Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

[RADIUS] Win7 asks multiple times for certificate

Posted on 2012-03-26
9
Medium Priority
?
578 Views
Last Modified: 2012-06-27
Fellow Experts, I need help.

I've deployed the NPS and CA for a company.
I've chosen PEAP as the authentication with "Smart Card or Certificate" authentication type.

My laptop is not a member of the domain
The certificate for a user has been exported from the CA and then imported onto my notebook (along with the private key).
Went into Certificates Manager and set it only to "user authentication" type.
In the advanced settings of the wireless connection I've picked the 802.1X User Authentication.

As for the NPS - it's configured to accept PEAP authentication with certificates.

Now for the error...
As of now I've tried it only on Windows 7 computer. For some unknown reason it doesn't want to connect immediately. The window to choose a certificate shows up (with correct cert), I click OK and then it shows up again. The number of confirmations differ: sometimes I have to click only once, sometimes this window appears for five-six times in a row.

Don't know what could have happened. The problem is the only events in the event viewer are the ones after succesful health check and authentication.
0
Comment
Question by:marek1712
  • 6
  • 3
9 Comments
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 37765517
does this error show for all users, or only yours?

Make sure certificates has the correct purpose:

One such requirement is that the certificate is configured with one or more purposes in EKU extensions that correlate to the certificate use. For example, a certificate used for the authentication of a client to a server must be configured with the Client Authentication purpose. Similarly, a certificate used for the authentication of a server must be configured with the Server Authentication purpose. When certificates are used for authentication, the authenticator examines the client certificate, seeking the correct purpose object identifier in EKU extensions. For example, the object identifier for the Client Authentication purpose is 1.3.6.1.5.5.7.3.2. When a certificate is used for client computer authentication, this object identifier must be present in the EKU extensions of the certificate or authentication will fail.

http://technet.microsoft.com/en-us/library/cc772401%28WS.10%29.aspx
0
 
LVL 11

Author Comment

by:marek1712
ID: 37765702
I've checked the certification authority and this particular certificate has this extension (as well as safe e-mail and file encryption).
It's been imported into my laptop and I've checked only the Client Authentication property. And that's how it is now.
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 37767538
can you log in to NPS - win2008 (or IAS win 2003) server and look at Event Viewer Security logs and look for any failure audits for Network Policy server -- and post it here?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
LVL 11

Author Comment

by:marek1712
ID: 37775393
Hmm, there are no failures. Only these two types of events: 6272 and 6278, which means everything is fine. But I still have to select the user certificate multiple times...
Little EDIT: it may be problem with a network adapter in my computer (Atheros AR9002) as my friend with his Intel 3945 and Windows XP doesn't have this problem.
I'm ordering new laptop for an employee and will see it then.  I'll post an update.
0
 
LVL 11

Author Comment

by:marek1712
ID: 37786721
My friend brought his computer with Windows 7 and the issue showed up on it too. Very strange. Intel 3945ABG network card.
As I've mentioned before - this doesn't affect Windows XP.
0
 
LVL 11

Author Comment

by:marek1712
ID: 37898609
I'm back after almost a month. It seems current AP is malfunctioning (TP-Link TL-WA5110G). Symptoms?:
- crashes from time to time (with WPA2/AES set). Not reachable with stable ping reply of 26ms
- low transfers with WPA2 - no more than 500kB/s
- multiple authentication requests with certificates for W7.
I have to thoroughly test the last part but I'm pretty sure the device is the culprit. My friend brought his TP-Link wireless router which serves as AP and after 5 tries - I've managed to connect instantly...
Will post an update after more research.
0
 
LVL 11

Accepted Solution

by:
marek1712 earned 0 total points
ID: 37928029
Problem solved - the AP is faulty. I've sent it to RMA - will see if it's model flaw or just single case.
Meanwhile TL-WR3420 router works as an AP without any problems...
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 37928052
fingers crossed :-)
0
 
LVL 11

Author Closing Comment

by:marek1712
ID: 37940814
Resolved issue myself.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
An article on effective troubleshooting
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question