Configure Wired 802.1X with NPS

MrBeginner

Hi,

I would like to request help with 802.1X wired authentication with NPS. I already tested PEAP with username/password authentication for 802.1X with NPS. It is working.

I would like to use 802.1X authentication in our network, but I don't want to join all my PCs to the domain.

Now I would like to know: can I use 802.1X authentication for a normal PC?

If I don't want to type a username and password, which method should I use?

Even if I am using certificate authentication, do I still need to type a username and password?

My network has a lot of devices (printers and IP phones).

If I add the MACs to the domain to use MAB, it is very complicated.

How do I use MAB for those devices?

Can I add these devices' MACs to the NPS server?

17 Replies

Hi,

You can use certificates to authenticate; this will not prompt you to enter a username or password. The login will be transparent.

It appears MAB authentication is possible on NPS; here is an example to help you. Ultimately you would need to add a user account within AD, where the username and password would be the MAC address of the device. You will have to do this manually for each MAC address.

Alternatively, depending on the make/model of your printers and phones, you could probably use certificates or PEAP (username and password) instead of MAB.

HTH
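The MAB approach described in this reply, scripted as an added PowerShell example (not code from the thread, Cisco or Microsoft). It creates one AD account per device MAC in the form Cisco IOS sends by default for MAB (12 lowercase hex digits, no separators, used as both User-Name and User-Password over PAP), which is what NPS then checks against AD. Everything named here is an assumption not in the original post: the domain crypto.local, an OU "MAB Devices", a group "MAB-Devices" that the MAB network policy uses as its Windows Groups condition, and a constructed two-device inventory.

```powershell
# Added example, not from the thread. Bulk-create MAB accounts in AD for NPS.
# Assumed names: domain crypto.local, OU "MAB Devices", group "MAB-Devices".
Import-Module ActiveDirectory

$Domain   = 'crypto.local'
$MabOu    = 'OU=MAB Devices,DC=crypto,DC=local'
$MabGroup = 'MAB-Devices'

# Constructed inventory; a real deployment would read this from a CSV or the phone/printer management system.
$Devices = @(
    @{ Mac = 'D0:BF:9C:F9:59:82'; Description = 'IP phone, floor 2' },
    @{ Mac = '00-11-22-33-44-55'; Description = 'Printer, reception' }
)

function ConvertTo-MabUserName {
    param([Parameter(Mandatory)][string]$Mac)
    # Cisco IOS default MAB format: strip separators, lowercase, exactly 12 hex digits.
    $clean = ($Mac -replace '[:.\- ]', '').ToLowerInvariant()
    if ($clean -notmatch '^[0-9a-f]{12}$') {
        throw "Not a MAC address: $Mac"
    }
    return $clean
}

foreach ($dev in $Devices) {
    $name = ConvertTo-MabUserName -Mac $dev.Mac
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") {
        Write-Host "Skipping $name (already exists)"
        continue
    }
    # The password equals the username, so these accounts must live only in the MAB OU/group
    # and never receive interactive logon rights or membership in any other policy's group.
    $pwd = ConvertTo-SecureString $name -AsPlainText -Force
    New-ADUser -Name $name `
        -SamAccountName $name `
        -UserPrincipalName "$name@$Domain" `
        -Path $MabOu `
        -AccountPassword $pwd `
        -AllowReversiblePasswordEncryption $true `
        -PasswordNeverExpires $true `
        -CannotChangePassword $true `
        -Description "MAB: $($dev.Description)" `
        -Enabled $true
    # PAP hands NPS the cleartext password to compare, which requires the account to store it
    # with reversible encryption. The flag only applies to passwords set after it is on,
    # so reset the password once more to be safe.
    Set-ADAccountPassword -Identity $name -Reset -NewPassword $pwd
    Add-ADGroupMember -Identity $MabGroup -Members $name
    Write-Host "Created MAB account $name"
}
```

On the NPS side the matching network policy should allow only "Unencrypted authentication (PAP, SPAP)", require membership in the MAB group, and match NAS-Port-Type Ethernet (Cisco IOS also sends Service-Type Call Check for MAB, which makes a good extra condition). That keeps a policy whose "password" is a public MAC address from ever matching a request from a real user.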

Hi,

Can I use certificates to authenticate with NPS?

When I tried with NPS, it always shows a username and password box, but whatever username and password I type, it is not successful. I installed the root cert and I am also using a CSR for our PC. I use two certificates. Let me know: do I need to export the cert from NPS and install this cert on the clients?

Which certificate template should I use for this? Should I use the default User certificate template or a customized one (User, Workstation)?

802.1X uses EAP and MAB uses PAP. So if I want to use NPS for both (802.1X and MAB), do I need to add two network policies in NPS (one for 802.1X and one for MAB)?

Hi,
If the client computer is prompting you for a username and password, then the native supplicant is probably misconfigured. On the client computer, in the Ethernet adapter properties, ensure the network authentication method is "Microsoft: Smart card or certificate". I assume currently it is PEAP?

The client computers that are not domain joined will need the Root Certificate installed in the Trusted Root store, plus the client identity certificate, either User or Computer or both, depending on how you've configured the native supplicant.

Do you plan on authenticating the User or the Computer? Either way, you could use the default Microsoft templates "User" and "Computer"; if you wish, you could duplicate those templates and create your own using those default settings.

Yes, you would need another network policy for MAB.

HTH

Hi,

On the client computer in the Ethernet adapter properties, I tried both. I installed the root cert in the trusted store, and the user cert and computer cert are also installed.

If I use Microsoft: Smart card or certificate, authentication shows failed. If I use PEAP, it shows the username and password box.

[Attachments: additional.PNG, PEAP.PNG, Smart Card.PNG]

I also tested MAB with the computer by unchecking the 802.1X box, but I got the error below.

021840: *Mar 6 16:58:54: %DOT1X-5-FAIL: Authentication failed for client (d0bf.9cf9.5982) on Interface Fa0/20 AuditSessionID 0A648064000000421BA96976
021841: 5d08h: dot1x-packet:[d0bf.9cf9.5982, Fa0/20] Dot1x did not receive any key data
021842: 5d08h: dot1x-ev:[d0bf.9cf9.5982, Fa0/20] Processing client delete for hdl 0x540000EE sent by Auth Mgr
021843: 5d08h: dot1x-ev:[d0bf.9cf9.5982, Fa0/20] d0bf.9cf9.5982: sending canned failure due to method termination
021844: 5d08h: dot1x-ev:[Fa0/20] Sending EAPOL packet to group PAE address
021845: 5d08h: dot1x-registry:registry:dot1x_ether_macaddr called
021846: 5d08h: dot1x-ev:[Fa0/20] Sending out EAPOL packet
021847: 5d08h: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
021848: 5d08h: dot1x-packet: length: 0x0004
021849: 5d08h: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
021850: 5d08h: dot1x-packet:[d0bf.9cf9.5982, Fa0/20] EAPOL canned status packet sent to client 0x540000EE
021851: 5d08h: dot1x-ev:[d0bf.9cf9.5982, Fa0/20] Deleting client 0x540000EE (d0bf.9cf9.5982)
021852: 5d08h: dot1x-ev:[d0bf.9cf9.5982, Fa0/20] Delete auth client (0x540000EE) message
021853: 5d08h: dot1x-ev:Auth client ctx destroyed

What policies do you have configured on the NPS server?
What were the errors on the NPS server? Check the Windows event logs for NPS and provide the output of the error.
Do you have MAB configured under the interface as well as dot1x?
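The event-log check this reply asks for, as an added PowerShell example (not code from the thread or from Microsoft). NPS audits every RADIUS decision to the Security log as event 6272 (access granted) or 6273 (access denied); the EventData carries the reason code and text, the calling station (the client MAC), the authentication and EAP type, and the network policy that matched, which is exactly what is needed to tell a failed EAP-TLS handshake from a MAB request that hit the wrong policy. The EventData names used below are the ones in the 6272/6273 event XML as I know them; dump one event with `.ToXml()` to confirm them on your NPS version.

```powershell
# Added example, not from the thread. Summarize NPS grant/deny events on the NPS server.
# Run in an elevated prompt on the NPS server. If nothing comes back, NPS auditing may be off:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

function Get-NpsAuthEvents {
    param(
        [int]$Hours = 24,
        [int]$MaxEvents = 200
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 6272, 6273            # 6272 = granted, 6273 = denied
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Flatten the <Data Name="..."> elements of the event XML into a hashtable.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Result     = $(if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' })
                User       = $d['SubjectUserName']        # for MAB this is the MAC string
                ClientMac  = $d['CallingStationID']
                Switch     = $d['ClientName']             # RADIUS client (the switch)
                NasPort    = $d['NASPortType']
                AuthType   = $d['AuthenticationType']     # e.g. EAP or PAP
                EapType    = $d['EAPType']                # e.g. Microsoft: Smart Card or other certificate
                Policy     = $d['NetworkPolicyName']
                ReasonCode = $d['ReasonCode']
                Reason     = $d['Reason']
            }
        }
}

function Get-NpsDenialSummary {
    param([int]$Hours = 24)
    # Group denials by reason and auth type so the dominant failure stands out.
    Get-NpsAuthEvents -Hours $Hours -MaxEvents 2000 |
        Where-Object Result -eq 'Denied' |
        Group-Object ReasonCode, AuthType |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Reason'; e = { $_.Group[0].Reason } }
}

# Usage: the last two hours of denials for one client, then the overall picture.
Get-NpsAuthEvents -Hours 2 |
    Where-Object { $_.Result -eq 'Denied' -and $_.ClientMac -like 'D0-BF-9C*' } |
    Format-Table Time, ClientMac, AuthType, EapType, Policy, ReasonCode, Reason -AutoSize
Get-NpsDenialSummary -Hours 24 | Format-Table -AutoSize
```

The useful signal is in Policy and Reason together: a denial that names the MAB policy for an EAP request (or the EAP-TLS policy for a PAP request) means the policy conditions are matching the wrong traffic, while a denial with no policy name at all means no policy matched.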

Hi,

I configured two policies in NPS, an 802.1X wired policy and a MAB policy.

Please see the attachment below for the NPS log.

interface FastEthernet0/19
description Management Network
switchport access vlan 203
switchport mode access
authentication host-mode multi-host
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
!
interface FastEthernet0/20
description Management Network
switchport access vlan 203
switchport mode access
authentication order mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast

Sorry, but there isn't really anything useful in those attachments to determine where the issue is. What conditions do you have configured under each policy?

Hi,

I am using the settings below in NPS. If my client is joined to the domain, 802.1X is working whether I am using PEAP or EAP-TLS. After that, I tested as you advised with a CSR and the root cert installed on a workgroup computer. And then I exported the user certificate from a domain computer, imported it to the workgroup computer and tested.

If the workgroup computer is using the smart card authentication setting and connects to the port running 802.1X, authentication fails. If the workgroup computer is using the PEAP setting, I see the username and password box below, but I don't know which username and password should be used. I already typed a domain user account and password, but it fails. Please help me to fix this.

[Attachment: user name and password.PNG]

I didn't put MAB settings in NPS. I would like to know: can we put MAB settings in NPS?

Please share your experience of how to configure MAB in NPS, or a sample link to follow.

Hi,

Your EAP-TLS network policy configuration looks incorrect; it should not have the Windows Groups as a condition. Check out this link for an example NPS EAP-TLS configuration.

HTH

Hi,
I tried it but still get an error. I am confused: when I read the Cisco 802.1X deployment documentation, I saw the EAP-TLS process diagram below. Let me know what this means: even though we use EAP-TLS with a certificate, do we still need to type a username and password?

[Attachment: Certificate.jpg]


I found the document you are referring to; it does imply that there is a password involved in the screenshot. However, EAP-TLS is mutual authentication of the server and client certificates; no actual username/password combo is involved. PEAP/MSCHAPv2 requires a server certificate + username/password.

If you are being prompted for authentication, then I would imagine your configuration is still not correct. I re-read a previous comment, "i export user certificate from domain computer and import to work group computer and tested": you shouldn't need to do this. You would create the CSR on the workgroup computer and take the CSR to the CA to sign the certificate. You would then import the signed certificate into the local certificate store (user or computer). You would also need to import the Root CA certificate into the Trusted Root certificate store.

HTH

Hi,

If you are being prompted for authentication, then I would imagine your configuration is still not correct.

=> Yes, correct. I am using PEAP authentication. If I use EAP-TLS, I am not prompted for authentication, but authentication also fails. I am also concerned about my CSR request.

Because if I use "Build from this Active Directory information" under the Subject tab of the template, this template can be enrolled from AD but cannot be requested via the web. If I choose "Supply in the request" under the Subject tab of the template, this template can be seen from the web request page (http://localhost\certsrv). I duplicated the RAS and IAS Server template.

Second: I am also worried that my CSR request file configuration may be wrong. I use a custom request with the subject name being the computer name, the DNS name being my domain (crypto.local), key usage Digital Signature, etc.

Let me know: should we use the same template for the NPS certificate and the client certificate?

Should we use web enrollment for both NPS and the clients?

Let me know the key points of the certificate template for 802.1X and which template I should use.

Can I ask for help if you have any CSR request sample, key points, or sample reference guide, please?

I wouldn't worry about creating a new template; you should be able to use the "User" template that already exists. Is it the CSR generation on the client computer you are having an issue with?

From memory:
- In the MMC add Current User, then go to Personal > Certificates, then Advanced Operations > Create Custom Request. Create the CSR.
- Copy the contents of the CSR file.
- Go to the web GUI http://server/certsrv
- Click "Request a certificate", then "advanced certificate request".
- Copy and paste the contents of the CSR.
- Select the template "User".
- Submit and save the file.
- In the MMC select Import and import the signed file.
- Double-click the newly imported certificate and confirm "You have a private key that corresponds to this certificate" at the bottom of the General tab.
- Confirm the certificate path, to make sure the computer has the root certificate.

HTH
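The same enrollment procedure as the list above, carried out from the command line with certreq and followed by the two checks the list ends on (private key present, chain to a trusted root), as an added PowerShell example that is not code from the thread or from Microsoft. Names assumed here and absent from the original post: CA "ca01.crypto.local\crypto-CA01-CA", user UPN jdoe@crypto.local, host ws01.crypto.local. It uses the built-in "User" template (or, for a computer certificate, the built-in Computer template, whose internal name is "Machine"), which for a workgroup machine must be published with "Supply in the request", since the machine cannot build the subject from AD. One point worth knowing when choosing between the two: NPS still has to resolve the certificate to an AD account, a user certificate by the UPN in its subjectAltName and a computer certificate by its DNS name, so the identity written into the SAN must exist in AD even though the machine itself is not joined.

```powershell
# Added example, not from the thread. EAP-TLS client certificate for a workgroup computer
# via certreq, then verification of what the supplicant needs.
# Assumed: CA config string, template names, UPN and host name below. Run elevated if $UseMachineStore is $true.

$UseMachineStore = $false                 # $true = computer certificate in the LocalMachine store
$Template        = if ($UseMachineStore) { 'Machine' } else { 'User' }   # 'Machine' is the built-in Computer template
$Upn             = 'jdoe@crypto.local'
$HostFqdn        = 'ws01.crypto.local'
$CaConfig        = 'ca01.crypto.local\crypto-CA01-CA'
$Subject         = if ($UseMachineStore) { "CN=$HostFqdn" } else { 'CN=jdoe' }
# NPS maps a user cert by UPN and a computer cert by DNS name; the SAN must name the host, not the domain.
$San             = if ($UseMachineStore) { "dns=$HostFqdn&" } else { "upn=$Upn&" }
$Work            = Join-Path $env:TEMP 'eaptls'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# certreq INF. KeyUsage 0xA0 = digitalSignature (0x80) + keyEncipherment (0x20);
# EKU 1.3.6.1.5.5.7.3.2 = Client Authentication, which NPS requires on an EAP-TLS client cert.
$inf = @"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = $(if ($UseMachineStore) { 'TRUE' } else { 'FALSE' })
Exportable = FALSE
KeyUsage = 0xA0
RequestType = PKCS10
ProviderName = "Microsoft Software Key Storage Provider"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$San"
"@

$infPath = Join-Path $Work 'request.inf'
$reqPath = Join-Path $Work 'request.req'
$cerPath = Join-Path $Work 'cert.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 1. Generate the key pair locally and write a PKCS#10 CSR; the private key never leaves this machine.
certreq -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# 2. Submit the CSR to the CA. If the template needs manager approval, certreq prints a request ID
#    and the cert is fetched later with: certreq -retrieve <id> cert.cer
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed (pending approval or rejected)' }

# 3. Bind the issued certificate to the pending private key and place it in the Personal store.
certreq -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# 4. Verify what the supplicant needs: the cert, its private key, the EKU, and a chain to a trusted root.
$store = if ($UseMachineStore) { 'Cert:\LocalMachine\My' } else { 'Cert:\CurrentUser\My' }
$cert  = Get-ChildItem $store | Where-Object Subject -eq $Subject |
         Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert)               { throw "No certificate with subject $Subject in $store" }
if (-not $cert.HasPrivateKey) { throw 'No private key bound to the certificate (CSR not generated in this store)' }
if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')) {
    throw 'Certificate lacks the Client Authentication EKU'
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Chain does not build: import the Root CA certificate into Trusted Root Certification Authorities'
}
$root = ($chain.ChainElements | Select-Object -Last 1).Certificate
Write-Host "OK: $($cert.Subject) ($($cert.Thumbprint)) chains to $($root.Subject)"
```

Exporting a user's certificate from a domain PC and importing it elsewhere, as tried earlier in the thread, only works if the private key was exported with it; generating the CSR on the workgroup machine avoids moving private keys at all, and the `HasPrivateKey` check above is the scripted form of the "You have a private key that corresponds to this certificate" line in the MMC.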

Hi,

Now I can authenticate workgroup computers with a user, but I can use the default User template only. If I duplicate the User template and use that template, I get an error.

Now I can authenticate with a user CSR with the default User template.

If I use a local computer CSR, I still get an error. But I don't know why I can use a computer certificate to authenticate. No problem, I will find the solution later.

Now I am testing MAB in NPS. If I use the setting below, authentication is successful. But if I use "Authenticate requests on this server", authentication fails. I added the MACs in AD as users.

Let me know: can I use the setting below?

[Attachment: MAB.PNG]