topic Re: Configure Wired 802.1X with NPS in Network Access Control

Configure Wired 802.1X with NPS

MrBeginner — Fri, 21 Feb 2020 19:03:34 GMT

Hi,

I would like to request to help for 802.1 wired authentication with NPS.I already tested using PEAP and username,password authentication for 802.1x with NPS. It is working.

I would like to use 802.1x authentication in our network but i don't want to join all my PCs to domain.

Now i would like to know can i use the 802.1x authentication for normal PC ?

If i don't want to type user name and password which method should i need to use ?

Even i am using certificate authenticate, still i need to type username and password ?

My network have a lot of devices( printers and ip phones).

if i add mac in domain to use MAB,it is very complicate

How to use MAB for those devices ?

Can i add this devices MAC in NPS server ?

Re: Configure Wired 802.1X with NPS

Rob Ingram — Tue, 12 Mar 2019 09:32:47 GMT

Hi,

You can use certificates to authenticate, this will not prompt you to enter a username or password. The login will be transparent.

It appears MAB authentication is possibly on NPS, here is an example to help you. Ultimately you would need to add a user account within AD, the username and password would be the MAC address of the device. You will have to do this manually for each MAC address.

Alternatively depending on the make/model of your printers and phones you could probably use certificates or PEAP (username and password) instead of MAB.

HTH

Re: Configure Wired 802.1X with NPS

MrBeginner — Tue, 12 Mar 2019 10:07:24 GMT

Hi,

can I use certificates to authenticate with NPS ?

When i tried with NPS ,it always show username and password box but whatever username and password i type it is not success.I install root cert and i also using CSR for our PC.i use two certificate.Let me know do i need to export cert fom NPS and install this cert to clients ?

Which certificate template should i use for this ? Should i use default user certificate template or customize (user ,workstation) ?

802.1x using EAP and MAB using PAP. So if i want use NPS for both ( 802.1x and MAB) , i need to add two network policy in NPS (one for 802.1x and one for MAB) ?

Re: Configure Wired 802.1X with NPS

Rob Ingram — Tue, 12 Mar 2019 10:19:05 GMT

Hi,
If the client computer is prompting you for a username and password then the native supplicant is probably mis-configured. On the client computer in the Ethernet adapter properties, ensure the network authentication method is "Microsoft: Smart card or certificate" - I assume currently it is PEAP?

The client computers that are not domain joined will need the Root Certificate installed in the Trusted Root Store + the client identity certificate, either User or Computer or both depending on how you've configured the native supplicant.

Do you plan on authenticating the User or Computer? Either way you could use the default Microsoft Templates "User" and "Computer" - if you wish you could duplicate those templates and create your own using those default settings.

Yes, you would need another network policy for MAB.

HTH

Re: Configure Wired 802.1X with NPS

MrBeginner — Tue, 12 Mar 2019 11:19:06 GMT

Hi,

On the client computer in the Ethernet adapter properties,i tried both . i install root cert in trust,and user cert and computer cert also installed.

If i use Microsoft: Smart card or certificate , authentication show failed . if i use PEAP show username and address box.

I also tested MAB with computer by uncheck 802.1x box. but i got below error.

021840: *Mar 6 16:58:54: %DOT1X-5-FAIL: Authentication failed for client (d0bf.9cf9.5982) on Interface Fa0/20 AuditSessionID 0A648064000000421BA96976
021841: 5d08h: dot1x-packet:[d0bf.9cf9.5982, Fa0/20] Dot1x did not receive any key data
021842: 5d08h: dot1x-ev:[d0bf.9cf9.5982, Fa0/20] Processing client delete for hdl 0x540000EE sent by Auth Mgr
021843: 5d08h: dot1x-ev:[d0bf.9cf9.5982, Fa0/20] d0bf.9cf9.5982: sending canned failure due to method termination
021844: 5d08h: dot1x-ev:[Fa0/20] Sending EAPOL packet to group PAE address
021845: 5d08h: dot1x-registry:registry:dot1x_ether_macaddr called
021846: 5d08h: dot1x-ev:[Fa0/20] Sending out EAPOL packet
021847: 5d08h: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
021848: 5d08h: dot1x-packet: length: 0x0004
021849: 5d08h: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
021850: 5d08h: dot1x-packet:[d0bf.9cf9.5982, Fa0/20] EAPOL canned status packet sent to client 0x540000EE
021851: 5d08h: dot1x-ev:[d0bf.9cf9.5982, Fa0/20] Deleting client 0x540000EE (d0bf.9cf9.5982)
021852: 5d08h: dot1x-ev:[d0bf.9cf9.5982, Fa0/20] Delete auth client (0x540000EE) message
021853: 5d08h: dot1x-ev:Auth client ctx destroyed

