Solved: 802.1x Configure Wired 802.1X with NPS

UCrypto · ‎10-06-2018

Dear Sir,

i would like to ask about 802.1x authenication . i try to configure 802.1x Configure Wired 802.1X with NPS without using ISE or third-party appliance. I watched youtube training video and i followed these tutorials.

But when i am testing,i got authenication failed error.I tried to use EAP (PEAP) authenication method.

Please help me to troubleshoot in this case.Please see below Switchesdebug file and NPS server Logs

in

Francesco Molino · ‎10-07-2018

Take a look here on how to configure your NPS, the client part is also explained but this is common for every use case no matter which radius you're using.

https://networklessons.com/uncategorized/peap-and-eap-tls-on-server-2008-and-cisco-wlc/

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

coolbreeze · ‎10-08-2018

Hello there,

Have you tried setting the "Certificate Issued To" to the certificate that is local, or has the FQDN in the name, to any avail (i.e. one of the .local certs, I'm assuming)?

In the "Edit Protected EAP Properties" dialog box, according to the "Network Lessons" URL link provided in Francesco's comment:

"Make sure you have selected the correct certificate. This is the computer certificate that will be presented to wireless users when they connect using PEAP. It allows our wireless clients to confirm the identity of the RADIUS server."

and the Microsoft guide for Deploy server certificates for 802.1X wired and wireless deployments:

"In the Edit Protected EAP Properties dialog box, in Certificate issued to, NPS displays the name of your server certificate in the format ComputerName.Domain. For example, if your NPS is named NPS-01 and your domain is example.com, NPS displays the certificate NPS-01.example.com. In addition, in Issuer, the name of your certification authority is displayed, and in Expiration date, the date of expiration of the server certificate is shown."

Also can you confirm the current certificate configuration of the client computer?

Thanks

View solution in original post

UCrypto · ‎10-06-2018

Hi,
when i check NPS event log,
I saw certificate error . It show The certificate chain was issued by an authority that is not trusted .
i followed https://community.spiceworks.com/topic/2120840-wired-802-1x-nps-and-certificates .
But i can't solve.
PLease help me.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/7/2018 2:30:48 AM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: CA.cadc.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: CADC\azt
Account Name: azt@cadc.local
Account Domain: CADC
Fully Qualified Account Name: cadc.local/eKiosk/azt

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 00-AA-6E-2A-50-0A
Calling Station Identifier: 40-16-7E-45-F2-67

NAS:
NAS IPv4 Address: 192.168.1.101
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 50110

RADIUS Client:
Client Friendly Name: Cisco Switch
Client IP Address: 192.168.1.101

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: eKiosk 802.1x
Authentication Provider: Windows
Authentication Server: CA.cadc.local
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 265
Reason: The certificate chain was issued by an authority that is not trusted.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6273</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12552</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2018-10-06T18:30:48.122645800Z" />
<EventRecordID>7948</EventRecordID>
<Correlation ActivityID="{A68ECF03-5D8A-0000-4DD0-8EA68A5DD401}" />
<Execution ProcessID="612" ThreadID="4240" />
<Channel>Security</Channel>
<Computer>CA.cadc.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3858713045-1423114026-2227573672-1104</Data>
<Data Name="SubjectUserName">azt@cadc.local</Data>
<Data Name="SubjectDomainName">CADC</Data>
<Data Name="FullyQualifiedSubjectUserName">cadc.local/eKiosk/azt</Data>
<Data Name="SubjectMachineSID">S-1-0-0</Data>
<Data Name="SubjectMachineName">-</Data>
<Data Name="FullyQualifiedSubjectMachineName">-</Data>
<Data Name="CalledStationID">00-AA-6E-2A-50-0A</Data>
<Data Name="CallingStationID">40-16-7E-45-F2-67</Data>
<Data Name="NASIPv4Address">192.168.1.101</Data>
<Data Name="NASIPv6Address">-</Data>
<Data Name="NASIdentifier">-</Data>
<Data Name="NASPortType">Ethernet</Data>
<Data Name="NASPort">50110</Data>
<Data Name="ClientName">Cisco Switch</Data>
<Data Name="ClientIPAddress">192.168.1.101</Data>
<Data Name="ProxyPolicyName">Use Windows authentication for all users</Data>
<Data Name="NetworkPolicyName">eKiosk 802.1x</Data>
<Data Name="AuthenticationProvider">Windows</Data>
<Data Name="AuthenticationServer">CA.cadc.local</Data>
<Data Name="AuthenticationType">PEAP</Data>
<Data Name="EAPType">-</Data>
<Data Name="AccountSessionIdentifier">-</Data>
<Data Name="ReasonCode">265</Data>
<Data Name="Reason">The certificate chain was issued by an authority that is not trusted.</Data>
<Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
</EventData>
</Event>

