WLC + NPS + EAP-TLS + Machine certificate = Deauth after EAPOL key exchange sequence

  • Question

  • ----Update----

    My Checkpoint FW apparently drops the packets and ignores the policy, without a reference to any access rules. So, I guess I know why I have issues... I still do not know why the Checkpoint drops them, however...

    ---Update----

    Hi!

    Since my account is not verified yet I can't share pictures or links (sorry...), but please ask if there is anything that is unclear.

    I'm a bit lost here trying to set up EAP-TLS. I want my clients to automatically sign on to my corporate network using a computer certificate (or user certificate, it does not really matter – but I've tried both without any luck). I have the following "players" in my environment:

    WLC - Cisco 2500 Wireless Controller

    Radius NPS Windows 2012

    Windows 10 clients

    Local CA (Windows 2016)

    I have followed a few different guides, without any luck and I've decided to reach out instead of trying more :)

    So NPS configuration:

    Connection Request Policies.

    Conditions: NAS Port Type - Wireless - Other OR Wireless - IEEE 802.11

    Settings: Authentication Provider - Local Computer

    Network Policies.

    NAS Port Type - Wireless - IEEE 802.11 OR Wireless – Other

    Settings:

    • Extensible Authentication Protocol Configuration - Configured
    • Ignore User Dial-In Properties - True
    • Access Permission - Grant Access
    • Extensible Authentication Protocol Method - Microsoft: Smart Card or other Certificate
    • Authentication Method - EAP
    • NAP Enforcement - Allow full network access
    • Update Noncompliant Clients - True
    • Framed-Protocol - PPP
    • Service-Type - Framed

    Radius Clients

    Cisco WLAN Controller

    IP: 10.x.x.x

    Device Manufacturer: RADIUS Standard

    ...

    ______________

    Cisco WLC settings:

    RADIUS Authentication Servers:

    Server Address (IP address of my NPS server): 172.x.x.x 

    WLAN settings:

    General:

    • SSID: FT-EAP-TLS
    • Interface: [reuse of the one currently used for laptops which connect via DA]

    Security: 

    Layer 2

    • Layer 2 security: WPA+WPA2
    • WPA2 Policy [x]
    • WPA2 Encryption - AES [x]
    • Authentication Key management - 802.1X [x]

    AAA Servers: 

    Authentication Servers: NPS server.

    ______________

    CA template settings: 

    RADIUS NPS Certificate: Duplicate Workstation certificate & allow PKE

    Client certificate: Duplicate Computer certificate & allow PKE

    ______________

    GPO for end user:

    Please note that I've published a GPO to configure the WLAN settings. 

    _______________

    End user experience when trying to access the WLAN:

    It keeps spinning until it times out. In the Event Viewer on the client I can see:

    "Event 6105,netwtw06"

    "6105 - deauth after EAPOL key exchange sequence"

    _____________________

    Is there any settings I need to configure on the APs?

    Or do I need to upload the root & intermediate certificate to the WLC?

    _______________

    Additional information:

    When I generate a wlanreport ("netsh wlan show wlanreport" from cmd) I can see:

    1. Wireless security started
    2. Wireless 802.1x authentication started
    3. Wireless 802.1x authentication was restarted
    4. User Uses Saved Credentials
    5. Wireless 802.1x authentication was restarted
    6. User Uses Saved Credentials

    And it loops. 

    ____________

    From the WLCs message logs:

    *spamApTask7: Sep 02 12:53:20.868: %LWAPP-3-REPLAY_ERR: spam_lrad.c:41295 The system has received replay error on slot 0, WLAN ID 4, count 1 from AP 70:69:5a:xx:xx:xx
    *Dot1x_NW_MsgTask_2: Sep 02 12:53:16.525: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:849 Unable to send AAA message for client a4:34:d9xx:xx:xx
    *Dot1x_NW_MsgTask_2: Sep 02 12:53:16.505: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:450 Authentication Aborted for client a4:34:d9:xx:xx:xx Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
    *spamApTask0: Sep 02 12:53:09.810: %LWAPP-3-REPLAY_ERR: spam_lrad.c:41295 The system has received replay error on slot 0, WLAN ID 4, count 4 from AP 40:01:7a:xx:xx:xx
    *Dot1x_NW_MsgTask_2: Sep 02 12:52:58.499: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:849 Unable to send AAA message for client a4:34:d9:xx:xx:xx

    ___________________

    Please help :) This has been my headache for quite some time now!

    With best regards,

    TB




    • Edited by MrGiraff Monday, September 2, 2019 1:48 PM Updated information
    Monday, September 2, 2019 8:54 AM
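The WLC message log quoted in the question is the most informative artifact in the post: `%DOT1X-3-AAA_AUTH_SEND_FAIL` says the controller could not hand the RADIUS request to the AAA server at all, which points at the WLC-to-NPS path (the firewall the poster later found) rather than at EAP or certificate settings. The following parser and triage routine is an added example written for this page, not code from the poster, Cisco or Microsoft. It assumes the `*task: Mon DD hh:mm:ss.mmm: %FACILITY-SEV-MNEMONIC: message` layout shown above; the sample lines are constructed from the masked entries in the post (the `xx` MAC octets are the poster's masking, not real addresses).

```python
import re
from collections import Counter

# Constructed sample, modelled on the WLC message log quoted in the question.
SAMPLE_LOG = """\
*spamApTask7: Sep 02 12:53:20.868: %LWAPP-3-REPLAY_ERR: spam_lrad.c:41295 The system has received replay error on slot 0, WLAN ID 4, count 1 from AP 70:69:5a:xx:xx:xx
*Dot1x_NW_MsgTask_2: Sep 02 12:53:16.525: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:849 Unable to send AAA message for client a4:34:d9:xx:xx:xx
*Dot1x_NW_MsgTask_2: Sep 02 12:53:16.505: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:450 Authentication Aborted for client a4:34:d9:xx:xx:xx Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*spamApTask0: Sep 02 12:53:09.810: %LWAPP-3-REPLAY_ERR: spam_lrad.c:41295 The system has received replay error on slot 0, WLAN ID 4, count 4 from AP 40:01:7a:xx:xx:xx
*Dot1x_NW_MsgTask_2: Sep 02 12:52:58.499: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:849 Unable to send AAA message for client a4:34:d9:xx:xx:xx
"""

# One WLC message line: task, timestamp, %FACILITY-SEVERITY-MNEMONIC, free text.
LINE_RE = re.compile(
    r"^\*(?P<task>\S+?):\s+"
    r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<msg>.*)$"
)
# Accepts masked octets ("xx") as well as hex so the poster's redacted lines parse.
MAC_RE = re.compile(r"(?:[0-9a-fx]{2}:){5}[0-9a-fx]{2}", re.IGNORECASE)


def parse_wlc_log(text):
    """Return one dict per recognised WLC message line; other lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["severity"] = int(ev["severity"])
        mac = MAC_RE.search(ev["msg"])
        # DOT1X messages name the client; LWAPP messages name the AP.
        ev["mac"] = mac.group(0).lower() if mac else None
        events.append(ev)
    return events


def triage(events):
    """Summarise an 802.1X failure window and derive defender-facing findings."""
    by_mnemonic = Counter(ev["mnemonic"] for ev in events)
    aaa_fail_by_client = Counter(
        ev["mac"] for ev in events
        if ev["facility"] == "DOT1X" and ev["mnemonic"] == "AAA_AUTH_SEND_FAIL"
    )
    restarts = sum(
        1 for ev in events
        if ev["mnemonic"] == "ABORT_AUTH" and "EAPOL-START" in ev["msg"]
    )
    findings = []
    if aaa_fail_by_client:
        findings.append(
            "WLC could not deliver RADIUS requests to the AAA server: verify the "
            "WLC-to-NPS path (firewall rules, UDP/1812 reachability, shared secret) "
            "before changing EAP or certificate settings."
        )
    if restarts:
        findings.append(
            "Supplicant restarted 802.1X via EAPOL-Start while a previous attempt was "
            "still pending; consistent with the client-side retry loop in the wlanreport."
        )
    return {
        "by_mnemonic": dict(by_mnemonic),
        "aaa_fail_by_client": dict(aaa_fail_by_client),
        "eapol_start_restarts": restarts,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(parse_wlc_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it over the five quoted lines reports two `AAA_AUTH_SEND_FAIL` events for the same client MAC, which is the cue to check the RADIUS path first; the ordering in the post (newest entry first) is preserved as-is, since the triage only counts.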

Answers

  • You may find more information in these logs.

    Client side: Event Viewer->Applications and Services Logs->Microsoft->Windows->WLAN-AutoConfig.

    Server side: Event Viewer->Custom Views->ServerRoles->Network Policy and Access Services.

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 4, 2019 9:59 AM

All replies

  • Thought I'd update this thread.

    After looking into the Event Viewer, as per the recommendation by HK.LEON, I noticed the Network Policy 'Connections to other access servers' was the target - not my intended policy. The issue was resolved when I removed the 'EAP authentication' method requirement from the 'Network Policies' 'Condition' tab. From Event Viewer I can see that it still communicates via EAP and certificate, but it just worked when I removed this additional setting. The Constraints still require EAP Type for Smart card or certificate, so maybe there was one EAP requirement too much?


    Monday, October 28, 2019 1:35 PM
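The resolution above is a first-match problem: NPS walks its network policies in processing order and uses the first one whose conditions all match, so one condition that does not match the incoming request silently drops the request through to the default 'Connections to other access servers' policy, which denies access. The model below is an added example for this thread, not NPS code or a Microsoft API. The attribute names, the policy names other than the default one named in the post, and the request's `authentication_type` value are constructed so that the extra condition fails to match, reproducing the symptom; the thread does not establish why NPS classified the real request that way, and this example does not claim to.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Toy model of NPS network-policy selection (constructed for illustration):
# policies are tried in processing order, the first whose conditions ALL match
# decides grant/deny, and a request matching nothing is rejected.


@dataclass(frozen=True)
class Policy:
    name: str
    conditions: Dict[str, FrozenSet[str]]  # attribute -> acceptable values
    grant: bool


def evaluate(policies: List[Policy], request: Dict[str, str]) -> Optional[Policy]:
    """Return the first policy whose conditions all match, or None (reject)."""
    for policy in policies:
        if all(request.get(attr) in allowed for attr, allowed in policy.conditions.items()):
            return policy
    return None


def explain(policies: List[Policy], request: Dict[str, str]) -> Dict[str, List[str]]:
    """For every policy, list the conditions the request failed (empty = would match)."""
    return {
        policy.name: sorted(
            attr for attr, allowed in policy.conditions.items()
            if request.get(attr) not in allowed
        )
        for policy in policies
    }


WIRELESS = frozenset({"Wireless - IEEE 802.11", "Wireless - Other"})

# The poster's policy as originally configured: NAS Port Type plus an extra
# authentication-type condition (value "EAP" is constructed for the model).
INTENDED_WITH_EXTRA_CONDITION = Policy(
    name="FT-EAP-TLS (with Authentication Type condition)",
    conditions={"nas_port_type": WIRELESS, "authentication_type": frozenset({"EAP"})},
    grant=True,
)
# The same policy after the fix described in the thread: condition removed,
# EAP-TLS still enforced via constraints (not modelled here).
INTENDED_FIXED = Policy(
    name="FT-EAP-TLS",
    conditions={"nas_port_type": WIRELESS},
    grant=True,
)
# NPS's default deny policy, modelled with no restrictive conditions so that it
# catches anything the earlier policies let fall through.
CATCH_ALL = Policy(name="Connections to other access servers", conditions={}, grant=False)

# Constructed request: the authentication_type value is deliberately one the
# extra condition does not accept, to reproduce the fall-through symptom.
REQUEST = {"nas_port_type": "Wireless - IEEE 802.11", "authentication_type": "Unspecified"}


def outcome(policies: List[Policy], request: Dict[str, str]) -> str:
    chosen = evaluate(policies, request)
    if chosen is None:
        return "REJECT (no matching policy)"
    return f"{'GRANT' if chosen.grant else 'DENY'} via '{chosen.name}'"


if __name__ == "__main__":
    before = [INTENDED_WITH_EXTRA_CONDITION, CATCH_ALL]
    after = [INTENDED_FIXED, CATCH_ALL]
    print("before fix:", outcome(before, REQUEST))
    print("  failed conditions:", explain(before, REQUEST))
    print("after fix: ", outcome(after, REQUEST))
```

The useful part when debugging a real NPS deployment is the `explain` step: when the Security log shows the default policy as the one that handled the request, the question to ask is which condition on the intended policy the request failed, not why the default policy matched.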