Re: Configure Wired 802.1X with NPS

Rob Ingram — Tue, 12 Mar 2019 11:27:46 GMT

What policies do you have configured on the NPS server?
What were the errors on the NPS server? Check the Windows Event logs for NPS and provide the output of the error
Do you have MAB configured under the interface aswell as dot1x?

Re: Configure Wired 802.1X with NPS

MrBeginner — Wed, 13 Mar 2019 01:43:24 GMT

Hi,

I configure Two policy 802.1x wired policy and MAB policy in NPS.

Please see below attachment for NPS log.

interface FastEthernet0/19
description Management Network
switchport access vlan 203
switchport mode access
authentication host-mode multi-host
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
!
interface FastEthernet0/20
description Management Network
switchport access vlan 203
switchport mode access
authentication order mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast

Re: Configure Wired 802.1X with NPS

Rob Ingram — Wed, 13 Mar 2019 21:39:19 GMT

Sorry but there isn't really anything useful in those attachments to determine where the issue is. What conditions do you have configured under each policy?

Re: Configure Wired 802.1X with NPS

MrBeginner — Mon, 18 Mar 2019 11:41:39 GMT

Hi,

I am using below setting in NPS.If my client is join to domain,802.1x is working whatever i am using PEAP or EAP-TLS.Afer that i test as you advice with CSR and root Cert install to workgroup computer and tested.Ant then i export user certificate from domain computer and import to work group computer and tested.

If work group computer is using smart card authentication setting and connect to 802.1x running port,authentication is fail.If working group computer is using PEAP setting, I saw below username and password box .but i don't know which user name and password should be use.I already typed domain user acc and pass but it is fail.Please help me to fix ?

I didn't put MAB setting in NPS. I would like to know can we put MAB setting in NPS ?

Let me share your experience how to configure MAB configuration in NPS or sample link to follow.

Re: Configure Wired 802.1X with NPS

Rob Ingram — Mon, 18 Mar 2019 15:29:52 GMT

Hi,

Your EAP-TLS Network Policy configuration looks incorrect, it should not have the Windows Groups as a condition. Check out this link for an example NPS EAP-TLS configuration

HTH

Re: Configure Wired 802.1X with NPS

MrBeginner — Sat, 23 Mar 2019 04:11:00 GMT

Hi,
I tried it but still get error. i confuse when i read cisco 802.1x deployment documentations i saw below EAP-TLS process diagram.Let me know this mean : Even though we use EAP-TL with certificate we still need to type user name and passwords ?

Re: Configure Wired 802.1X with NPS

Rob Ingram — Mon, 25 Mar 2019 20:55:37 GMT

I found the document you are referring to, it does imply that there is a password involved in the screenshot. However EAP-TLS is mutual authentication of the server and client certificates - no actual username/password combo involved. PEAP/MSCHAPv2 requires a server certificate + username/password.

If you are being prompted for authentication, then I would imagine your configuration is still not correct. I re-read a previous comment "i export user certificate from domain computer and import to work group computer and tested." - you shouldn't need to do this, you would create the CSR on the workgroup computer and take the CSR to the CA and sign the certificate. You would then import the signed certificate and import to the local computer store (user or computer). You would also need to import the Root CA certificate into the trusted root certificate store.

HTH

Re: Configure Wired 802.1X with NPS

MrBeginner — Tue, 26 Mar 2019 09:10:51 GMT

Hi,

If you are being prompted for authentication, then I would imagine your configuration is still not correct.

