
Solved

Problem with 802.1x authentication

Posted on 2011-10-21
14,751 Views
Last Modified: 2014-04-22
I am currently working on getting 802.1X authentication to work in a wired test environment (for later deployment). However I am unable to get it to work.

My prerequisites:
2008 AD DS server with DNS, DHCP and NPS (as a Hyper-V client)
Alcatel OmniSwitch 6850 as authenticating switch (NAS) with SW version Weview 6.4.2
Authentication method: EAP-TLS
Test client: Win 7 32 bit

I am using EAP-TLS and the necessary certificates are in place on both server and client. I have done some testing without success but with various error codes.

I have narrowed it down to be a problem related to the authentication mechanism, not a connectivity issue.

Using the Wizard ("Configure 802.1X") to create Network and Connection Request policies with the following choices:

“Secure Wired (Ethernet) Connections”
Radius clients: 6850 (My Alcatel OmniSwitch 6850)
EAP TYPE: Microsoft: Smart-card or other certificate (Configure..: Certificate Issued to: [MyDomain]-CA)
Groups: No groups.
Traffic control configuration: Nothing.

The CRP and Network Policy created by the wizard have a single Condition: NAS Port Type = Ethernet

The Group policy for Wired Network Policies is configured as http://social.microsoft.com/Forums/getfile/4947/ (both user and computer certificate is available on the client)

With this setup, I get Event Id 6273:

CRP name: -
Network Policy: -
Reason: The RADIUS request did not match any configured CRP

What does that tell me? The NPS doesn't think that the request comes from an Ethernet Port Type? The NPS server is actually a Hyper-V guest on a host that is a server blade in a blade server. That means that the RADIUS request goes through a Switch Blade on the blade server. Maybe it isn't Ethernet on the "inside" of the switch blade? Suggestions?

Now, removing the NAS Port Type condition and replacing it with a date/time condition: "Always" for both CRP and Network Policy, the event 6273 changes: now both CRP and Network policies match and the reason has changed to: An error occurred during the Network Policy Server use of the EAP. Check EAP log files for EAP errors. On the client a message from the taskbar tells me "A certificate is needed for this connection".

In C:\windows\tracing on the win7 client I find the file svchost_RASTLS.LOG (is that the correct EAP log file?) A few lines from the file (this is using User Authentication):
[828] 10-21 11:23:49:032: EapTlsInitialize2
[828] 10-21 11:23:49:032: EAP-TLS using All-purpose cert
[828] 10-21 11:23:49:032:  Self Signed Certificates will not be selected.
[828] 10-21 11:23:49:032: EAP-TLS will accept the  All-purpose cert
[828] 10-21 11:23:49:032: EapTlsInitialize2: PEAP using All-purpose cert
[828] 10-21 11:23:49:032: PEAP will accept the  All-purpose cert
[828] 10-21 11:23:49:032: Creating connection xml from blob for eap type id = 13
[828] 10-21 11:23:49:032: RasEapCreateConnectionPropertiesXML, eap type id = 13
[828] 10-21 11:23:49:032: Creating document
[828] 10-21 11:23:49:032: Adding nodes
[828] 10-21 11:23:49:032: EapTls[Un]Initialize2
[828] 10-21 11:23:49:032: ClearCachedCredList.



Now changing the Wired policy to Computer only Authentication:

The Event 6273 is unchanged (policies matches, EAP error)

The svchost_RASTLS.log now looks like this:

[1952] 10-21 11:34:32:916: EapTlsBegin(host/JONAS-M6300-W7.SL2008.com)
[1952] 10-21 11:34:32:916: SetupMachineChangeNotification
[1952] 10-21 11:34:32:916: State change to Initial
[1952] 10-21 11:34:32:916: EapTlsBegin: Detected 8021X authentication
[1952] 10-21 11:34:32:916: MaxTLSMessageLength is now 16384
[1952] 10-21 11:34:32:916: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1952] 10-21 11:34:32:916: Force IgnoreRevocationOffline on client
[1952] 10-21 11:34:32:916: CRYPT_E_REVOCATION_OFFLINE will be ignored
[1952] 10-21 11:34:32:916: The root cert will not be checked for revocation
[1952] 10-21 11:34:32:916: The cert will be checked for revocation
[1952] 10-21 11:34:32:916: 
[1952] 10-21 11:34:32:916: EapTlsMakeMessage(host/jonas-m6300-w7.sl2008.com)
[1952] 10-21 11:34:32:916: >> Received Request (Code: 1) packet: Id: 1, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1952] 10-21 11:34:32:916: EapTlsCMakeMessage, state(0) flags (0x1460)
[1952] 10-21 11:34:32:916: EapTlsReset
[1952] 10-21 11:34:32:916: State change to Initial
[1952] 10-21 11:34:32:916: EapGetCredentials
[1952] 10-21 11:34:32:916: Flag is Machine Auth and Store is local Machine
[1952] 10-21 11:34:32:916: GetCachedCredentials Flags = 0x1460
[1952] 10-21 11:34:32:916: FindNodeInCachedCredList, flags(0x1460), default cached creds(0), check thread token(0)
[1952] 10-21 11:34:32:916: CertGetNameString for CERT_NAME_SIMPLE_DISPLAY_TYPE failed.
[1952] 10-21 11:34:32:916: Will NOT validate server cert
[1952] 10-21 11:34:32:916: MakeReplyMessage
[1952] 10-21 11:34:32:916: SecurityContextFunction
[1952] 10-21 11:34:32:916: InitializeSecurityContext returned 0x90312
[1952] 10-21 11:34:32:916: State change to SentHello
[1952] 10-21 11:34:32:916: BuildPacket
[1952] 10-21 11:34:32:916: << Sending Response (Code: 2) packet: Id: 1, Length: 134, Type: 13, TLS blob length: 124. Flags: L
[1952] 10-21 11:34:32:932: 
[1952] 10-21 11:34:32:932: EapTlsMakeMessage(host/jonas-m6300-w7.sl2008.com)
[1952] 10-21 11:34:32:932: >> Received Request (Code: 1) packet: Id: 2, Length: 1388, Type: 13, TLS blob length: 1378. Flags: L
[1952] 10-21 11:34:32:932: EapTlsCMakeMessage, state(2) flags (0x1400)
[1952] 10-21 11:34:32:932: MakeReplyMessage
[1952] 10-21 11:34:32:932: Reallocating input TLS blob buffer
[1952] 10-21 11:34:32:932: SecurityContextFunction
[1952] 10-21 11:34:32:979: InitializeSecurityContext returned 0x90312
[1952] 10-21 11:34:32:979: State change to SentFinished
[1952] 10-21 11:34:32:979: BuildPacket
[1952] 10-21 11:34:32:979: << Sending Response (Code: 2) packet: Id: 2, Length: 1492, Type: 13, TLS blob length: 1952. Flags: LM
[1952] 10-21 11:34:32:994: 
[1952] 10-21 11:34:32:994: EapTlsMakeMessage(host/jonas-m6300-w7.sl2008.com)
[1952] 10-21 11:34:32:994: >> Received Request (Code: 1) packet: Id: 3, Length: 6, Type: 13, TLS blob length: 0. Flags: 
[1952] 10-21 11:34:32:994: EapTlsCMakeMessage, state(3) flags (0x1400)
[1952] 10-21 11:34:32:994: BuildPacket
[1952] 10-21 11:34:32:994: << Sending Response (Code: 2) packet: Id: 3, Length: 476, Type: 13, TLS blob length: 0. Flags: 
[1952] 10-21 11:34:33:041:

[1952] 10-21 11:34:33:041: EapTlsMakeMessage(host/jonas-m6300-w7.sl2008.com)
[1952] 10-21 11:34:33:041: >> Received Failure (Code: 4) packet: Id: 3, Length: 4, Type: 0, TLS blob length: 0. Flags: 
[1952] 10-21 11:34:33:041: EapTlsCMakeMessage, state(3) flags (0x1400)
[1952] 10-21 11:34:33:041: Code 4 unexpected in state SentFinished
[1952] 10-21 11:34:33:041: EapTlsEnd
[1952] 10-21 11:34:33:041: EapTlsEnd(host/jonas-m6300-w7.sl2008.com)



Now changing the policy to User or computer authentication:

The event 6273 is unchanged. The taskbar on the client tells me “A certificate is needed for this connection”.

The svchost_RASTLS.LOG logs the following lines before any user has logged on:

[1948] 10-21 11:47:25:962: EapTlsBegin(host/JONAS-M6300-W7.SL2008.com)
[1948] 10-21 11:47:25:962: SetupMachineChangeNotification
[1948] 10-21 11:47:25:962: State change to Initial
[1948] 10-21 11:47:25:962: EapTlsBegin: Detected 8021X authentication
[1948] 10-21 11:47:25:962: MaxTLSMessageLength is now 16384
[1948] 10-21 11:47:25:962: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1948] 10-21 11:47:25:962: Force IgnoreRevocationOffline on client
[1948] 10-21 11:47:25:962: CRYPT_E_REVOCATION_OFFLINE will be ignored
[1948] 10-21 11:47:25:962: The root cert will not be checked for revocation
[1948] 10-21 11:47:25:962: The cert will be checked for revocation
[1948] 10-21 11:47:25:962: 
[1948] 10-21 11:47:25:962: EapTlsMakeMessage(host/jonas-m6300-w7.sl2008.com)
[1948] 10-21 11:47:25:962: >> Received Request (Code: 1) packet: Id: 1, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1948] 10-21 11:47:25:962: EapTlsCMakeMessage, state(0) flags (0x1460)
[1948] 10-21 11:47:25:962: EapTlsReset
[1948] 10-21 11:47:25:962: State change to Initial
[1948] 10-21 11:47:25:962: EapGetCredentials
[1948] 10-21 11:47:25:962: Flag is Machine Auth and Store is local Machine
[1948] 10-21 11:47:25:962: GetCachedCredentials Flags = 0x1460
[1948] 10-21 11:47:25:962: FindNodeInCachedCredList, flags(0x1460), default cached creds(0), check thread token(0)
[1948] 10-21 11:47:25:962: CertGetNameString for CERT_NAME_SIMPLE_DISPLAY_TYPE failed.
[1948] 10-21 11:47:25:962: Will NOT validate server cert
[1948] 10-21 11:47:25:962: MakeReplyMessage
[1948] 10-21 11:47:25:962: SecurityContextFunction
[1948] 10-21 11:47:25:977: InitializeSecurityContext returned 0x90312
[1948] 10-21 11:47:25:977: State change to SentHello
[1948] 10-21 11:47:25:977: BuildPacket
[1948] 10-21 11:47:25:977: << Sending Response (Code: 2) packet: Id: 1, Length: 134, Type: 13, TLS blob length: 124. Flags: L
[1948] 10-21 11:47:25:993: 
[1948] 10-21 11:47:25:993: EapTlsMakeMessage(host/jonas-m6300-w7.sl2008.com)
[1948] 10-21 11:47:25:993: >> Received Request (Code: 1) packet: Id: 2, Length: 1388, Type: 13, TLS blob length: 1378. Flags: L
[1948] 10-21 11:47:25:993: EapTlsCMakeMessage, state(2) flags (0x1400)
[1948] 10-21 11:47:25:993: MakeReplyMessage
[1948] 10-21 11:47:25:993: Reallocating input TLS blob buffer
[1948] 10-21 11:47:25:993: SecurityContextFunction
[1948] 10-21 11:47:26:040: InitializeSecurityContext returned 0x90312
[1948] 10-21 11:47:26:040: State change to SentFinished
[1948] 10-21 11:47:26:040: BuildPacket
[1948] 10-21 11:47:26:040: << Sending Response (Code: 2) packet: Id: 2, Length: 1492, Type: 13, TLS blob length: 1952. Flags: LM
[1948] 10-21 11:47:26:055: 
[1948] 10-21 11:47:26:055: EapTlsMakeMessage(host/jonas-m6300-w7.sl2008.com)
[1948] 10-21 11:47:26:055: >> Received Request (Code: 1) packet: Id: 3, Length: 6, Type: 13, TLS blob length: 0. Flags: 
[1948] 10-21 11:47:26:055: EapTlsCMakeMessage, state(3) flags (0x1400)
[1948] 10-21 11:47:26:055: BuildPacket
[1948] 10-21 11:47:26:055: << Sending Response (Code: 2) packet: Id: 3, Length: 476, Type: 13, TLS blob length: 0. Flags: 
[1948] 10-21 11:47:26:087: 
[1948] 10-21 11:47:26:087: EapTlsMakeMessage(host/jonas-m6300-w7.sl2008.com)
[1948] 10-21 11:47:26:087: >> Received Failure (Code: 4) packet: Id: 3, Length: 4, Type: 0, TLS blob length: 0. Flags: 
[1948] 10-21 11:47:26:087: EapTlsCMakeMessage, state(3) flags (0x1400)
[1948] 10-21 11:47:26:087: Code 4 unexpected in state SentFinished
[1948] 10-21 11:47:26:087: EapTlsEnd
[1948] 10-21 11:47:26:087: EapTlsEnd(host/jonas-m6300-w7.sl2008.com)



After a user has logged on (with cert available on the client):

[848] 10-21 11:53:53:282: EAP-TLS using All-purpose cert
[848] 10-21 11:53:53:282:  Self Signed Certificates will not be selected.
[848] 10-21 11:53:53:282: EAP-TLS will accept the  All-purpose cert
[848] 10-21 11:53:53:282: EapTlsInitialize2: PEAP using All-purpose cert
[848] 10-21 11:53:53:282: PEAP will accept the  All-purpose cert
[848] 10-21 11:53:53:282: EapTlsInvokeIdentityUI
[848] 10-21 11:53:53:282: GetCertInfo flags: 0x40082
[848] 10-21 11:53:53:282: FCheckUsage: All-Purpose: 1
[848] 10-21 11:53:53:282: DwGetEKUUsage
[848] 10-21 11:53:53:282: Number of EKUs on the cert are 3
[848] 10-21 11:53:53:282: FCheckSCardCertAndCanOpenSilentContext
[848] 10-21 11:53:53:282: DwGetEKUUsage
[848] 10-21 11:53:53:282: Number of EKUs on the cert are 3
[848] 10-21 11:53:53:282: FCheckUsage: All-Purpose: 1
[848] 10-21 11:53:53:282: Acquiring Context for Container Name: le-SMART-labUser-56172dc1-b01b-4dff-9552-77e3a55b1457, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
[848] 10-21 11:53:53:282: CryptAcquireContext failed. This CSP cannot be opened in silent mode. 
skipping cert.Err: 0x80090014
[848] 10-21 11:53:53:282: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
[848] 10-21 11:53:53:282: EAP-TLS using All-purpose cert
[848] 10-21 11:53:53:282:  Self Signed Certificates will not be selected.
[848] 10-21 11:53:53:282: EAP-TLS will accept the  All-purpose cert
[848] 10-21 11:53:53:282: EapTlsInitialize2: PEAP using All-purpose cert
[848] 10-21 11:53:53:282: PEAP will accept the  All-purpose cert



To summarize, depending on authentication I get three different types of issues. Where should I start?

The entire svchost_EAPTLS.LOG is available here: http://www.jonashaglund.se/Homepage/Download-File/f/104569/h/c20e4a1c3cdf7fbd529465421c3942b3/svchost_RASTLS

Please, my concerns are marked with bold.

Regards,

Jonas
0
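The two failure signatures in the logs above (an EAP-Failure arriving while the client sits in state SentFinished, and the "No Certs were found" abort during user authentication) can be picked out of a svchost_RASTLS.LOG mechanically, which tells you which side to investigate first. The following Python triage script is an added example and is not part of the original question; the log text embedded in it is constructed from the excerpts above, and the EAP code, type and flag meanings (Request/Response/Success/Failure, type 13 = EAP-TLS, flags L/M/S) follow RFC 3748 and RFC 5216.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the svchost_RASTLS.LOG lines quoted above:
# the machine-authentication run, where the server answers the client's Finished with EAP-Failure.
SAMPLE_MACHINE_AUTH = """\
[1952] 10-21 11:34:32:916: State change to Initial
[1952] 10-21 11:34:32:916: >> Received Request (Code: 1) packet: Id: 1, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1952] 10-21 11:34:32:916: State change to SentHello
[1952] 10-21 11:34:32:916: << Sending Response (Code: 2) packet: Id: 1, Length: 134, Type: 13, TLS blob length: 124. Flags: L
[1952] 10-21 11:34:32:932: >> Received Request (Code: 1) packet: Id: 2, Length: 1388, Type: 13, TLS blob length: 1378. Flags: L
[1952] 10-21 11:34:32:979: State change to SentFinished
[1952] 10-21 11:34:32:979: << Sending Response (Code: 2) packet: Id: 2, Length: 1492, Type: 13, TLS blob length: 1952. Flags: LM
[1952] 10-21 11:34:32:994: >> Received Request (Code: 1) packet: Id: 3, Length: 6, Type: 13, TLS blob length: 0. Flags: 
[1952] 10-21 11:34:32:994: << Sending Response (Code: 2) packet: Id: 3, Length: 476, Type: 13, TLS blob length: 0. Flags: 
[1952] 10-21 11:34:33:041: >> Received Failure (Code: 4) packet: Id: 3, Length: 4, Type: 0, TLS blob length: 0. Flags: 
"""

# Constructed sample of the user-authentication run: no usable client certificate was found.
SAMPLE_USER_AUTH = """\
[848] 10-21 11:53:53:282: CryptAcquireContext failed. This CSP cannot be opened in silent mode.
[848] 10-21 11:53:53:282: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
"""

PACKET_RE = re.compile(
    r"(?P<dir>[<>]{2}) (?:Received|Sending) (?P<name>\w+) \(Code: (?P<code>\d+)\) packet: "
    r"Id: (?P<id>\d+), Length: (?P<len>\d+), Type: (?P<type>\d+), "
    r"TLS blob length: (?P<blob>\d+)\. Flags:\s*(?P<flags>\w*)"
)
STATE_RE = re.compile(r"State change to (?P<state>\w+)")


def parse_rastls(text: str) -> List[Dict[str, object]]:
    """Extract every EAP packet together with the client state machine's state at that moment."""
    packets, state = [], "Initial"
    for line in text.splitlines():
        s = STATE_RE.search(line)
        if s:
            state = s.group("state")
            continue
        m = PACKET_RE.search(line)
        if m:
            length, blob = int(m.group("len")), int(m.group("blob"))
            packets.append({
                "direction": "in" if m.group("dir") == ">>" else "out",
                "code": int(m.group("code")), "name": m.group("name"),
                "id": int(m.group("id")), "length": length, "type": int(m.group("type")),
                "blob": blob, "flags": m.group("flags"), "state": state,
                # EAP-TLS 'M' flag, or a TLS record longer than the packet, means fragmentation:
                # the client's certificate chain is the only thing it sends that is this large.
                "fragmented": "M" in m.group("flags") or blob > length,
            })
    return packets


def diagnose(text: str) -> Tuple[str, str]:
    """Classify where the EAP-TLS run stopped and which side to investigate next."""
    if "No Certs were found in the Certificate Store" in text:
        return ("client_no_usable_cert",
                "Client-side: no certificate was selectable for this purpose (check the store, the EKUs "
                "and that the key's provider can be opened silently); the server was never asked.")
    packets = parse_rastls(text)
    if any(p["code"] == 3 for p in packets):
        return ("success", "EAP-Success received: authentication completed.")
    failures = [p for p in packets if p["code"] == 4]
    if not failures:
        return ("incomplete", "Neither EAP-Success nor EAP-Failure in the log; look for timeouts or lost packets.")
    last = failures[-1]
    sent_cert = any(p["direction"] == "out" and p["fragmented"] for p in packets)
    if last["state"] == "SentFinished" and sent_cert:
        return ("server_rejected_after_client_finished",
                "The client sent its certificate and TLS Finished, and the server answered with EAP-Failure "
                "instead of its own Finished: the rejection is the server's decision (client-cert validation "
                "or NPS policy), so look at NPS event 6273 and the client certificate's Subject, not the client.")
    return ("failure_before_client_finished",
            f"EAP-Failure arrived in state {last['state']}; the handshake never reached the client certificate.")


if __name__ == "__main__":
    for name, sample in (("machine auth", SAMPLE_MACHINE_AUTH), ("user auth", SAMPLE_USER_AUTH)):
        print(name, "->", diagnose(sample))
```

Run it against a full svchost_RASTLS.LOG by passing the file's contents to diagnose(); a log that contains several runs should be split at each EapTlsBegin line first so that each run is classified on its own.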
Question by:jonha134
11 Comments
 
LVL 4

Expert Comment

by:iwaxx
ID: 37010898
Hello Jonas,

Gonna be hard to troubleshoot remotely, but I would start with your client certificate.
You seem to change between User/Computer authentication, but your certificate is not stored in the same place depending on your choice.

* How was your certificate generated? Are you sure about it?
You must have:
* a certificate for your client (in the right place, see below),
* the CA certificate installed on the client,
* a certificate on your RADIUS server, all created by the same Certificate Authority,
* the CA certificate installed on the server.

That makes 3 different certificates to be sure are in the right place.

* Where is your client certificate installed?
Normally, depending on your choice of User/Computer, you go in:
* Start -> Run -> mmc.exe
* File -> Add/Remove snap-in -> Add -> Certificates -> Choose your account: There are three different stores, but in your case two interesting: User & Computer account
* Open them both by redoing the whole operation.

Depending on your tests in User or Computer stores, your certificate must be in the "Personal" folder of the corresponding store.
Plus, the CA certificate must be in "Trusted Root CA" or "Intermediate".

You can check that the CA certificate is properly installed by double-clicking your certificate in the "Personal" folder and checking the whole chain.

Don't know if it helps you, but it's good to know that there are two different locations for installing certificates, and it's a check to be sure of your certificate installation before going further.

As for the choice between user/computer, it must be made!
* If it's only a pure certificate authentication, EAP-TLS, it must be a computer authentication. That will allow your computer to be authenticated on the network before the user logon at boot startup.
* At the end of your logs, you seem to have made tests with PEAP, which is user password and corresponds to a user authentication, I don't know what your goal is...

You may have both user/computer authentication, but is it worth the price?

Good luck
0
 

Author Comment

by:jonha134
ID: 37017005
Hello iwaxx and thank you for your advice.

I believe that my certificates are in place as expected. I have made some screenshots (attached) from the Certificate MMC, could you please have a look and see if it looks alright? Please comment if you need more information to confirm that the certificates are in place correctly.

I would also appreciate if you could verify that the PKI settings for the GPO are correct: http://social.microsoft.com/Forums/getfile/4947/

Attachments: CA-cert-on-CA, CA-cert-on-client, Computer-certificate-on-client, Issued-Certificates-on-CA, User-Certificate-on-client
0
 
LVL 4

Expert Comment

by:iwaxx
ID: 37017113
Hi Jonas,

Certificates installation seems to be ok.

* Are you pushing the client configuration of 802.1X by GPO systematically?
I would suggest bypassing the GPO, and configuring the authentication of your wired interface directly on your Windows 7 device.
Depending on your AD (2003, 2008), you may avoid some problems. You have other problems to check first.
In Windows 7, I've checked, the configuration is nearly the same.

* Maybe silly advice, but on your client, the service "Wired AutoConfig" must be started to use 802.1X authentication. If not, you would not even be able to see the "Authentication" tab of your interface.

* On the client (not the GPO) I would uncheck "Connect to these servers: Jonas2008ADserver.SL2008.com" (and maybe even "Validate server certificate" at first).
You have other problems to look at first, you don't want to add more problems with obscure validation...

* I would definitely uncheck "Enable single sign-on": for me, it relates to password authentication, and it has nothing to do with certificate authentication, it may definitely interfere.

* I think on Windows 7 you don't have the "enforce advanced 802.1X settings", I don't know if it's checked by default -> leave it at the default.

* After choosing the computer or user method, I would take network captures to see the EAP exchange: first the server certificate must be sent, then you must send your client certificate (you'll be able to check which one is sent), and then the logs may help.

* Check your OmniSwitch configuration with the network capture: traffic from client to switch, and from switch to server, must be consistent.

Again, hard to troubleshoot remotely, won't be able to help you more, maybe by reading your network capture...
But I'm open to a small trip to Sweden!

Good luck.
0

Author Comment

by:jonha134
ID: 37017399
Thanks again for helpful advice!

I have now tried manual config without GPO, with the following results:

Win 7 - Computer authentication (and all other settings as you suggested)
Event 6273: an error occurred during the network policy server use of the extensible authentication protocol eap
EAP log file:
[2576] 08-24 16:55:39:980: >> Received Failure (Code: 4) packet: Id: 3, Length: 4, Type: 0, TLS blob length: 0. Flags:
[2576] 08-24 16:55:39:980: EapTlsCMakeMessage, state(3) flags (0x1400)
[2576] 08-24 16:55:39:980: Code 4 unexpected in state SentFinished
[2576] 08-24 16:55:39:980: EapTlsEnd

Win 7 - (any other auth mode)
Event 6273: an error occurred during the network policy server use of the extensible authentication protocol eap
EAP log file:
[848] 10-21 11:53:53:282: Acquiring Context for Container Name: le-SMART-labUser-56172dc1-b01b-4dff-9552-77e3a55b1457, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
[848] 10-21 11:53:53:282: CryptAcquireContext failed. This CSP cannot be opened in silent mode.
skipping cert.Err: 0x80090014
[848] 10-21 11:53:53:282: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.

Win XP sp3 (not possible to choose auth mode)
Event 6273: The client could not be authenticated because the Extensible
Authentication Protocol (EAP) Type cannot be processed by the server.
EAP log file:
[3716] 13:46:56:874: FCheckTimeValidity
[3716] 13:46:56:874: Cert do have CDP but do not have AIA OCSP extension
[3716] 13:46:56:874: Add Selected Cert to List

In the mean time I will try to grab some network traffic.
0
 

Author Comment

by:jonha134
ID: 37017705
Have now captured some traffic (simultaneously from client and server). However I can't really see any useful information.

Changed the file extension from pcap to txt to be able to upload. Client-WireshareCapture.txt Server-WiresharkCapture.txt
0
 
LVL 4

Expert Comment

by:iwaxx
ID: 37018904
Hmmmm, Win7 - Computer Authentication seems to work the best.

* Good thing: The whole chain client-switch-radius seems to be ok, there's a good translation of EAPOL packet to RADIUS packets.

* One strange thing I noticed in the packets, that is confirmed in the logs: the client certificate sent doesn't seem to have a subject name...
Although in your print screen "Computer-certificate-on-client" it "seems" to be ok, in packet #15 of the client trace, the field Certificate -> signedCertificate -> subject is empty...

We see that the server certificate is correct in packet #10:
Certificate -> signedCertificate -> subject : id-at-commonName=SL2008-CA

-> In packet #15, we only see a reference to "JONAS-M6300-W7" in the extension as a SubjectAlternativeName.
-> And in packet #6 as an EAP identity.

* There's not much explanation about the failure, if it's due to the lack of SubjectName.
Do you have other logs than the EAP file? Like a RADIUS file or one specific to the TLS method.

While reading the capture file, the lack of SubjectName surprised me, but I'm not sure if it's mandatory or not.
And when rereading your logs, there's a reference to that:
"CertGetNameString for CERT_NAME_SIMPLE_DISPLAY_TYPE failed."

According to this page, it's related to how to get information from a certificate:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa376086(v=vs.85).aspx

And in this page, it's clearly written that there will be a problem with blank SubjectName and NPS:
http://technet.microsoft.com/en-us/library/cc731363.aspx 

-------------------------------------

* Check your certificate, it's strange because I think you created it automatically from your PKI, so I think the CommonName (or SubjectName or SubjectCommonName, I don't know how it's named) is correct.
Maybe there's a mix-up between SubjectAlternativeName and SubjectName...
So recheck it.

* Maybe create one certificate manually with OpenSSL just to see the difference, and just to check the network capture. The authentication will fail because it won't match the server certificate.

* But it may not be the problem at all! So we need to be sure about the RADIUS failure (Code 4) -> a log file must explain that...

If you don't find any logs (thanks Microsoft), I would suggest turning on FreeRADIUS, which will definitely be more verbose.
I don't know what your priority is and the time you've got for this.

* For the two other modes (W7 other, WinXP), no idea, I would google the errors. But as long as you don't have any network traffic, the configuration is not ok...
0
 

Author Comment

by:jonha134
ID: 37030150
Thank you again iwaxx!

Managed to get the subject name (used the default Computer cert template instead of my custom one). Now the cert error from the RASTLS log file on the client has disappeared. However I am not seeing any changes in the network traffic or the NPS event. The NPS log file didn't contain any useful information.

However, in the Wireshark capture from the server, it tells me it has sent three "access-challenge" messages. Does that indicate that the switch or client has failed to respond to those challenges? I also notice that those three particular packets have an incorrect IPv4 checksum. Can this be related to the issue? Maybe the switch drops the packet due to the incorrect checksum?

As I mentioned earlier, that server is a Hyper-V guest and the Hyper-V host is installed on a server blade in our blade server, which also means that there is a switch blade in between. Could that setup affect the RADIUS traffic?
0
 
LVL 4

Expert Comment

by:iwaxx
ID: 37046191
When you analyze the packets on the client, are these RADIUS access-challenges transformed into EAP packets by the switch?
That will give you information about eventual packet loss, and whether the failure comes from bad or missing information from the client, or from the server.
0
 

Accepted Solution

by:
jonha134 earned 0 total points
ID: 37062166
Finally it works!

In the Network Policy in NPS, under "Smart Card or other certificate Properties" there is a dropdown. Earlier (99.5 % sure of this) there was only one choice available ("SL2008-CA"), i.e. the name of the CA. Now, for some reason, there are two choices: besides SL2008-CA there was a different option: "[servername].SL2008.com". With that setting, it works.

Can something have changed that made the second option available? What does the setting mean?

Regards and thanks for all the help!

Jonas
0
 

Author Closing Comment

by:jonha134
ID: 37089701
Quite "simple" and straightforward solution.
0
 
LVL 4

Expert Comment

by:iwaxx
ID: 37062217
What about using your custom template instead of the default one?
I mean sending a certificate without the CommonName?
0
