Wireless certificate RADIUS authentication problems

stevepickard asked:
Hi all,

I'm having a problem getting our new wifi set up and running as desired, so hope someone has come across this before and can point out where I'm going wrong.  I'm fairly new to RADIUS but am pretty sure it's installed and setup correctly.

The end result should be that Domain configured computers (with certificate from our CA) will be able to log onto the WIFI if logged into by a domain user.  Everything else trying to connect will be blocked.

Our setup is as follows:
Windows Vista/XP clients (using Vista as my test machine)
Netgear WFS709TP wireless management switch.
Windows Server 2008 Std with NPS installed.
Client/Server cert installed on both the Vista and the 2008 boxes

NPS is configured to talk to the Netgear as a valid Authenticator/Client, and is registered in AD.
It currently has 1 connection request policy of
NAS Port Type: Wireless - Other OR Wireless IEEE 802.11
and a single Network Policy of
NAS Port Type: Wireless - Other OR Wireless IEEE 802.11
Machine Groups: <domain>\Domain Computers
User Groups: <domain>\Domain Users OR <domain>\Domain Admins

Authentication method is PEAP with the server's certificate issued from the CA selected, and EAP-MSCHAPv2.
Fast Reconnect is currently disabled for testing purposes.

The Netgear is configured with a visible SSID and WPA2-AES, authenticating against the RADIUS server, which is configured as the NPS box.

The clients have matching wireless settings, with Validate Server Certificate selected in the PEAP properties, and our root CA selected in the list.  Again fast reconnect, and also cache settings, are disabled for testing purposes.

When trying to connect to the wireless it fails.
On the Network Policy and Access Services event log nothing is displayed
On the client's security log it shows:

A request was made to authenticate to a wireless network.

      Security ID:            <domain>\jjennings
      Account Name:            jjennings
      Account Domain:            <domain>
      Logon ID:            0x78782

Network Information:
      Name (SSID):            WirelessTest
      Interface GUID:            {4bb28eb9-c2dd-42b0-8dab-f1fd995997cb}
      Local MAC Address:      00:22:FA:3F:25:F2
      Peer MAC Address:      00:24:B2:46:FA:C0

Additional Information:
      Reason Code:            Explicit Eap failure received (0x50005)
      Error Code:            0x40420110

It has been quite hard to track down what that error means in relation to my setup.

Another thing to mention is that the machine certificates are already being used for VPN access (but not against a RADIUS server), so they look to be working and recognised OK on the network.

Any thoughts or suggestions on what I may be doing wrong would be great, and if you need any more info then let me know too.

Thanks in advance!
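A first check worth adding at this point (an added example by the editor, not from the thread): on Windows Server 2008, NPS does not record authentication results in the Network Policy and Access Services log; it writes them to the Security log as events 6272 (access granted), 6273 (access denied) and 6274 (request discarded), and only once the "Network Policy Server" audit subcategory is enabled. The script below enables that subcategory and prints, from the most recent rejects, the fields that explain a PEAP failure (authentication type, EAP type, matched policy, reason code). It assumes it is run in an elevated PowerShell 2.0 or later session on the NPS server; the reason-code hints are the editor's short labels for a few codes NPS commonly reports, and nothing else is taken from the page.

```powershell
# Added example (editor's, not from the original thread).
# Assumes: elevated PowerShell 2.0+ session on the Windows Server 2008 NPS box.
# NPS logs its decisions to the Security log under the "Network Policy Server"
# audit subcategory; no 6272/6273/6274 events appear until it is enabled.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

# Short labels (editor's) for reason codes NPS commonly reports in event 6273.
$reasons = @{
    16 = 'user credentials mismatch (bad user name or password)'
    48 = 'request matched no network policy (check NAS Port Type / group conditions)'
    49 = 'request matched no connection request policy'
    65 = 'Network Access Permission on the AD account is set to Deny'
    66 = 'client offered an authentication method the matched policy does not allow'
}

function Get-NpsRejects {
    param([int]$Count = 10)
    # 6273 = access denied, 6274 = request discarded. No events yet -> returns nothing.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273, 6274 } `
                           -MaxEvents $Count -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Keep only the message lines that explain a PEAP failure.
        $fields = ($e.Message -split "`r?`n") |
            Where-Object { $_ -match '^\s*(Account Name|Client Friendly Name|NAS Port Type|Network Policy Name|Authentication Type|EAP Type|Reason Code|Reason):' } |
            ForEach-Object { $_.Trim() }

        $hint = 'see Reason text'
        if ($e.Message -match 'Reason Code:\s*(\d+)') {
            $code = [int]$Matches[1]
            if ($reasons.ContainsKey($code)) { $hint = $reasons[$code] }
        }

        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Hint    = $hint
            Fields  = $fields
        }
    }
}

# Usage: list the last ten rejects with the fields that matter for PEAP.
Get-NpsRejects -Count 10 | ForEach-Object {
    "{0}  event {1}  hint: {2}" -f $_.Time, $_.EventId, $_.Hint
    $_.Fields | ForEach-Object { "    $_" }
}
```

If nothing at all is logged after enabling auditing, the request is not reaching NPS: check the RADIUS client entry (the Netgear's IP and shared secret) before touching the policies. An event 6273 with a reason code, on the other hand, names the policy stage that rejected the request.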


Looks like i've made a little bit of progress from trying random setting combinations.

Removing the Domain Computers entry from the NPS network policy now allows users/computers to connect, but I'm missing how the certificate checking works in this situation.
I've revoked an issued computer cert from the CA, but that computer can still connect to the wireless.

At the moment the only authentication allowed on the NPS is PEAP (EAP-MSCHAP v2), which, as far as I understand, checks both the client access certificate (PEAP) and domain\username+password (MSCHAPv2).

Or is this certificate checking the other way with the server presenting itself to the client?  And if so, what would I need to change so that the client's machine cert is checked before access is allowed?

Hope that makes sense.

cqaliher (Distinguished Expert 2018):
You are missing a significant piece of the puzzle. When Windows boots, it will use a machine certificate to authenticate to the network for the access the machine needs, such as to be able to even talk to the RADIUS server, apply machine-level group policies, etc. The fact that you get as far as you do means this piece is working.
When a user logs on to a machine, the machine's certificate is *NOT* used. To use WPA2-Enterprise, each *USER* must also have a certificate on the machine that NPS will check and approve. So when you attempt to log on as yourself, you have no certificate to offer NPS and thus the connection is refused.
You have three choices:
1) Deploy a full PKI infrastructure where users as well as computers have certificates, or
2) Configure WPA2-PSK, which does away with certificates for users and computers. Since AD changes computer passwords regularly anyway and they are complex, this is actually quite safe and is my recommended solution. You don't need to revoke a certificate to remove access. Deleting a user account from AD will prevent the user from logging on via any machine, and deleting the computer from AD will delete that account and prevent the machine from logging onto the domain regardless of what user account is used (say if a laptop is stolen, for instance).
3) You can configure computer accounts to use certificates and user accounts to use passwords. This is no easy task, there is a delicate balance to be struck, and I'd strongly discourage this path. Either go all certs or none. Trying to do a split scenario takes someone who is comfortable with PKI already and, based on your posts, I simply don't think this is a headache you want to take on. But it is worth listing as an option as technically it *can* be done.
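To see which certificate is actually involved in the exchange the question above asks about, the exported wireless profile on the client is the thing to read (an added example by the editor, not from the thread or from either poster). In the profile XML, the outer EAP method type 25 is PEAP and 13 is EAP-TLS; the inner type 26 is MS-CHAPv2. With PEAP-MSCHAPv2 the client validates the NPS server's certificate against the trusted root selected in the profile and then proves the user (or, before logon, the computer account) by password inside the TLS tunnel; no client certificate is sent, so revoking a machine certificate cannot affect that path. A client certificate is presented, and its revocation status checked by NPS, only with EAP-TLS (bare or as PEAP-EAP-TLS). The script assumes an elevated PowerShell 2.0 or later session on the Vista client and the SSID "WirelessTest" from the post; the second function is for the NPS server and reads the registry values that govern NPS's EAP-TLS revocation checking, which is where to look if the machine-certificate model is adopted later.

```powershell
# Added example (editor's, not from the original thread).
# Assumes: elevated PowerShell 2.0+ on the Vista client; profile name from the post.
# Outer EAP type 25 = PEAP, 13 = EAP-TLS. Inner type 26 = MS-CHAPv2, 13 = EAP-TLS.
function Get-PeapProfileSummary {
    param([string]$Ssid = 'WirelessTest')
    $dir = Join-Path $env:TEMP 'wlan-export'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    netsh wlan export profile name="$Ssid" folder="$dir" | Out-Null

    $file = Get-ChildItem $dir -Filter '*.xml' |
            Where-Object { $_.Name -like "*$Ssid*" } | Select-Object -First 1
    if (-not $file) { throw "profile '$Ssid' was not exported; list names with: netsh wlan show profiles" }
    [xml]$profile = Get-Content $file.FullName

    $onex    = $profile.WLANProfile.MSM.security.OneX
    $eapHost = $onex.EAPConfig.EapHostConfig
    $outer   = $eapHost.EapMethod.Type            # 25 = PEAP
    $peap    = $eapHost.Config.Eap.EapType        # PEAP settings block
    $inner   = $peap.Eap.Type                     # 26 = MS-CHAPv2 inside the tunnel
    $sv      = $peap.ServerValidation             # what the CLIENT checks: the server cert
    # authMode is optional in the XML; absent means machineOrUser.
    $authMode = if ($onex.authMode) { $onex.authMode } else { 'machineOrUser (default)' }

    "authMode (machine and/or user authenticates): $authMode"
    "outer EAP type: $outer   inner EAP type: $inner"
    "server validation: trusted root thumbprint(s)=$($sv.TrustedRootCA)  server names='$($sv.ServerNames)'"
    "  user prompt for untrusted server certs disabled: $($sv.DisableUserPromptForServerValidation)"

    if ($outer -eq '25' -and $inner -eq '26') {
        'PEAP-MSCHAPv2: only the NPS server certificate is validated (by the client); no client certificate is sent.'
    } elseif ($outer -eq '13' -or $inner -eq '13') {
        'EAP-TLS: the client presents its certificate and NPS checks it, including CRL status.'
    }
}

# Run this one on the NPS server, not the client. These DWORDs under the EAP-TLS
# (type 13) key relax NPS's client-certificate revocation checking; a missing
# value means the default, i.e. revocation is checked. Only meaningful for EAP-TLS.
function Get-NpsEapTlsRevocationSettings {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
    $knobs = 'IgnoreNoRevocationCheck', 'IgnoreRevocationOffline', 'NoRevocationCheck', 'NoRootRevocationCheck'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($k in $knobs) {
        $value = if ($props -and $props.$k -ne $null) { $props.$k } else { 'not set (revocation checked)' }
        "{0,-26} = {1}" -f $k, $value
    }
}

# Usage on the client:
Get-PeapProfileSummary -Ssid 'WirelessTest'
# Usage on the NPS server:
# Get-NpsEapTlsRevocationSettings
```

The practical consequence for the set-up in the thread: with PEAP-MSCHAPv2, access is removed by disabling or deleting the AD account, not by revoking a certificate; revoking the NPS server's own certificate is the only revocation the clients will ever evaluate, and only if Validate Server Certificate stays enabled in the profile.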


Thanks for the suggestions there cqaliher.

I think I'll stick with the way it is working at the moment; it seems tight enough security for our needs, and as you pointed out, anything more is going to be a headache.

It's cleared things up a little, and stopped me going around in circles :)
