
    Authentication Server: test1.nps.com
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 65
    Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.



    • Edited srguy Wednesday, 26 November 2014 11:06
    Wednesday, 26 November 2014 10:55
  • Hi,

    Based on the event log, the NPS server used the Connections to other access servers network policy to authenticate the user. I suppose this network policy was configured with Deny access. Because you chose Control access through NPS Network Policy in the Dial-in tab, the user needs to match a policy with Grant access permission.

    You could try to change the Connections to other access servers network policy to Grant access, then see if the user can pass authentication. Of course, we don't need to use this network policy to authenticate users; we need to use the policy which we configured.

    So please check if the policies which you created have any problems. We typically configure 802.1X policies on the Getting Started page, by selecting RADIUS server for 802.1X Wireless or Wired Connections.

    Then please move the wireless policy up, so this policy will be checked first. Right-click the network policy, then you can move it up.

    This is because the connection attempt is evaluated against the profile and user account settings of that policy. If the connection attempt doesn't match the profile or user account settings of the first network policy that matches the connection attempt, the connection attempt is rejected and no other policies are checked.

    For more details, please refer to the article below,

    Use the 802.1X Wizard to Configure NPS Network Policies

    http://technet.microsoft.com/en-us/library/dd283091(v=WS.10).aspx

    Best Regards,

    Tina

    Thursday, 27 November 2014 9:24
    Moderator
  • Hello, last time I created the NPS profile via Policies > Network Policies >

    Now this time I have created it with your method. Will try it out and update.

    ---

    I checked by granting access on Connections to other access servers and the error changed to:

    the user attempted to use an authentication method that is not enabled on the matching policy

    After setting it back to deny access it shows the same error again.

    The request policy name is current but the current policy name is showing wrong.


    • Edited srguy Monday, 01 December 2014 12:41
    Thursday, 27 November 2014 13:30
  • Hi srsiddiqui,

    Have you configured the corresponding domain group policy for wireless client and created network policy as I mentioned above?

    If you have configured the network policy, you could disable the Connections to other access servers network policy.

    If you have created the new network policy as above, and you set Deny access in the Connections to other access servers network policy, it is possible that the authentication method of the client is different from the authentication method in the network policy, so the authentication failed. So please double-check that you have configured these two parts correctly, and that the group policy has been applied to the clients.

    Best Regards,

    Tina

    Thursday, 04 December 2014 3:53
    Moderator
  • Hi,

    I have created the policy by the name of Wireless-New in NPS; it's also visible in the snapshot, but the corresponding policy is not being used.

    Is it the domain group policy you're referring to?

    I already disabled the Connections to other access servers network policy. Only the Wireless-New policy is granting access while the other two are set to deny access.

    I have configured the authentication method on the client as WPA2-Enterprise + AES.

    Tried to update the client forcefully with gpupdate.


    • Edited srguy Thursday, 04 December 2014 5:27
    Thursday, 04 December 2014 5:21
  • Hi,

    Yes, it is the domain group policy. You can configure the wireless client profile for domain users by using this group policy.

    To configure EAP-TLS, we should choose Microsoft: Smart Card or other certificate.

    When you configure the wireless client profile, have you selected Microsoft: Smart Card or other certificate in the Security tab of Profile properties?

    In the process of creating the new wireless network policy, you also need to select Microsoft: Smart Card or other certificate on the Select the EAP type for this policy page. If you have selected this, in Authentication Methods on the Constraints tab you can see that only Microsoft: Smart Card or other certificate is displayed under EAP Types.

    In addition, we can use the gpresult /h c:\report.html command to see if it was applied to domain clients.

    Best Regards,

    Tina

    Thursday, 04 December 2014 6:30
    Moderator
  • I have done the same as suggested by you.

    Unable to upload the GPResult output here:

    https://drive.google.com/file/d/0B6Zbyw2VLdjHVVlwYkRvV0VQZkU/view?usp=sharing



    • Edited srguy Thursday, 04 December 2014 7:46
    Thursday, 04 December 2014 7:15
  • Hello Tina,

    Can you guide me on what is going wrong with my config?

    Tuesday, 09 December 2014 4:39
  • I would like to confirm if the report was generated in one wireless client. And based on your original post, the wireless clients are domain computers.

    The report was generated on the domain controller. The client report is attached below:
    https://drive.google.com/file/d/0B6Zbyw2VLdjHbEdvLUlqT0RQdlk/view?usp=sharing

    I hadn't created any wireless policies in the Group Policy Management Editor console under Computer Configuration\Policies\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies, but now I have created two policies, for Windows XP and for Windows 7 and later.

    Please confirm that there are no settings for the wireless policies; I have just created and named them, nothing else has been done on the policy in the GPO.



    • Edited srguy Wednesday, 10 December 2014 5:36
    Wednesday, 10 December 2014 5:19
  • Hello,

    Based on the client report, there is no corresponding group policy applied to the wireless clients. The group policy configures a profile for the wireless client.

    Because all your clients have joined the domain, create a domain group policy and apply it to these domain computers. It is a convenient method to configure profiles for all wireless clients.

    By creating a new GPO instead of using the Default Domain Policy, we can manage the wireless network group policy more conveniently.

    Best Regards,

    Tina



    Wednesday, 10 December 2014 6:04
    Moderator
  • Hello,

    Got some success and the error changed, but the requested policy is still not being used, which is also highlighted below.

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: NPS\shariq
    Account Name: NPS\shariq
    Account Domain: NPS
    Fully Qualified Account Name: nps.com/Users/shariq siddiqui

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 00259cd2033a
    Calling Station Identifier: 2016d85963f8

    NAS:
    NAS IPv4 Address: 10.10.10.5
    NAS IPv6 Address: -
    NAS Identifier: 00259cd2033a
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 2

    RADIUS Client:
    Client Friendly Name: Cafeteria
    Client IP Address: 10.10.10.5

    Authentication Details:
    Connection Request Policy Name: Wireless-New
    Network Policy Name: Connections to other access servers
    Authentication Provider: Windows
    Authentication Server: test1.nps.com
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 22
    Reason: The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    Wednesday, 10 December 2014 7:38
  • Hi,

    Could you please attach a screenshot which displays the network policies you created?

    Based on the event log, the network policy used is the Connections to other access servers network policy, instead of the network policies which you created.

    Best Regards,

    Tina



    Wednesday, 10 December 2014 8:28
    Moderator
  • Wednesday, 10 December 2014 8:49
  • Hi srsiddiqui,

    If we configured multiple policies, when a user attempts to connect, the first policy in the ordered list of policies is checked. If all of the conditions of the policy do not match the connection attempt, the next policy in the ordered list is checked, until a policy matches the connection attempt.

    Based on the order of the policies, the Wireless-New network policy should be checked first. But it didn't match, so the Connections to other access servers network policy was checked next. But this network policy didn't have EAP types configured and it was also configured to deny access. So please also check if there are any other event logs which use the Wireless-New network policy.

    Best Regards,

    Tina



    Wednesday, 10 December 2014 12:13
    Moderator
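    An added PowerShell helper, not from this thread or from Microsoft, that parses the Event ID 6273 text NPS writes to the Security log and tallies denials by reason code and matched network policy, so the "which policy is actually being hit" question above can be answered from the log rather than by eye. The sample events are constructed here from the formats pasted in this thread; the reason-code hints cover only the codes this thread runs into (22, 48, 65).

```powershell
# Added example (not from the thread): summarise NPS "denied access" events (ID 6273).
# Sample events are constructed from the event text pasted in the thread.

# Reason codes seen in this thread, with the meaning the event text itself gives.
$ReasonHints = @{
    22 = 'EAP type cannot be processed: the client EAP method does not match the policy (e.g. PEAP configured where EAP-TLS is expected)'
    48 = 'No network policy matched: check policy order, conditions (NAS Port Type = Wireless) and that the policy is enabled'
    65 = 'Network Access Permission is Deny, either in the account dial-in tab or in the deny policy that matched (e.g. Connections to other access servers)'
}

function ConvertFrom-NpsDenyEvent {
    # Turn the "Section:" / "Key: Value" layout of event 6273 into one object per event.
    param([Parameter(Mandatory)][string]$Message)
    $fields  = [ordered]@{}
    $section = ''
    foreach ($raw in $Message -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -notmatch '^(?<key>[^:]+?):\s*(?<value>.*)$') { continue }  # prose lines have no "Key:" shape
        $key = $Matches.key.Trim(); $value = $Matches.value.Trim()
        if ($value -eq '') { $section = $key; continue }                      # "User:", "NAS:", ... open a section
        $fields[$(if ($section) { "$section.$key" } else { $key })] = $value
    }
    # Older/newer builds label the connection request policy differently; accept both.
    $requestPolicy = $fields['Authentication Details.Connection Request Policy Name']
    if (-not $requestPolicy) { $requestPolicy = $fields['Authentication Details.Proxy Policy Name'] }
    [pscustomobject]@{
        ReasonCode    = [int]$fields['Authentication Details.Reason Code']
        Reason        = $fields['Authentication Details.Reason']
        NetworkPolicy = $fields['Authentication Details.Network Policy Name']
        RequestPolicy = $requestPolicy
        EapType       = $fields['Authentication Details.EAP Type']
        Account       = $fields['User.Account Name']
        ClientMac     = $fields['Client Machine.Calling Station Identifier']
        Nas           = $fields['NAS.NAS IPv4 Address']
        Fields        = $fields
    }
}

function Get-NpsDenySummary {
    # One row per (reason code, matched network policy), with the clients that hit it.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object ReasonCode, NetworkPolicy | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            ReasonCode    = $first.ReasonCode
            NetworkPolicy = $first.NetworkPolicy
            Count         = $_.Count
            Clients       = ($_.Group | ForEach-Object ClientMac | Sort-Object -Unique) -join ','
            Hint          = $ReasonHints[$first.ReasonCode]
        }
    } | Sort-Object Count -Descending
}

# Constructed sample events, shaped like the ones pasted in the thread.
$template = @'
Network Policy Server denied access to a user.

User:
Security ID: NPS\shariq
Account Name: shariq
Account Domain: NPS

Client Machine:
Security ID: NULL SID
Account Name: -
Called Station Identifier: 00259cd2033a
Calling Station Identifier: {0}

NAS:
NAS IPv4 Address: 10.10.10.5
NAS Port-Type: Wireless - IEEE 802.11

Authentication Details:
Connection Request Policy Name: Wireless-New
Network Policy Name: {1}
Authentication Type: EAP
EAP Type: -
Reason Code: {2}
Reason: {3}
'@
$SampleEvents = @(
    ($template -f '001a73a7f748', 'Connections to other access servers', 65, 'The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user.'),
    ($template -f '2016d85963f8', 'Connections to other access servers', 22, 'The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.'),
    ($template -f '2016d85963f8', '-', 48, 'The connection request did not match any configured network policy.')
)
$parsed = $SampleEvents | ForEach-Object { ConvertFrom-NpsDenyEvent -Message $_ }
Get-NpsDenySummary -Events $parsed | Format-Table -AutoSize

# Live version, run elevated on the NPS server:
# Get-NpsDenySummary -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } |
#     ForEach-Object { ConvertFrom-NpsDenyEvent -Message $_.Message }) | Format-Table -AutoSize
```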
  • I filtered the complete Event Viewer for policies but only find Wireless-New in NPS.

    You can download the complete logs from https://drive.google.com/file/d/0B6Zbyw2VLdjHZVJOTTNCT1p1a00/view?usp=sharing

    GP Result from DC: https://drive.google.com/file/d/0B6Zbyw2VLdjHbmJtRmJSVEtHTUU/view?usp=sharing

    GP Result from Client: https://drive.google.com/file/d/0B6Zbyw2VLdjHR3E2aFp0S2NXVWc/view?usp=sharing

    Previously it was giving error 22 as I mistakenly configured PEAP in the network policies under the GPO,

    and now it's again giving error 65.

    • Edited srguy Wednesday, 10 December 2014 14:12
    Wednesday, 10 December 2014 12:44
  • Hi srsiddiqui,

    There are indeed no event logs related to the Wireless-New network policy. How about disabling the Connections to other access servers network policy in the Overview tab, to see if the event logs change?

    Best Regards,

    Tina



    Thursday, 11 December 2014 8:55
    Moderator
  • After disabling it, it shows this error:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          12/11/2014 2:42:35 PM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      test1.nps.com
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: NPS\TEST1$
    Account Name: host/test1.nps.com
    Account Domain: NPS
    Fully Qualified Account Name: NPS\TEST1$

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 00259cd2033a
    Calling Station Identifier: 2016d85963f8

    NAS:
    NAS IPv4 Address: 10.10.10.5
    NAS IPv6 Address: -
    NAS Identifier: 00259cd2033a
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 2

    RADIUS Client:
    Client Friendly Name: Cafeteria
    Client IP Address: 10.10.10.5

    Authentication Details:
    Connection Request Policy Name: Wireless-New
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: test1.nps.com
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 48
    Reason: The connection request did not match any configured network policy.

    • Edited srguy Thursday, 11 December 2014 9:45
    Thursday, 11 December 2014 9:39
  • Tried to troubleshoot with the links below but still no success; same Event ID 6273, Reason Code 48.

    http://msdn.microsoft.com/en-us/library/dd314162%28v=ws.10%29.aspx

    http://msdn.microsoft.com/en-us/library/dd348461%28v=ws.10%29.aspx#napinfrastructureeventsanderrors

    One more thing: the username in the above logs is from the DC, meaning TEST1 is the DC where NPS and the CA are installed.

    Security ID:  NPS\TEST1$
    Account Name:  host/test1.nps.com
    Account Domain: NPS
    Fully Qualified Account Name: NPS\TEST1$

    Why is it showing the DC name if I am connecting with the Windows 7 client machine?


    • Edited srguy Thursday, 11 December 2014 13:10
    Thursday, 11 December 2014 10:37
  • Hi Tina,

    Please let me know what is going wrong with my test environment.

    Sunday, 14 December 2014 8:13
  • I guess Microsoft doesn't have any solution for this issue?
    Tuesday, 16 December 2014 8:30
  • Hi srsiddiqui,

    I'm trying to involve someone who is more familiar with this topic for a further look.

    Thanks for your understanding and support.

    Best Regards,

    Tina



    Tuesday, 16 December 2014 9:23
    Moderator
  • Hi Tina,

    I am hoping to see the solution for this issue. It's been more than a month since I have been facing this issue and I am unable to find a solution on the internet.

    Tuesday, 16 December 2014 13:35
  • Hi srsiddiqui,

    From the initial information, the issue is complex.

    For such an issue, it is not efficient to work in this community since we may need more resources, for example a memory (application) dump or ETL trace, which is not appropriate to handle in the community. I'd like to suggest that you submit a service request to MS Professional tech support service so that a dedicated Support Professional can further assist with this request.

    Please visit the link below to see the various paid support options that are available to better meet your needs. http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone

    Anyway, I am providing the general troubleshooting steps for your reference.

    Collect RRAS traces and network traces on a client and the NPS server. To do this:

    a. Download the Microsoft Network Monitor tool from the following link and install it on the client and the server.

    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f

    b. Start Network Monitor via "Start" -> "Programs" -> "Microsoft Network Monitor 3.4" -> "Microsoft Network Monitor 3.4" on the client and the server.

    c. In the left panel, select the LAN connection on the server and the corresponding connection on the client.

    d. Click "Tools", click "Options", switch to the "Capture" tab, and set "Temporary capture file size (MB)" to 200 on the client and the server.

    e. On the NPS server and the wireless client, run the following command at the command prompt to enable RRAS tracing:

    netsh ras set tracing * enabled

    f. Click "New Capture", then click "Start" on the Capture menu in the two Network Monitor windows.

    g. Now, from the client, try to establish the wireless connection to reproduce the problem.

    h. Once the problem occurs, click "Stop" on the Capture menu on the client and the server, and click "File" -> "Save as" to save the captured files.

    i. Run the following command at the command prompt on both the NPS server and the client to disable RRAS tracing:

    netsh ras set tracing * disabled

    j. The tracing files are saved in the %systemroot%\tracing folder.

    Note: Please inform me of the client's and server's IP addresses.

    Best regards,

    Steven Song



    Wednesday, 17 December 2014 15:47
  • Hello Steven,

    Since I am trying to configure EAP-TLS in a test environment, it will not be possible for me to get Microsoft incident support on this issue, nor do I have a support contract with Microsoft.

    Secondly, as suggested by you, the logs are attached for reference along with the current event logs at the NPS server:

    https://drive.google.com/file/d/0B6Zbyw2VLdjHbmxqTEI0V0hwQmM/view?usp=sharing

    Client IP (LAN): 10.10.10.15
    Client IP (Wireless): 10.10.10.25

    NPSServer: 10.10.10.2

    • Edited srguy Thursday, 18 December 2014 7:26
    Thursday, 18 December 2014 7:25
  • Hi srsiddiqui,

    Logs received. Will let you know the analysis later.

    Thank you.

    Best regards,

    Steven Song



    Friday, 19 December 2014 9:05
  • Hi Steven,

    Did you find anything suspicious?

    Monday, 22 December 2014 7:50
  • Hi Srsiddiqui,

    Sorry for the delay. I have checked the log carefully, but there is no RRAS tracing since I did not receive it. I found this error message: "The connection request did not match any configured network policy."

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
     Security ID:   *No String Type*
     Account Name:   host/test1.nps.com
     Account Domain:   NPS
     Fully Qualified Account Name: NPS\TEST1$

    Client Machine:
     Security ID:   *No String Type*
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  00259cd2033a
     Calling Station Identifier:  2016d85963f8

    NAS:
     NAS IPv4 Address:  10.10.10.5
     NAS IPv6 Address:  -
     NAS Identifier:   00259cd2033a
     NAS Port-Type:   Wireless - IEEE 802.11
     NAS Port:   2

    RADIUS Client:
     Client Friendly Name:  Cafeteria
     Client IP Address:   10.10.10.5

    Authentication Details:
     Proxy Policy Name:  Wireless-New
     Network Policy Name:  -
     Authentication Provider:  Windows
     Authentication Server:  test1.nps.com
     Authentication Type:  EAP
     EAP Type:   -
     Account Session Identifier:  -
     Reason Code:   48
     Reason:    The connection request did not match any configured network policy.

    From the netmon tracing:

    1311 3:01:26 PM 12/18/2014 30.3386387  10.10.10.5 TEST1  EAP EAP:Response, Type = Identity {EAP:287, RADIUS:286, UDP:285, IPv4:284}

      Frame: Number = 1311, Captured Frame Length = 191, MediaType = ETHERNET
    + Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-01-B1-30],SourceAddress:[00-25-9C-D2-03-38]
    + Ipv4: Src = 10.10.10.5, Dest = 10.10.10.2, Next Protocol = UDP, Packet ID = 50229, Total IP Length = 177
    + Udp: SrcPort = 1025, DstPort = 1812, Length = 157
    + Radius: Access Request, Id = 3, Length = 149
    - EAPMessage: Response, Type = Identity
        Code: Response, 2(0x2)
        Identifier: 0 (0x0)
        Length: 23 bytes
        Type: Identity, 1(0x1)
        IdentityData: host/test1.nps.com

    1317 3:01:27 PM 12/18/2014 30.4548890  TEST1  10.10.10.5 EAP EAP:Failure {EAP:287, RADIUS:286, UDP:285, IPv4:284}

    This issue is still related to the NPS policy and the certificate on the client. I suggest you issue a computer certificate to the computer and check whether the issue persists. If not, please gather complete tracing for further troubleshooting.

    Regards,

    Steven Song



    Monday, December 22, 2014 9:52
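    The event quoted above is an NPS audit event (Event ID 6273) that is rejected at reason code 48 with no network policy name and no EAP type, i.e. before any EAP-TLS handshake started. The following is an added example for this thread, not code from the thread, from NPS or from Microsoft: it parses that event body (reconstructed inline from the text above) into fields, normalizes the Called/Calling Station identifiers into MAC form so they can be matched against a capture, and maps the reason code to a short explanation plus a hint about where in the NPS pipeline the request died. The reason-code table is deliberately tiny; 48 is from the thread and the wording for 65 is paraphrased from memory of the NPS reason-code reference and should be checked against the documentation for your NPS version.

```python
"""Triage helper for NPS "denied access" audit events (Event ID 6273).
Added example for this thread; not code from the thread, NPS or Microsoft.
"""
import re

# 48 is the code shown in the thread. The wording for 65 is paraphrased from
# the NPS reason-code reference (assumption: verify for your NPS version).
NPS_REASON = {
    48: "The connection request did not match any configured network policy.",
    65: "Network Access Permission on the AD account is set to Deny access.",
}

# Constructed from the event text quoted in the thread (not a live event).
SAMPLE_EVENT = r"""Network Policy Server denied access to a user.
User:
    Security ID:   *No String Type*
    Account Name:   host/test1.nps.com
    Account Domain:   NPS
    Fully Qualified Account Name: NPS\TEST1$
Client Machine:
    Security ID:   *No String Type*
    Account Name:   -
    Fully Qualified Account Name: -
    OS-Version:   -
    Called Station Identifier:  00259cd2033a
    Calling Station Identifier:  2016d85963f8
NAS:
    NAS IPv4 Address:  10.10.10.5
    NAS Identifier:   00259cd2033a
    NAS Port-Type:   Wireless - IEEE 802.11
    NAS Port:   2
RADIUS Client:
    Client Friendly Name:  Cafeteria
    Client IP Address:   10.10.10.5
Authentication Details:
    Proxy Policy Name:  Wireless-New
    Network Policy Name:  -
    Authentication Provider:  Windows
    Authentication Server:  test1.nps.com
    Authentication Type:  EAP
    EAP Type:   -
    Reason Code:   48
    Reason:    The connection request did not match any configured network policy.
"""


def parse_nps_event(text):
    """Return {'Section.Field': value}; sections are unindented lines ending in ':'."""
    fields, section = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented, line = raw[:1] in (" ", "\t"), raw.strip()
        if not indented and line.endswith(":"):
            section = line[:-1]
        elif indented and section and ":" in line:
            name, _, value = line.partition(":")
            fields[section + "." + name.strip()] = value.strip()
    return fields


def format_mac(station_id):
    """Render a station identifier such as '2016d85963f8' as 20:16:d8:59:63:f8."""
    digits = re.sub(r"[^0-9a-fA-F]", "", station_id or "").lower()
    if len(digits) != 12:
        return station_id
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def hint_for(s):
    """Where in the NPS pipeline the request was rejected, and what to review."""
    if s["reason_code"] == 48 and s["network_policy"] is None:
        return ("Rejected during network-policy matching, before any EAP-TLS exchange: "
                "check policy order and conditions (NAS Port Type, Windows Groups) "
                "for port type %r." % s["port_type"])
    if s["eap_type"] is None:
        return "Rejected before an EAP method was negotiated; review policy matching."
    return "Rejected inside the EAP method; check the client and server certificates."


def triage(event_text):
    """Summarize one 6273 event: who, from where, which policy, and why."""
    f = parse_nps_event(event_text)
    blank = lambda v: None if v in (None, "", "-") else v  # NPS prints '-' for unset
    rc = f.get("Authentication Details.Reason Code", "")
    s = {
        "account": f.get("User.Fully Qualified Account Name"),
        "nas_ip": f.get("NAS.NAS IPv4 Address"),
        "radius_client": f.get("RADIUS Client.Client Friendly Name"),
        "port_type": f.get("NAS.NAS Port-Type"),
        "client_mac": format_mac(f.get("Client Machine.Calling Station Identifier")),
        "ap_mac": format_mac(f.get("Client Machine.Called Station Identifier")),
        "network_policy": blank(f.get("Authentication Details.Network Policy Name")),
        "eap_type": blank(f.get("Authentication Details.EAP Type")),
        "reason_code": int(rc) if rc.isdigit() else None,
    }
    s["reason"] = NPS_REASON.get(s["reason_code"], f.get("Authentication Details.Reason"))
    s["hint"] = hint_for(s)
    return s
```

    Running `triage(SAMPLE_EVENT)` on the thread's event gives reason code 48, no network policy, no EAP type, and the normalized Called Station `00:25:9c:d2:03:3a`, which is the same AP address that appears as the Ethernet source in the Network Monitor frame above; that agreement is a quick sanity check that the event and the capture describe the same attempt.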
  • Steven,

    Can you please suggest a link on how to generate certificates from certificate authority templates?

    --

    I issued a new computer certificate for the computer before, but it didn't work out. Every time, the NPS policy "Connection to other access server" is checked, even though the created policy is on top of all the previous policies.

    So, I have disabled the policy "Connection to other access server" and tried to connect, but it's giving reason code 48; otherwise it's giving reason code 65.

    Since I am the NPS administrator, I have to resolve it this way. Stuck at this error.

    The tracing logs have been gathered in the same way as asked. If required, I can also connect you via TeamViewer/Ammyy Admin for a closer look at the NPS policies.

    • Edited by srguy Monday, December 22, 2014 11:29
    Monday, December 22, 2014 10:09
  • Hi Srsiddiqui,

    Sorry that it is not convenient to have a remote session due to the policy on our side. However, I am providing the relevant articles for your reference.

    Certificates and NPS

    http://technet.microsoft.com/en-us/library/cc772401(v=ws.10).aspx

    Creating a secure 802.1x wireless infrastructure using Microsoft Windows

    http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx

    RADIUS: Creating a Policy in NPS to support EAP-TLS authentication

    https://kb.meraki.com/knowledge_base/radius-creating-a-policy-in-nps-to-support-eap-tls-authentication

    Thank you for your understanding and cooperation.

    Best regards,

    Steven Song

    Tuesday, December 23, 2014 10:12
  • Hi Steven,

    Thanks for your prompt reply. Once again I tried to configure all the policies with the help of the shared links and got some success.

    1. Created a new policy on the NPS server (the old policy is still enabled) but at seq #2
    2. Enabled the Auto-Enrollment policy in the GPO
    3. Enabled "RADIUS client is NAP-capable" under the RADIUS client configuration
    4. Configured a duplicate RAS & IAS Server template

    After all this, I successfully got some access granted logs under NPS Server > NPS.

    The certificate is auto-enrolling into the client computer, but while connecting to the wireless AP, it's giving an error that the certificate is unavailable.

    Previously, I was manually creating a certificate in Personal and then exporting it to the client, but after RAS & IAS it's all generated automatically. Event:

    (Issued To / Issued By / Expiration Date / Intended Purposes / Friendly Name / Certificate Template)
    nps-TEST1-CA nps-TEST1-CA 11/6/2019 <All> <None>
    test1.nps.com nps-TEST1-CA 12/23/2015 Directory Service Email Replication <None>     Directory Email Replication
    test1.nps.com nps-TEST1-CA 12/23/2015 Server Authentication, Client Authentication <None>     RAS and IAS Server1
    test1.nps.com nps-TEST1-CA 12/23/2015 Client Authentication, Server Authentication, Smart Card Logon <None>     Domain Controller Authentication
    test1.nps.com nps-TEST1-CA 12/23/2015 Server Authentication, Client Authentication <None>     Computer1

    Again gathered all the RRAS traces:

    https://drive.google.com/file/d/0B6Zbyw2VLdjHZldTU3NRN3NRWFk/view?usp=sharing

    Client IP (LAN): 10.10.10.15
    Client IP (Wireless): 10.10.10.25

    NPSServer: 10.10.10.2

    Please tell me what is going wrong and why the client is unable to connect to the AP.

    • Edited by srguy Tuesday, December 23, 2014 13:12
    • Marked as answer by srguy Tuesday, December 30, 2014 10:12
    Tuesday, December 23, 2014 12:28
  • Hi,

    Sorry for the delay; I tried to reply to this yesterday but it failed. I have checked the logs and found that no response was sent from the NPS server. Only the EAP packets are being sent to the AP, but there is no response.

    Client side:

    1379 8:34:42 PM 12/23/2014 43.4212286  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
    1410 8:34:55 PM 12/23/2014 56.3739874  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
    1412 8:34:55 PM 12/23/2014 56.3819564  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
    1458 8:34:58 PM 12/23/2014 59.8553508  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
    1460 8:34:58 PM 12/23/2014 59.8729614  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
    1500 8:35:03 PM 12/23/2014 63.9453916  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
    1563 8:35:06 PM 12/23/2014 67.4464273  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
    1565 8:35:06 PM 12/23/2014 67.4539549  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
    1625 8:35:16 PM 12/23/2014 77.6307490  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
    1627 8:35:16 PM 12/23/2014 77.6403368  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
    1689 8:35:20 PM 12/23/2014 81.1437593  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
    1690 8:35:20 PM 12/23/2014 81.1477638  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}

    Thank you.

    Regards,

    Steven Song



    Thursday, December 25, 2014 10:09
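    The client-side capture above shows the AP sending EAP Identity Requests over and over while the client never sends a single EAP Response; that is the signature of a supplicant that has no usable credential or profile, and it explains why NPS logs nothing for those attempts. The following is an added example for this thread, not code from the thread or from Network Monitor: it parses frame-summary lines in the layout quoted above (the twelve lines are reconstructed inline from the post) and, per client, counts Identity Requests received against Responses sent, flagging a "supplicant_silent" client. A second, constructed capture with a hypothetical client name ("Contoso Client 112233") shows what a healthy start of the exchange looks like for contrast.

```python
"""Spot a silent 802.1X supplicant in a client-side EAP capture.
Added example for this thread; not code from the thread or from Network Monitor.
"""
import re
from collections import defaultdict

# Constructed from the frame-summary lines quoted in the thread: twelve
# EAP Identity Requests from the AP, and nothing back from the client.
SILENT_CLIENT = """
1379 8:34:42 PM 12/23/2014 43.4212286  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
1410 8:34:55 PM 12/23/2014 56.3739874  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
1412 8:34:55 PM 12/23/2014 56.3819564  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
1458 8:34:58 PM 12/23/2014 59.8553508  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
1460 8:34:58 PM 12/23/2014 59.8729614  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
1500 8:35:03 PM 12/23/2014 63.9453916  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
1563 8:35:06 PM 12/23/2014 67.4464273  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
1565 8:35:06 PM 12/23/2014 67.4539549  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
1625 8:35:16 PM 12/23/2014 77.6307490  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
1627 8:35:16 PM 12/23/2014 77.6403368  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
1689 8:35:20 PM 12/23/2014 81.1437593  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
1690 8:35:20 PM 12/23/2014 81.1477638  [00259C D2033A] [Quanta Microsystems, INC. 96A064] EAP EAP:Request, Type = Identity {EAP:237}
"""

# Constructed contrast case (hypothetical client name): one Identity Request
# answered by an Identity Response, which is what a healthy start looks like.
RESPONDING_CLIENT = """
201 9:10:00 AM 12/23/2014 1.0000000  [00259C D2033A] [Contoso Client 112233] EAP EAP:Request, Type = Identity {EAP:237}
202 9:10:00 AM 12/23/2014 1.0200000  [Contoso Client 112233] [00259C D2033A] EAP EAP:Response, Type = Identity {EAP:237}
"""

# frame number, wall clock, date, capture offset, then [src] [dst] and the protocol summary
FRAME_RE = re.compile(r"^(?P<frame>\d+)\s+\d{1,2}:\d{2}:\d{2}\s[AP]M\s+\S+\s+(?P<offset>\d+\.\d+)\s+(?P<rest>.*)$")
EAP_RE = re.compile(r"\bEAP:(?P<code>Request|Response|Success|Failure)(?:, Type = (?P<type>\w+))?")


def parse_frames(text):
    """One dict per EAP frame: number, capture offset, src, dst, EAP code and type."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        eap = EAP_RE.search(m["rest"])
        endpoints = re.findall(r"\[([^\]]+)\]", m["rest"])  # [src] [dst] as Network Monitor prints them
        if not eap or len(endpoints) < 2:
            continue
        frames.append({"frame": int(m["frame"]), "offset": float(m["offset"]),
                       "src": endpoints[0], "dst": endpoints[1],
                       "code": eap["code"], "type": eap["type"]})
    return frames


def assess_supplicants(frames, min_requests=3):
    """Per client: Identity Requests received, EAP Responses sent, and a verdict."""
    stats = defaultdict(lambda: {"identity_requests": 0, "responses": 0,
                                 "first": None, "last": None})
    for f in frames:
        if f["code"] == "Request" and f["type"] == "Identity":
            s = stats[f["dst"]]                     # the AP asks; the client is the destination
            s["identity_requests"] += 1
            s["first"] = f["offset"] if s["first"] is None else s["first"]
            s["last"] = f["offset"]
        elif f["code"] == "Response":
            stats[f["src"]]["responses"] += 1       # the client answers
    for s in stats.values():
        s["span_seconds"] = round((s["last"] or 0.0) - (s["first"] or 0.0), 6)
        if s["responses"]:
            s["verdict"] = "responding"
        elif s["identity_requests"] >= min_requests:
            s["verdict"] = "supplicant_silent"      # AP keeps asking, client never answers
        else:
            s["verdict"] = "insufficient_data"
    return dict(stats)


if __name__ == "__main__":
    for name, capture in (("silent", SILENT_CLIENT), ("responding", RESPONDING_CLIENT)):
        for client, s in assess_supplicants(parse_frames(capture)).items():
            print(name, client, s["verdict"], s["identity_requests"], s["responses"], s["span_seconds"])
```

    On the thread's capture this reports twelve Identity Requests, zero Responses and a verdict of "supplicant_silent" over a span of about 38 seconds; because the client never answers, the AP never forwards anything to NPS, which is why the server log is empty for these attempts and why the fix ended up being on the client side (the wireless profile delivered by Group Policy), not in the NPS policies.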
  • Hi Steven,

    So what might be the issue, since I am seeing success messages in the NPS logs but the user still faces a certificate error?

    Thursday, December 25, 2014 10:15
  • Hi,

    Please refer to this article: Windows 7 users cannot get wifi cert.

    It seems like this issue is caused by Group Policy.

    Thank you.

    Regards,

    Steven Song



    • Marked as answer by srguy Tuesday, December 30, 2014 10:09
    Thursday, December 25, 2014 11:45
  • Hi Steven,

    Thanks, your last link worked and I have created the profile again. It's now working fine. I will test with a Windows XP client as well and then replicate the changes in the live environment.

    Thanks once again.

    • Marked as answer by srguy Tuesday, December 30, 2014 10:12
    Tuesday, December 30, 2014 10:11
  • Hello, I'm an intern, and currently they asked me to do the same thing. Please explain to me how you did it; I am completely lost.
    Thursday, April 12, 2018 8:25
  • Hi,

    It did work for me with Windows 7 clients, but it didn't work with a Windows XP client at that point in time.

    You can check the link below:

    https://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/#comment-67173

    Friday, April 13, 2018 12:24