Francesco Molino · ‎10-06-2018

Hi

Can you share outputs of your nps rule, windows client supplicant configuration and the template your cert?
Are you trying to authenticate using eap-tls or mschapv2?
What type of certificate are you using? Machine or user?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

UCrypto · ‎10-06-2018

Hi ,

I am useing user certificate.

I am using PEAP .Not using MSCHAPv2.

i use auto enrollment certificate with GPO.But My server didn't recognized my computer as trusted.

my Radius said invilad client request.I think it is my certificate error.

I just want to know ,what kind of subject name will use for certificate ? i use user certificate template and subject name is PNP. In Certificate issued to drop drown list of NPS, what kind of certificate do i need to us i need to use local computer certificate or root CA ?.I am still confuse about this. I think i input wrong information request to create certificate

Please see below attachment for configuration screenshot

Francesco Molino · ‎10-07-2018

What you want to do is more EAP-TLS authentication using certificate.
In your template, the SN is set to none. What does your certificate looks like in your client machine?
I'm sorry I'm not very familiar with Microsoft tools (which includes NPS)

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

UCrypto · ‎10-07-2018

Hi,
i didn't familiar with NPS too.
I follow above link.but,i don't know what wrong.i am ok whatever eap-tls or
peap.
I want to know how to fix.
Please help me

Francesco Molino · ‎10-07-2018

Take a look here on how to configure your NPS, the client part is also explained but this is common for every use case no matter which radius you're using.

https://networklessons.com/uncategorized/peap-and-eap-tls-on-server-2008-and-cisco-wlc/

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

UCrypto · ‎10-07-2018

I already tried this way buy still got error authentication fail.

Francesco Molino · ‎10-08-2018

I've followed the network lesson step by step and it's working fine. I tried to found out some logs but again I'm not familiar with Microsoft world but found nothing. PM if you want to do a webex session, I believe I can help you out as I've done it in my lab.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

coolbreeze · ‎10-08-2018

Hello there,

Have you tried setting the "Certificate Issued To" to the certificate that is local, or has the FQDN in the name, to any avail (i.e. one of the .local certs, I'm assuming)?

In the "Edit Protected EAP Properties" dialog box, according to the "Network Lessons" URL link provided in Francesco's comment:

"Make sure you have selected the correct certificate. This is the computer certificate that will be presented to wireless users when they connect using PEAP. It allows our wireless clients to confirm the identity of the RADIUS server."

and the Microsoft guide for Deploy server certificates for 802.1X wired and wireless deployments:

"In the Edit Protected EAP Properties dialog box, in Certificate issued to, NPS displays the name of your server certificate in the format ComputerName.Domain. For example, if your NPS is named NPS-01 and your domain is example.com, NPS displays the certificate NPS-01.example.com. In addition, in Issuer, the name of your certification authority is displayed, and in Expiration date, the date of expiration of the server certificate is shown."

Also can you confirm the current certificate configuration of the client computer?

Thanks