=> Yes correct.I am using PEAP authentication. If i use EAP-TLS didn't prompted for authentication but authentication is also fail. I also concern my CSR request.

Because if i use "Build from this Active Directory information " under subject tab of Template ,this template can enroll from AD but cannot request with web.If i choose "supply in the request" under subject tab of Template,this templeate can see from web request (http://localhost\certsrv) . I duplicate RAS and IAS server Template.

Second => I also worry my csr request file configuration may be wrong. I use custom request with subject name is computer name,DNS name is my Domain (crypto.local),key usage is Digital sign,etc.

Let me know we should use same Tamplate for NPS certificate and client certificate ?

let me know should we use web enrollment for both NPS and clients ?

Let me know the key point of Certficate Template for 802.1x and which template should I use ?

Can i request to help if you any CSR request sample or key point or sample reference guide,please?

Re: Configure Wired 802.1X with NPS

Rob Ingram — Tue, 26 Mar 2019 10:42:18 GMT

I wouldn't worry about creating a new template, you should be able to use the "User" template that already exists. Is it the CSR generation on the client computer you are having an issue with?

From memory:-
- In the MMC add the Current User, then go to Personal > Certificates, then Advanced Operations > Create Custom Request. Create the CSR.
- Copy the contents of the CSR file
- Go to the WebGUI http://server/certsrv
- Click Request a certificate, then advanced certificate request
- Copy and paste the contents of the CSR
- Select template as "User"
- Submit and save file
- On the MMC select import and import the signed file
- Double click the newly imported certificate and confirm "You have a private key that corresponds to this certificate" - bottom of the General tab
- Confirm the certificate path, to make sure the computer has the root certificate.

HTH

Re: Configure Wired 802.1X with NPS

MrBeginner — Wed, 27 Mar 2019 12:18:42 GMT

Hi,

Now i can authentication work-group computers with user but i can use default user template only.If i duplicate Template of users and used this template,i got error.

Now i can authenticate with user CSR with default user template.

If i use local computer CSR ,I still got error .But i don't know why i can use computer certificate to authenticate.But no problem i will find solution late.

Now i testing MAB in NPS.if i use below setting i can authentication is success .But if i use authenticate requests on this server,authentication is fail.i added MAC in AD as users.

Let me know can i use below setting ?

Re: Configure Wired 802.1X with NPS

Rob Ingram — Wed, 27 Mar 2019 13:12:39 GMT

What error do you get when you use a custom template?
Why exactly do you need to use a custom template?
What error (in the NPS server logs) do you get when the computer authentication fails?

I wouldn't use that command, the NPS server is not authenticating the users then, that's not what you want.

What errors (in the NPS server logs) do you get when attempting to authenticate MAB devices? What did you define as the password for these accounts?

Re: Configure Wired 802.1X with NPS

MrBeginner — Thu, 28 Mar 2019 01:26:42 GMT

Hi ,

I followed this links . I defined mac address as username and password in AD.and i also to stored Mac address in NPS.

Re: Configure Wired 802.1X with NPS

Kombi — Sun, 06 Oct 2019 20:21:11 GMT

If you want to authenticate a PC to allow users to connect via wireless and not be prompted for a password after they have logged into the PC, you should use TLS (Smartcard). However, you will need a PKI (Cert Server) issuing certs to all your PC"s. At that stage, you might as well do users too. This can be done with the MS Cert server and AD. But all nodes will have to be hardwired once to pull the cert when they log in. After they get the cert, you will be good to go.

One of the most significant issues I have seen with any authentication type is making sure you picked the correct cert under setting highlight your EAP type and click edit. You will get a popup box. Make sure you have the correct root cert being used on your NPS policy. The next one is to change the user and computer Dial-in profile in AD from NPS control to allow access. I have run into issues when they are set to allow NPS to control policy. If you use PEAP, you do not need a PKI, but you will need a cert on NPS that is trusted by all your clients. A third party cert, such as Godaddy, would work because, in most cases, the node will already have GoDaddy as a trusted cert provider. You will have to make sure that under settings Authentication Methods, you edit your EAP type to match your desired cert. Remember, you also have to make sure you add your AP (Meraki) or Wireless controllers to the NPS server.

I hope this helps.