Nokia mobile phones unable to connect wifi that uses authentication backend based on NPS and AD RRS feed

  • Question

  • Hi soulmates,

    I'm setting up a wireless network with an authentication backend based upon Microsoft NPS and Microsoft AD:
    Mobile devices (phones, tablets), Laptops <=> Cisco AP's <=> Cisco WLC <=> MS NPS <=> MS AD
    The authentication protocol we're using is PEAP-MSCHAPv2.
    Everything works fine, except Nokia phones.
    For testing purposes I use a Nokia E52 with the newest firmware and the following settings:
    ------

    Connectionname: SSIDname
    Bearer: Wireless LAN
    WLAN networkname: SSIDname
    Networkstatus: public
    WLANmode: Infrastructure
    WLANsecurity: 802.1x
    WPA/WPA2: EAP
    EAP-PEAP is enabled and set to highest priority
    Personal Certificate: none
    Authority Certificate: the root certificate of our internal CA which signed the NPS certificate
    Username in use: userdefined
    Username: ppokorny (I have played with this using constructs like clance\ppokorny)
    Realm in use: userdefined
    Realm : empty (I have played with this setting it to clance)
    PEAPv0: allowed
    PEAPv1: not allowed
    PEAPv2: not allowed
    EAP-MSCHAPv2 is enabled and set to highest priority
    Username: ppokorny (I have played with this using constructs like clance\ppokorny)
    Ask Password: yes (doesn't matter if yes or no for function)
    Password: the password of ppokorny
    All encryption combinations are enabled

    ------

    Error reported by NPS:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          6/15/2011 9:24:36 AM
    Event ID:      6274
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      ACOMA.clance.local
    Description:
    Network Policy Server discarded the request for a user.

    Contact the Network Policy Server administrator for more information.

    User:
     Security ID:   NULL SID
     Account Name:   ppokorny@clance
     Account Domain:   CLANCE
     Fully Qualified Account Name: CLANCE\ppokorny

    Client Machine:
     Security ID:   NULL SID
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  ec-c8-82-a5-b8-00:clnetd
     Calling Station Identifier:  90-cf-15-4b-a6-07

    NAS:
     NAS IPv4 Address:  10.30.0.70
     NAS IPv6 Address:  -
     NAS Identifier:   wlc-praha
     NAS Port-Type:   Wireless - IEEE 802.11
     NAS Port:   13

    RADIUS Client:
     Client Friendly Name:  WLC Praha
     Client IP Address:   10.30.0.70

    Authentication Details:
     Connection Request Policy Name: Policy - WiFi for internal users
     Network Policy Name:  -
     Authentication Provider:  Windows
     Authentication Server:  ACOMA.clance.local
     Authentication Type:  -
     EAP Type:   -
     Account Session Identifier:  -
     Reason Code:   1
     Reason:    An internal error occurred. Check the system event log for additional information.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>6274</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2011-06-15T07:24:36.027036200Z" />
        <EventRecordID>153626341</EventRecordID>
        <Correlation />
        <Execution ProcessID="464" ThreadID="3500" />
        <Channel>Security</Channel>
        <Computer>ACOMA.clance.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">ppokorny@clance</Data>
        <Data Name="SubjectDomainName">CLANCE</Data>
        <Data Name="FullyQualifiedSubjectUserName">CLANCE\ppokorny</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">-</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">ec-c8-82-a5-b8-00:clnetd</Data>
        <Data Name="CallingStationID">90-cf-15-4b-a6-07</Data>
        <Data Name="NASIPv4Address">10.30.0.70</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">wlc-praha</Data>
        <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
        <Data Name="NASPort">13</Data>
        <Data Name="ClientName">WLC Praha</Data>
        <Data Name="ClientIPAddress">10.30.0.70</Data>
        <Data Name="ProxyPolicyName">Policy - WiFi for internal users</Data>
        <Data Name="NetworkPolicyName">-</Data>
        <Data Name="AuthenticationProvider">Windows</Data>
        <Data Name="AuthenticationServer">ACOMA.clance.local</Data>
        <Data Name="AuthenticationType">-</Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">-</Data>
        <Data Name="ReasonCode">1</Data>
        <Data Name="Reason">An internal error occurred. Check the system event log for additional information.</Data>
      </EventData>
    </Event>


    Thanks in advance

    Michal Stoppl

    Wednesday, June 15, 2011 8:04 AM
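As an added example (not part of the original post and not NPS's own tooling), here is a PowerShell snippet that flattens the event XML above into its EventData fields and groups discarded requests by the client's Calling Station Identifier, so that one device type failing repeatedly, as in this thread, stands out as a single row with a high count. The sample event embedded in the script is constructed from the one posted above; the function names and the commented live Get-WinEvent query are this example's own choices.

```powershell
# Added example, not from the thread: parse NPS event 6274 (request discarded)
# and summarise discards per client. Needs PowerShell 3.0 or later.

# Constructed sample event, trimmed from the one posted in the question.
$sampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>6274</EventID>
    <TimeCreated SystemTime="2011-06-15T07:24:36.027036200Z" />
    <Computer>ACOMA.clance.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">ppokorny@clance</Data>
    <Data Name="FullyQualifiedSubjectUserName">CLANCE\ppokorny</Data>
    <Data Name="CallingStationID">90-cf-15-4b-a6-07</Data>
    <Data Name="NASIdentifier">wlc-praha</Data>
    <Data Name="ProxyPolicyName">Policy - WiFi for internal users</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="ReasonCode">1</Data>
    <Data Name="Reason">An internal error occurred. Check the system event log for additional information.</Data>
  </EventData>
</Event>
'@

function ConvertFrom-NpsEventXml {
    # Flattens one event's XML into an object: a few System fields plus every
    # <Data Name="..."> element from EventData, keyed by its Name attribute.
    param([Parameter(Mandatory)][string]$Xml)
    [xml]$doc = $Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $fields = [ordered]@{
        EventID     = $doc.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
        TimeCreated = $doc.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Computer    = $doc.SelectSingleNode('/e:Event/e:System/e:Computer', $ns).InnerText
    }
    foreach ($d in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$fields
}

function Get-NpsDiscardSummary {
    # Keeps discarded requests that match the pattern in the question (reason
    # code 1, no EAP type recorded) and groups them by client MAC, so a device
    # model that keeps failing shows up as one row with a high count.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events |
        Where-Object { $_.EventID -eq '6274' -and $_.ReasonCode -eq '1' -and $_.EAPType -eq '-' } |
        Group-Object -Property CallingStationID |
        ForEach-Object {
            [pscustomobject]@{
                CallingStationID = $_.Name
                Discards         = $_.Count
                Users            = ($_.Group.FullyQualifiedSubjectUserName | Sort-Object -Unique) -join ', '
                NAS              = ($_.Group.NASIdentifier | Sort-Object -Unique) -join ', '
            }
        }
}

# Offline run on the constructed sample:
Get-NpsDiscardSummary -Events @(ConvertFrom-NpsEventXml $sampleEventXml) | Format-Table -AutoSize

# Live run on the NPS server (last 24 hours of the Security log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6274; StartTime = (Get-Date).AddDays(-1) } |
#         ForEach-Object { ConvertFrom-NpsEventXml $_.ToXml() }
# Get-NpsDiscardSummary -Events $live | Format-Table -AutoSize
```

The grouping is by Calling Station Identifier rather than by user because the question's symptom is tied to a device type, not an account: the same users authenticate fine from laptops, so a per-MAC view separates the two cases where a per-user view would blur them.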

All replies

  • Hi Michal,

    Thanks for posting here.

    Try authenticating by using the UPN format. In your case, please try “ppokorny@clance.local”.

    User Name Formats

    http://msdn.microsoft.com/en-us/library/aa380525(VS.85).aspx

    Meanwhile, please recheck the phone certificate and the other wireless settings with following the steps in the link below:

    http://discussions.europe.nokia.com/t5/Connectivity/Nokia-E51-with-802-1x-EAP-PEAP-amp-EAP-MSCHAPv2-problem/td-p/233086

    Could you also verify the detailed information of the authentication process by checking the log files below from the NPS server and post back here?

    • NPS accounting log files

      By default, NPS accounting logs are located in %windir%\system32\logfiles. For information about the format of NPS accounting log files, see Interpret NPS Database Format Log Files (http://go.microsoft.com/fwlink/?LinkId=136631).
    • NPS trace logging files

      You can capture detailed information in log files on servers running NPS by enabling remote access tracing. The Remote Access service does not need to be installed or running to use remote access tracing. When you enable tracing on a server running NPS, several log files are created in %windir%\tracing. 

      The following log files contain helpful information about NAP:


      • IASNAP.LOG: Contains detailed information about NAP processes, NPS authentication, and NPS authorization.

      • IASSAM.LOG: Contains detailed information about user authentication and authorization.

    Membership in the local Administrators group, or equivalent, is the minimum required to enable tracing. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

    To create tracing log files on a server running NPS

    1. Open a command line as an administrator.
    2. Type netsh ras set tr * en.
    3. Reproduce the scenario that you are troubleshooting.
    4. Type netsh ras set tr * dis.
    5. Close the command prompt window.

    For more information regarding the error event you posted, please refer to the link below:

    Event ID 6274 — NPS Accounting Request Message Processing

    http://technet.microsoft.com/en-us/library/cc735339(WS.10).aspx

    Thanks.


    Tiger Li

    TechNet Subscriber Support in forum

    Thursday, June 16, 2011 6:30 AM
  • Hi,

    thanks a lot for your answer. The logs did not provide any explanation, so we have asked Microsoft to create an incident. They have refused, but after (about) 4 attempts to make them create an incident they have provided an explanation:

    PROBLEM:

    We are unable to get Nokia devices to authenticate against our NPS server (2008).

    CAUSE:

    NPS server sends an optional Cryptobinding TLV (non-mandatory AVP Type 12 ) in the final frame of the authentication sequence which the Nokia device is unable to handle and responds with an encrypted alert which results in the NPS server discarding the packet.

    RESOLUTION:

    No resolution from Microsoft side, as the issue is with the Nokia devices and we do not face the issue with Windows clients.

    I hope that it will help other guys that will have the same issue.


    ------- Michal Stoppl MCP, MCSA, MCTS, MCITP, MCT
    Friday, June 17, 2011 11:02 AM
  • News from Nokia: This problem has been recently resolved with firmware version 071.004 (in case of Nokia E52)


    ------- Michal Stoppl MCP, MCSA, MCTS, MCITP, MCT
    • Marked as answer by MStoppl Wednesday, July 20, 2011 12:40 PM
    • Unmarked as answer by MStoppl Monday, August 15, 2011 11:24 AM
    Wednesday, July 20, 2011 12:40 PM
  • Hello,

    I also spent a lot of time just to see that it's not working. Nice to know that this is a Nokia software problem. Just today, 10.08.2011, I updated the firmware of my Nokia E5 to the latest available version, but this hasn't improved anything.

    Cheers

    Robert

    Wednesday, August 10, 2011 2:01 PM
  • Hi,

    What firmware do you have?
    Correction: the new firmware did not solve the issue. The problem has been re-escalated to Nokia.
    Michal Stoppl



    Wednesday, August 10, 2011 3:13 PM
  • This worked for me:

    http://www.nokia.com/ie-en/support/faq/?action=singleFAQ&caseid=FA136101_en_US

    What to do if WLAN EAP authentication to Windows NPS server fails? - Nokia FAQ

    If WLAN (WiFi) connection fails when trying to authenticate in EAP-PEAP MSCHAPv2 mode and the user credentials are authenticated by Microsoft NPS server (Network Policy Server), disable EAP capabilities negotiation in the Windows server side. This can be done by adding the registry entry below and restarting the NPS server:

    1. From Start menu select Run
    2. Type regedit and press OK
    3. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\25
    4. Right click 25 and select New > DWORD
    5. Name it BypassNegotiation and give it value 1 ( Base is Hexadecimal)
    6. Restart NPS server
    Tuesday, January 10, 2012 6:41 PM
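Added example (not from the Nokia FAQ, the thread, or Microsoft): the same registry change done from an elevated PowerShell session instead of regedit, with the existing value recorded first so it can be reverted. The key path, value name and DWORD data are exactly those in the FAQ steps; the function names and the -Revert switch are this script's own. The FAQ describes the setting as disabling EAP capabilities negotiation on the server side, so it affects every client that authenticates through that NPS, not only the Nokia phones, which is why the before/after state is returned for the change record.

```powershell
# Added example, not from the Nokia FAQ or the thread. Run in an elevated
# PowerShell session on the NPS server. Path, value name and data are those
# the FAQ gives; the functions and the -Revert switch are this script's own.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\25'
$Name = 'BypassNegotiation'

function Get-BypassNegotiation {
    # Current value of the DWORD, or $null when the value is not set.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-BypassNegotiation {
    # Creates BypassNegotiation = 1 (steps 4 and 5 of the FAQ) or, with -Revert,
    # removes the value again. Returns the before/after state for the change record.
    param([switch]$Revert)
    if (-not (Test-Path -Path $Path)) {
        throw "Registry key $Path not found; the EAP-PEAP (type 25) key is expected on an NPS server."
    }
    $before = Get-BypassNegotiation
    if ($Revert) {
        if ($null -ne $before) { Remove-ItemProperty -Path $Path -Name $Name }
    } else {
        # -Force overwrites an existing value instead of failing on it.
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    [pscustomobject]@{
        Key    = $Path
        Value  = $Name
        Before = $before
        After  = Get-BypassNegotiation
    }
}

# Apply, then do step 6 of the FAQ (the restart) as a separate, deliberate step:
# Set-BypassNegotiation
# Restart-Service -Name IAS    # the NPS service; reboot the host if the FAQ's "restart NPS server" means the machine
# Undo:
# Set-BypassNegotiation -Revert
```

Keeping the restart outside the function is deliberate: restarting NPS drops every client that is mid-authentication, so it belongs in a maintenance window rather than as a side effect of a registry write.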