
Configuring Wireless Computer Authentication with Certificates in Windows 7

Howdy All -

I have 10 laptops running Windows 7 Professional that I need to deploy. The laptops will be shared by users and will be wireless. I have Cisco WAP4410N access points which support WPA2-Enterprise and RADIUS authentication.

I would like to use certificates to authenticate the computers to the wireless network before users log in, and then validate the user logging in just like on any other domain computer they would log into. In the event that a computer is stolen or lost, I want to revoke the certificates issued to it so that it cannot be used on my wireless network any more. I also don't want Joe Q. User to be able to bring his laptop from home and get on our company wireless network. Basically, if we don't ship them a wireless device set up for the company wireless network, I don't want them to use anything wirelessly.

I have a Windows Active Directory single forest, single domain at 2003 Native forest and domain functional levels. I have a Windows 2008 R2 Standard edition DC, a Windows 2003 R2 Standard edition DC and a Windows 2003 Standard edition DC. FSMO roles are currently shared between the two 2003 DCs; all three are global catalogs. (I doubt this makes a difference for the problem but want to get the details out there; none of these are virtual machines.) Currently I have no domain logon problems anywhere on my network, and replication is functioning between the three DCs.

I have a machine configured as an internal Enterprise Certification Authority, which is 2008 R2 Enterprise edition. The CA is authorized in AD and its self-signed certificate's public key is deployed through GPO to the Trusted Root Certification Authorities store on all domain-joined machines. I have set up / allowed auto-issue of the Workstation Authentication V2 certificate, which seems to work when I request it. The Certification Authority is the only service running on the host (it's virtual, but it shouldn't make a difference).

I have set up an instance of Windows Server 2008 R2 Standard with NPS and used the wizard to start the configuration for wireless 802.1X authentication. I also issued the NPS server an IAS/RADIUS certificate from my internal CA. I have configured one of the access points (the only one I'm setting up so far) as a RADIUS client and ensured that the shared secret matches on the device and the server; the WAP has the proper static IP and vice versa for the NPS RADIUS client.

On my NPS connection request policies, I have 2 rules:
- Secure Wireless Connections - enabled at priority 1 - NAS port type Wireless - Other or Wireless - IEEE 802.11, local computer as the authentication provider, and override authentication is disabled.
- Use Windows Authentication for all users - has day and time restrictions that amount to 7 days per week 00:00-24:00, with the authentication provider on the local computer.

Under Network Policies there are 4 rules:
1 - Domain computers - machine groups: leepdc\domain computers, user groups: leepdc\domain users - granting full network access
2 - Secure wireless - NAS port type Wireless - Other or Wireless - IEEE 802.11, Windows groups domain users or domain computers, auth type = PEAP, allowed EAP: MS Smart Card or other certificate, or MS PEAP - smart card or other certificate, machine group: domain computers. On match, full network access.

No health policies or remediation servers are defined (I'm just looking for RADIUS really, not NAP).

For testing/debugging, the firewalls on the CA and NPS box are completely disabled. I have ensured communication between the CA and NPS servers in addition to the WAP.

So now I am trying to configure the Windows 7 machines to authenticate wirelessly at the machine/computer level and then allow any domain user to log on. I have ensured that the WLAN AutoConfig service is started and running, and I have created a wireless connection profile with the SSID name on my access point (which is broadcasting). The properties are as follows:
- Connect automatically when network is in range
- Connect even if the network is not broadcasting its SSID
- Security type: WPA2-Enterprise
- Encryption type: AES
- Network authentication method: Microsoft Protected EAP (PEAP), remember credentials
-- Under settings I am validating the server certificate and have checked my internal CA certificate. The authentication method is Smart Card or other certificate, using a certificate on this computer with simple certificate selection, and again I have selected my internal CA in the trusted root authorities.
- Fast reconnect is checked

Under advanced settings for 802.1X I have tried both computer authentication and "user or computer authentication"; when user is selected, I have tried with "enable single sign-on for this network, perform immediately before user logon".

Under 802.11 settings, I have left the defaults of enable pairwise master key caching.

Using the local MMC Certificates snap-in, I have a workstation authentication certificate with properties for client authentication in the Personal certificate store under the computer context (and have tried under the user context as well); in the case of this test laptop, each context has the certificate.

When I try to connect, I get a balloon pop-up telling me that a certificate is required to connect to my SSID and to contact my administrator. I am never presented with an option to pick a certificate.

I have tried using "netsh ras set tracing * enabled" during connection attempts to grab some extra logging information. Based on reviewing the log files, the one with the most relevant information (that I can determine) is %systemroot%\tracing\svchost_RASTLS.log, the latest output of which I have included below.

The certificate hashes in the log correspond to the issued certificates in the computer store. So it is finding them but not using them.

I'm really kind of stumped and not sure where I'm failing: wrong type of certificate, NPS policy misconfigured, or client misconfigured. I feel that since the client sees the network and tells me I need a valid certificate, I'm very close and have something very small misconfigured.

I can elaborate further on any of the configurations if needed, but hopefully the above has provided enough detail for a summary of the relevant portions of my network.

Suggestions greatly appreciated!

Mark L.

[5112] 06-13 16:47:42:673: EAP-TLS using All-purpose cert
[5112] 06-13 16:47:42:673:  Self Signed Certificates will not be selected.
[5112] 06-13 16:47:42:673: EAP-TLS will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: EapTlsInitialize2: PEAP using All-purpose cert
[5112] 06-13 16:47:42:673: PEAP will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: PeapGetIdentity returned the identity as host/LAPTOPTEST.lmfj.com
[5112] 06-13 16:47:42:673: EAP-TLS using All-purpose cert
[5112] 06-13 16:47:42:673:  Self Signed Certificates will not be selected.
[5112] 06-13 16:47:42:673: EAP-TLS will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: EapTlsInitialize2: PEAP using All-purpose cert
[5112] 06-13 16:47:42:673: PEAP will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: PeapReadConnectionData
[5112] 06-13 16:47:42:673: IsIdentityPrivacyInPeapConnPropValid
[5112] 06-13 16:47:42:673: PeapReadUserData
[5112] 06-13 16:47:42:673: No Credentails passed
[5112] 06-13 16:47:42:673: RasEapGetInfo
[5112] 06-13 16:47:42:673: EAP-TLS using All-purpose cert
[5112] 06-13 16:47:42:673:  Self Signed Certificates will not be selected.
[5112] 06-13 16:47:42:673: EAP-TLS will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: EapTlsInitialize2: PEAP using All-purpose cert
[5112] 06-13 16:47:42:673: PEAP will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: PeapReDoUserData
[5112] 06-13 16:47:42:673: EAP-TLS using All-purpose cert
[5112] 06-13 16:47:42:673:  Self Signed Certificates will not be selected.
[5112] 06-13 16:47:42:673: EAP-TLS will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: EapTlsInitialize2: PEAP using All-purpose cert
[5112] 06-13 16:47:42:673: PEAP will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: EapTlsInvokeIdentityUI
[5112] 06-13 16:47:42:673: GetCertInfo flags: 0x100a2
[5112] 06-13 16:47:42:673: GetDefaultClientMachineCert
[5112] 06-13 16:47:42:673: FCheckTimeValidity
[5112] 06-13 16:47:42:673: FCheckUsage: All-Purpose: 1
[5112] 06-13 16:47:42:673: DwGetEKUUsage
[5112] 06-13 16:47:42:673: Number of EKUs on the cert are 1
[5112] 06-13 16:47:42:673: Cert do have CDP but do not have AIA OCSP extension
[5112] 06-13 16:47:42:673: FCheckTimeValidity
[5112] 06-13 16:47:42:673: FCheckUsage: All-Purpose: 1
[5112] 06-13 16:47:42:673: DwGetEKUUsage
[5112] 06-13 16:47:42:673: Number of EKUs on the cert are 3
[5112] 06-13 16:47:42:673: Cert do have CDP but do not have AIA OCSP extension
[5112] 06-13 16:47:42:673: Found Machine Cert based on machinename, client auth, time validity.
[5112] 06-13 16:47:42:673: GetDefaultClientMachineCert done.
[5112] 06-13 16:47:42:673: Got the default Machine Cert
[5112] 06-13 16:47:42:673: Successfully got certificate. Hash follows
[5112] 16:47:42:673: D9 41 67 6B 1C 1E 1E 5A B0 01 12 99 1E 43 5D 82 |.Agk...Z.....C].|
[5112] 16:47:42:673: 9A 45 1E EC 00 00 00 00 00 00 00 00 00 00 00 00 |.E..............|
[5112] 06-13 16:47:42:673: EAP-TLS using All-purpose cert
[5112] 06-13 16:47:42:673:  Self Signed Certificates will not be selected.
[5112] 06-13 16:47:42:673: EAP-TLS will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: EapTlsInitialize2: PEAP using All-purpose cert
[5112] 06-13 16:47:42:673: PEAP will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: PeapGetIdentity returned the identity as host/LAPTOPTEST.lmfj.com
[5112] 06-13 16:47:42:673: EAP-TLS using All-purpose cert
[5112] 06-13 16:47:42:673:  Self Signed Certificates will not be selected.
[5112] 06-13 16:47:42:673: EAP-TLS will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: EapTlsInitialize2: PEAP using All-purpose cert
[5112] 06-13 16:47:42:673: PEAP will accept the  All-purpose cert
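As an added check (example script, not from the original post), the PowerShell below lists the certificates in the computer's Personal store and applies the same filters the RASTLS trace above shows the supplicant applying (not self-signed, time-valid, Client Authentication EKU, name matches the computer) plus a chain build to a trusted root, and prints each certificate's SHA-1 thumbprint so it can be matched against the "Hash follows" bytes in svchost_RASTLS.log. It assumes an elevated PowerShell on the Windows 7 client; the store path and OIDs are standard Windows values and the function name is my own.

```powershell
# Added example, not from the original post: which certificates in the
# computer's Personal store could the 802.1X supplicant use for machine
# authentication, and why would it skip the others?
# Assumes: elevated PowerShell on the Windows 7 client; the store path and
# the OIDs below are the standard Windows values.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$ekuOid        = '2.5.29.37'           # Extended Key Usage extension
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = '{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName   # e.g. LAPTOPTEST.lmfj.com
$now  = Get-Date

function Test-MachineAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert)
    $problems = @()

    # The supplicant opens the key silently, so it needs a usable private key.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    # "Self Signed Certificates will not be selected" (RASTLS trace).
    if ($cert.Subject -eq $cert.Issuer) { $problems += 'self-signed' }

    # FCheckTimeValidity in the trace.
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += 'not time-valid' }

    # FCheckUsage / DwGetEKUUsage: an EKU extension, if present, must list
    # Client Authentication; a certificate with no EKU extension is all-purpose.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuOid }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) {
        $problems += 'no Client Authentication EKU'
    }

    # Default machine certificate selection matches the computer name
    # (subject CN or a DNS name in the Subject Alternative Name).
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $fqdn) { $problems += "name '$dnsName' is not '$fqdn'" }

    # The chain must end at a root in Trusted Root Certification Authorities
    # (the internal CA root is pushed there by GPO). Revocation checking is
    # off here so the test does not depend on reaching the CDP.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $problems += ('chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','))
    }

    New-Object PSObject -Property @{
        Usable     = ($problems.Count -eq 0)
        # Same SHA-1 value the trace prints after "Hash follows"
        # (the trace pads it to 32 bytes with zeros).
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-MachineAuthCert $_ } |
    Sort-Object Usable -Descending |
    Format-Table Usable, Thumbprint, Subject, Problems -AutoSize -Wrap
```

A certificate that shows Usable but still is not offered by the supplicant points away from the client store and towards the NPS side (policy match or account settings), which is where this thread ends up.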


Distinguished Expert 2018

Commented:
At first read-through, I suspect that this is an issue between NPS and your access point. Cisco's in particular are very fussy about their configuration. NPS has an option when configuring the RADIUS portion to choose a vendor-specific implementation, but I've found that even choosing Cisco doesn't always work and is dependent on the version of IOS running on the access point.

Check the event logs for NPS logged errors (it'll log when it doesn't know what to do with a flag or if it rejected a RADIUS request) and equally, check your logs on your access point for errors connecting to the RADIUS server. Between the two, you should get an idea what the access point is choking on and be able to find a technet or Cisco knowledgebase article to address the inconsistency.

Author

Commented:
cgaliher -

I'll see if I can find anything known for the particular access points I'm using, but they are not full-blown Cisco APs; they're in the Linksys Small Business family, so typical IOS debugging and troubleshooting doesn't seem to work. When I enabled SSH on it, attempting to turn on very detailed debugging and diagnostics... guess what, they don't have it. The log file I found seems to only report on management changes and failed logins to the AP itself, although I will continue to look.

As for the NPS logs, here are the last two entries. I need to research and find out what the different pieces and parts are as I'm not too familiar with them, but maybe something will stand out to you:
-- LMFJ-NPS 192.168.5.36/24 --- name of my server
-- AP name is WAP-98A - 192.168.98.40/24

Everything in the log is coming in pairs with the same time stamp.

The 311 stands out to me, and the "Connections to other access servers"; looking at the other policies that came out of the box, there is a Connections to Routing and Remote Access policy that has a vendor class ID of 311 defined and is a deny-access policy at priority 3.

So I guess this leads to: how are these rules processed? Match any, top down, or match all, top down? Or is that RRAS deny policy similar to a "deny by default" that, if things are working right, should never be reached?

MAL


"LMFJ-NPS","IAS",06/13/2010,18:11:50,1,"host/LAPTOPTEST.lmfj.com","lmfj.com/Computers/LAPTOPTEST","00-27-0D-05-BD-C1:LMFJ","70-F1-A1-5A-64-F5",,,,"192.168.98.40",0,0,"192.168.98.40","WAP-98A",,,19,"CONNECT 11Mbps 802.11b",,,5,"Connections to other access servers",0,"311 1 192.168.5.36 06/11/2010 19:55:23 54",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

"LMFJ-NPS","IAS",06/13/2010,18:11:50,3,,"lmfj.com/Computers/LAPTOPTEST",,,,,,,,0,"192.168.98.40","WAP-98A",,,,,,,5,"Connections to other access servers",65,"311 1 192.168.5.36 06/11/2010 19:55:23 54",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,


Distinguished Expert 2018

Commented:
NPS logs can be a bit cryptic and in many cases are unnecessary for this type of troubleshooting. To clarify, use the Event Viewer administrative snap-in and view the Application event log. NPS does any significant logging there as well, so warning and error events from NPS are easy to spot and provide enough information to know what is happening. Even "information" events from NPS will at least tell you that a RADIUS request was processed successfully and will have some details.

Author

Commented:
cgaliher -

Sorry for the misunderstanding on my part. The Event Viewer, once I finally found NPS in there, is giving me useful info. It looks like, of the two policies I have, one is bypassing dial-in settings on the "user" and the other is set to follow them. The machine account, which is what is first trying to authenticate, was/is set to Deny in ADUC. I've changed it but won't be able to test further until I'm in the office tomorrow.

Hopefully it turns out to be this simple!

ML

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          6/13/2010 6:11:50 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      LMFJ-NPS.lmfj.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			LEEPDC\LAPTOPTEST$
	Account Name:			host/LAPTOPTEST.lmfj.com
	Account Domain:			LEEPDC
	Fully Qualified Account Name:	lmfj.com/Computers/LAPTOPTEST

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		00-27-0D-05-BD-C1:LMFJ
	Calling Station Identifier:		70-F1-A1-5A-64-F5

NAS:
	NAS IPv4 Address:		192.168.98.40
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			0

RADIUS Client:
	Client Friendly Name:		WAP-98A
	Client IP Address:			192.168.98.40

Authentication Details:
	Connection Request Policy Name:	Secure Wireless Connections
	Network Policy Name:		Connections to other access servers
	Authentication Provider:		Windows
	Authentication Server:		LMFJ-NPS.lmfj.com
	Authentication Type:		EAP
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			65
	Reason:				The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2010-06-13T23:11:50.885378000Z" />
    <EventRecordID>12321</EventRecordID>
    <Correlation />
    <Execution ProcessID="496" ThreadID="1300" />
    <Channel>Security</Channel>
    <Computer>LMFJ-NPS.lmfj.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1341351216-269885446-825688854-2357</Data>
    <Data Name="SubjectUserName">host/LAPTOPTEST.lmfj.com</Data>
    <Data Name="SubjectDomainName">LEEPDC</Data>
    <Data Name="FullyQualifiedSubjectUserName">lmfj.com/Computers/LAPTOPTEST</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">00-27-0D-05-BD-C1:LMFJ</Data>
    <Data Name="CallingStationID">70-F1-A1-5A-64-F5</Data>
    <Data Name="NASIPv4Address">192.168.98.40</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">-</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NASPort">0</Data>
    <Data Name="ClientName">WAP-98A</Data>
    <Data Name="ClientIPAddress">192.168.98.40</Data>
    <Data Name="ProxyPolicyName">Secure Wireless Connections</Data>
    <Data Name="NetworkPolicyName">Connections to other access servers</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">LMFJ-NPS.lmfj.com</Data>
    <Data Name="AuthenticationType">EAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">65</Data>
    <Data Name="Reason">The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>
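The event above is the NPS "access denied" audit (Event ID 6273), and its EventData section carries the same fields as the description. As an added example (my script, not part of this thread), the PowerShell below summarises recent 6273 events on the NPS server by reason code and network policy, and for reason 65 looks up the denied account's current Network Access Permission, which Active Directory stores in the msNPAllowDialin attribute. It assumes it runs on the NPS server (LMFJ-NPS here) with rights to read the Security log and query AD; the reason texts for 65 and 66 are the ones shown in this thread, and the function names are my own.

```powershell
# Added example, not from the thread: summarise NPS "access denied" audits
# (Event ID 6273 in the NPS server's Security log) by reason code and network
# policy, and for reason 65 look up the denied account's Network Access
# Permission (the msNPAllowDialin attribute) in Active Directory.
# Assumes: run on the NPS server with rights to read the Security log and
# query AD. Reason texts for 65 and 66 are the ones shown in this thread.

param([int]$Hours = 24)

$knownReasons = @{
    65 = 'Network Access Permission on the account is set to Deny access'
    66 = 'authentication method not enabled on the matching network policy'
}

function Get-NpsDenials {
    param([int]$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # EventData carries the same fields the event description shows.
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time           = $ev.TimeCreated
            Account        = $data['SubjectUserName']      # e.g. host/LAPTOPTEST.lmfj.com
            Policy         = $data['NetworkPolicyName']    # e.g. Connections to other access servers
            ReasonCode     = [int]$data['ReasonCode']
            NasIp          = $data['NASIPv4Address']
            CallingStation = $data['CallingStationID']     # client MAC address
        }
    }
}

function Get-NetworkAccessPermission {
    param([string]$Account)
    # Computer accounts authenticate as host/<fqdn>; users as DOMAIN\name or name@domain.
    if ($Account -like 'host/*') { $sam = ($Account -replace '^host/', '').Split('.')[0] + '$' }
    elseif ($Account -like '*\*') { $sam = $Account.Split('\')[-1] }
    else { $sam = $Account.Split('@')[0] }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$sam)")
    [void]$searcher.PropertiesToLoad.Add('msNPAllowDialin')
    $result = $searcher.FindOne()
    if ($result -eq $null) { return "$sam not found in AD" }

    # TRUE = Allow access, FALSE = Deny access,
    # absent = Control access through NPS Network Policy.
    $value = $result.Properties['msnpallowdialin']
    if ($value.Count -eq 0) { 'Control access through NPS Network Policy' }
    elseif ($value[0]) { 'Allow access' }
    else { 'Deny access' }
}

$denials = @(Get-NpsDenials -Hours $Hours)
"$($denials.Count) NPS denials in the last $Hours hours"

$denials | Group-Object ReasonCode, Policy | ForEach-Object {
    $code = $_.Group[0].ReasonCode
    $why = if ($knownReasons.ContainsKey($code)) { $knownReasons[$code] } else { 'see the event text' }
    '{0,4} x reason {1} on policy "{2}": {3}' -f $_.Count, $code, $_.Group[0].Policy, $why
}

# Reason 65 is the dial-in setting; show what each denied account is set to now.
$denials | Where-Object { $_.ReasonCode -eq 65 } |
    ForEach-Object { $_.Account } | Sort-Object -Unique |
    ForEach-Object { '{0}: {1}' -f $_, (Get-NetworkAccessPermission $_) }
```

The policy name in the grouping is worth reading alongside the reason code: a denial logged against a catch-all policy such as "Connections to other access servers" means none of the intended policies matched, which is a different problem from the intended policy matching and then rejecting the account.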


Distinguished Expert 2018

Commented:
Good to know. From what you posted, that is what it looks like to me as well. So hopefully you will be able to resolve that. Let us know; I'm very curious to see the results.

Author

Commented:
Some progress has been made, but I'm not out of the woods yet.   The dial-in properties change did help a lot.

I am now getting this consistently in my NPS event log:

AuthenticationServer LMFJ-NPS.lmfj.com
  AuthenticationType EAP
  EAPType -
  AccountSessionIdentifier -
  ReasonCode 66
  Reason The user attempted to use an authentication method that is not enabled on the matching network policy.
  LoggingResult Accounting information was written to the local log file.


On my wireless client(s) I am getting "could not connect to LMFJ, contact your administrator", so at least things seem to be halfway communicating.

The attached PDF has screen shots of the connection policy request and network policies that are currently in place in addition to the client's network properties pages.   I keep looking at these waiting for that "duh" moment to strike me.

The RASTLS log on the client is also finding a valid certificate that can be used now, selecting it, and it looks like it is getting through that phase.


So maybe once I get the protocols to match up, I will be rocking and rolling!

I would appreciate any insight anybody can offer.

[4008] 06-14 10:47:31:594: FCheckUsage: All-Purpose: 1
[4008] 06-14 10:47:31:594: DwGetEKUUsage
[4008] 06-14 10:47:31:594: Number of EKUs on the cert are 3
[4008] 06-14 10:47:31:594: FCheckSCardCertAndCanOpenSilentContext
[4008] 06-14 10:47:31:594: DwGetEKUUsage
[4008] 06-14 10:47:31:594: Number of EKUs on the cert are 3
[4008] 06-14 10:47:31:594: FCheckUsage: All-Purpose: 1
[4008] 06-14 10:47:31:594: Acquiring Context for Container Name: 545d5d7c630f44a715edf5680199c509_7245efe2-ed84-4bd8-b581-c2d3fdb57312, ProvName: Microsoft Enhanced Cryptographic Provider v1.0, ProvType 0x1
[4008] 06-14 10:47:31:610: FCheckTimeValidity
[4008] 06-14 10:47:31:610: Cert do have CDP but do not have AIA OCSP extension
[4008] 06-14 10:47:31:610: Add Selected Cert to List
[4008] 06-14 10:47:31:610: FCheckUsage: All-Purpose: 1
[4008] 06-14 10:47:31:610: DwGetEKUUsage
[4008] 06-14 10:47:31:610: Number of EKUs on the cert are 3
[4008] 06-14 10:47:31:610: FCheckSCardCertAndCanOpenSilentContext
[4008] 06-14 10:47:31:610: DwGetEKUUsage
[4008] 06-14 10:47:31:610: Number of EKUs on the cert are 3
[4008] 06-14 10:47:31:610: FCheckUsage: All-Purpose: 1
[4008] 06-14 10:47:31:610: Found SCard Cert in registey.  Skipping...
[4008] 06-14 10:47:31:610: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
[4008] 06-14 10:47:31:610: Successfully got certificate. Hash follows
[4008] 10:47:31:610: F3 84 4B 92 CC B1 9C 19 D5 BC 9D 16 63 C5 42 72 |..K.........c.Br|
[4008] 10:47:31:610: A4 99 78 48 00 00 00 00 00 00 00 00 00 00 00 00 |..xH............|
[4008] 06-14 10:47:31:610: EAP-TLS using All-purpose cert
[4008] 06-14 10:47:31:610:  Self Signed Certificates will not be selected.
[4008] 06-14 10:47:31:610: EAP-TLS will accept the  All-purpose cert
[4008] 06-14 10:47:31:610: EapTlsInitialize2: PEAP using All-purpose cert
[4008] 06-14 10:47:31:610: PEAP will accept the  All-purpose cert
[4008] 06-14 10:47:34:262: EAP-TLS using All-purpose cert
[4008] 06-14 10:47:34:262:  Self Signed Certificates will not be selected.
[4008] 06-14 10:47:34:262: EAP-TLS will accept the  All-purpose cert
[4008] 06-14 10:47:34:262: EapTlsInitialize2: PEAP using All-purpose cert
[4008] 06-14 10:47:34:262: PEAP will accept the  All-purpose cert
[4008] 06-14 10:47:34:262: EapTlsInvokeIdentityUI
[4008] 06-14 10:47:34:262: GetCertInfo flags: 0x40082
[4008] 06-14 10:47:34:262: FCheckUsage: All-Purpose: 1
[4008] 06-14 10:47:34:262: DwGetEKUUsage
[4008] 06-14 10:47:34:262: Number of EKUs on the cert are 3
[4008] 06-14 10:47:34:262: FCheckSCardCertAndCanOpenSilentContext
[4008] 06-14 10:47:34:262: DwGetEKUUsage
[4008] 06-14 10:47:34:262: Number of EKUs on the cert are 3
[4008] 06-14 10:47:34:262: FCheckUsage: All-Purpose: 1
[4008] 06-14 10:47:34:262: Acquiring Context for Container Name: 545d5d7c630f44a715edf5680199c509_7245efe2-ed84-4bd8-b581-c2d3fdb57312, ProvName: Microsoft Enhanced Cryptographic Provider v1.0, ProvType 0x1
[4008] 06-14 10:47:34:262: FCheckTimeValidity
[4008] 06-14 10:47:34:262: Cert do have CDP but do not have AIA OCSP extension
[4008] 06-14 10:47:34:262: Add Selected Cert to List
[4008] 06-14 10:47:34:262: FCheckUsage: All-Purpose: 1
[4008] 06-14 10:47:34:262: DwGetEKUUsage
[4008] 06-14 10:47:34:262: Number of EKUs on the cert are 3
[4008] 06-14 10:47:34:262: FCheckSCardCertAndCanOpenSilentContext
[4008] 06-14 10:47:34:262: DwGetEKUUsage
[4008] 06-14 10:47:34:262: Number of EKUs on the cert are 3
[4008] 06-14 10:47:34:262: FCheckUsage: All-Purpose: 1
[4008] 06-14 10:47:34:262: Found SCard Cert in registey.  Skipping...
[4008] 06-14 10:47:34:262: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
[4008] 06-14 10:47:34:262: Successfully got certificate. Hash follows
[4008] 10:47:34:262: F3 84 4B 92 CC B1 9C 19 D5 BC 9D 16 63 C5 42 72 |..K.........c.Br|
[4008] 10:47:34:262: A4 99 78 48 00 00 00 00 00 00 00 00 00 00 00 00 |..xH............|
[4008] 06-14 10:47:34:262: EAP-TLS using All-purpose cert
[4008] 06-14 10:47:34:262:  Self Signed Certificates will not be selected.
[4008] 06-14 10:47:34:262: EAP-TLS will accept the  All-purpose cert
[4008] 06-14 10:47:34:262: EapTlsInitialize2: PEAP using All-purpose cert
[4008] 06-14 10:47:34:262: PEAP will accept the  All-purpose cert
[4008] 06-14 10:47:34:262: EAP-TLS using All-purpose cert
[4008] 06-14 10:47:34:262:  Self Signed Certificates will not be selected.
[4008] 06-14 10:47:34:262: EAP-TLS will accept the  All-purpose cert
[4008] 06-14 10:47:34:262: EapTlsInitialize2: PEAP using All-purpose cert
[4008] 06-14 10:47:34:262: PEAP will accept the  All-purpose cert
[4008] 06-14 10:47:34:262: EapTlsInvokeIdentityUI
[4008] 06-14 10:47:34:262: GetCertInfo flags: 0x40082
[4008] 06-14 10:47:34:262: FCheckUsage: All-Purpose: 1
[4008] 06-14 10:47:34:262: DwGetEKUUsage
[4008] 06-14 10:47:34:262: Number of EKUs on the cert are 3
[4008] 06-14 10:47:34:262: FCheckSCardCertAndCanOpenSilentContext
[4008] 06-14 10:47:34:262: DwGetEKUUsage
[4008] 06-14 10:47:34:262: Number of EKUs on the cert are 3
[4008] 06-14 10:47:34:262: FCheckUsage: All-Purpose: 1
[4008] 06-14 10:47:34:262: Acquiring Context for Container Name: 545d5d7c630f44a715edf5680199c509_7245efe2-ed84-4bd8-b581-c2d3fdb57312, ProvName: Microsoft Enhanced Cryptographic Provider v1.0, ProvType 0x1
[4008] 06-14 10:47:34:262: FCheckTimeValidity
[4008] 06-14 10:47:34:262: Cert do have CDP but do not have AIA OCSP extension
[4008] 06-14 10:47:34:262: Add Selected Cert to List
[4008] 06-14 10:47:34:262: FCheckUsage: All-Purpose: 1
[4008] 06-14 10:47:34:262: DwGetEKUUsage
[4008] 06-14 10:47:34:262: Number of EKUs on the cert are 3
[4008] 06-14 10:47:34:262: FCheckSCardCertAndCanOpenSilentContext
[4008] 06-14 10:47:34:262: DwGetEKUUsage
[4008] 06-14 10:47:34:262: Number of EKUs on the cert are 3
[4008] 06-14 10:47:34:262: FCheckUsage: All-Purpose: 1
[4008] 06-14 10:47:34:262: Found SCard Cert in registey.  Skipping...
[4008] 06-14 10:47:34:262: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
[4008] 06-14 10:47:34:262: Successfully got certificate. Hash follows
[4008] 10:47:34:262: F3 84 4B 92 CC B1 9C 19 D5 BC 9D 16 63 C5 42 72 |..K.........c.Br|
[4008] 10:47:34:262: A4 99 78 48 00 00 00 00 00 00 00 00 00 00 00 00 |..xH............|
[4008] 06-14 10:47:34:262: EAP-TLS using All-purpose cert
[4008] 06-14 10:47:34:262:  Self Signed Certificates will not be selected.
[4008] 06-14 10:47:34:262: EAP-TLS will accept the  All-purpose cert
[4008] 06-14 10:47:34:262: EapTlsInitialize2: PEAP using All-purpose cert
[4008] 06-14 10:47:34:262: PEAP will accept the  All-purpose cert

setups.pdf

Distinguished Expert 2018

Commented:
Well, the next thing I see is that nowhere in your initial write-up do you mention how you plan on authenticating users. You are authenticating machine accounts by certificate and have set up your CA to auto-enroll workstation certificates, and I'm guessing that is working.
When a user logs in though, they may not have a certificate if you haven't set up user auto-enrollment. You also have configured PEAP which would imply that you might want to be using password based authentication on the user level, but I also see no indication that you've set that up.
So you need to make that decision and then implement a strategy as appropriate.

Author

Commented:
I'd like users to just "logon" to the computers as normal using their domain logons.  Configuring them for auto enrollment if needed is not a problem.

I do have a certificate for me on the machine that I requested from the CA.

However, if I reboot the computer I can't ping it and I still get the error in my NPS logs that the user attempted to use an authentication method that is not enabled on the matching network policy.

In that event, the user shows as the machine  (that is literally just turning the machine on)

If I am logged in and try to connect, I get refusals on both the machine and on my user account (which there is a certificate for) with the same message.

Distinguished Expert 2018
Commented:
Okay, let's get the computer account working first then. On your NPS server, if you look at your first network policy, you'll see that under conditions you are looking for EAP or PAP or PEAP. Remove those conditions. We'll let NPS negotiate the actual authentication.
Now, go into the policy properties themselves and go to the Constraints tab. In the top box, have only one thing: Microsoft Protected EAP (PEAP).
Add it if you must, remove everything else. Then select it and hit the "Edit" button to see the advanced properties. In there you can choose the server certificate and what method is used *with* PEAP. Choose certificate.
Back on the main screen where you added PEAP, uncheck all the boxes below under the "less secure methods" banner.
Now, on the client, configure your wireless settings to match. As an aside, I noticed you have WPA2-Enterprise listed with TKIP on your screen grab, but I thought you mentioned your wireless access points were configured for AES. That'll give you trouble as well. So configure for WPA2-Enterprise, PEAP, and in the advanced configuration, certificates.
Reboot the client and see if any new NPS errors are getting thrown for machine authentication.

Author

Commented:
On the access point: the access point I'm using supports WPA2-Enterprise with AES or TKIP, and it also has "Mixed". Just for fun I tried earlier switching it to Mixed and trying TKIP instead of AES to see if it made any difference. I got the same errors in the NPS logs.

Once I made the changes you suggested to the rules and rebooted the client, I see it authenticate in the event logs and can ping the machine. If I log onto the machine as me (where I had previously requested a certificate), all is good.

If I log on as another user who has previously not logged onto the machine, it logs them in but then the wireless disconnects and won't reconnect; there is nothing in the server event log. Within a few seconds of logging off, the wireless picks back up and pings resume.

So the first hurdle has been conquered; now it looks like I need to get auto-enrollment of user certificates going?
Distinguished Expert 2018
Commented:
Technically there is no such thing as user autoenrollment. But there are hoops you can jump through to get something very similar. In most cases though, I find that you can get away without user certificates altogether. See if this works:
On your NPS server, take your network policy and remove the users security group. That policy will *only* apply to workstations.
Create another policy that is a duplicate of the one above, but add *only* the user security group. In the PEAP authentication section, remove smart cards and add MS-CHAP v2. That will allow password authentication for users.
Finally, on the clients, in the PEAP advanced settings, allow both certificates and MS-CHAP v2. Since NPS won't allow MS-CHAPv2 for computer accounts (because of the network policy above) and NPS won't allow certificate authentication for user accounts (because of the new policy we created), you get the net effect of the two authentication schemes being mutually exclusive, even though they are both selected on the client.
If everything is working smoothly, that should give you the desired effect without requiring nasty certificate management scenarios.

Author

Commented:
cgaliher -

Based on the above suggested changes, this is working great.  The pilot client seems to be going without any issues and I have a 2nd one that so far is working so the initial configuration challenges have been solved.

The wireless does not drop out when a user logs in, except if they have not logged on before; all they have to do is hit connect and it goes, and when they log in again it's fine. This seems like something I can fix through configuration and also group policies.

My next challenge, however, will be to get the wireless configuration deployed using Group Policy objects; the deployment of said policy I can hopefully do, and it will need to be a thread on its own.

I appreciate your help with this!