Solved

[RADIUS] Win7 asks multiple times for certificate

Posted on 2012-03-26
9
570 Views
Last Modified: 2012-06-27
Fellow Experts, I need help.

I've deployed the NPS and CA for a company.
I've chosen PEAP as the authentication with "Smart Card or Certificate" authentication type.

My laptop is not a member of the domain
The certificate for a user has been exported from the CA and then imported onto my notebook (along with the private key).
Went into Certificates Manager and set it only to "user authentication" type.
In the advanced settings of the wireless connection I've picked the 802.1X User Authentication.

As for the NPS - it's configured to accept PEAP authentication with certificates.

Now for the error...
As of now I've tried it only on Windows 7 computer. For some unknown reason it doesn't want to connect immediately. The window to choose a certificate shows up (with correct cert), I click OK and then it shows up again. The number of confirmations differ: sometimes I have to click only once, sometimes this window appears for five-six times in a row.

Don't know what could have happened. The problem is the only events in the event viewer are the ones after succesful health check and authentication.
0
Comment
Question by:marek1712
  • 6
  • 3
9 Comments
 
LVL 21

Expert Comment

by:Jakob Digranes
ID: 37765517
does this error show for all users, or only yours?

Make sure certificates has the correct purpose:

One such requirement is that the certificate is configured with one or more purposes in EKU extensions that correlate to the certificate use. For example, a certificate used for the authentication of a client to a server must be configured with the Client Authentication purpose. Similarly, a certificate used for the authentication of a server must be configured with the Server Authentication purpose. When certificates are used for authentication, the authenticator examines the client certificate, seeking the correct purpose object identifier in EKU extensions. For example, the object identifier for the Client Authentication purpose is 1.3.6.1.5.5.7.3.2. When a certificate is used for client computer authentication, this object identifier must be present in the EKU extensions of the certificate or authentication will fail.

http://technet.microsoft.com/en-us/library/cc772401%28WS.10%29.aspx
0
 
LVL 11

Author Comment

by:marek1712
ID: 37765702
I've checked the certification authority and this particular certificate has this extension (as well as safe e-mail and file encryption).
It's been imported into my laptop and I've checked only the Client Authentication property. And that's how it is now.
0
 
LVL 21

Expert Comment

by:Jakob Digranes
ID: 37767538
can you log in to NPS - win2008 (or IAS win 2003) server and look at Event Viewer Security logs and look for any failure audits for Network Policy server -- and post it here?
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 11

Author Comment

by:marek1712
ID: 37775393
Hmm, there are no failures. Only these two types of events: 6272 and 6278, which means everything is fine. But I still have to select the user certificate multiple times...
Little EDIT: it may be problem with a network adapter in my computer (Atheros AR9002) as my friend with his Intel 3945 and Windows XP doesn't have this problem.
I'm ordering new laptop for an employee and will see it then.  I'll post an update.
0
 
LVL 11

Author Comment

by:marek1712
ID: 37786721
My friend brought his computer with Windows 7 and the issue showed up on it too. Very strange. Intel 3945ABG network card.
As I've mentioned before - this doesn't affect Windows XP.
0
 
LVL 11

Author Comment

by:marek1712
ID: 37898609
I'm back after almost a month. It seems current AP is malfunctioning (TP-Link TL-WA5110G). Symptoms?:
- crashes from time to time (with WPA2/AES set). Not reachable with stable ping reply of 26ms
- low transfers with WPA2 - no more than 500kB/s
- multiple authentication requests with certificates for W7.
I have to thoroughly test the last part but I'm pretty sure the device is the culprit. My friend brought his TP-Link wireless router which serves as AP and after 5 tries - I've managed to connect instantly...
Will post an update after more research.
0
 
LVL 11

Accepted Solution

by:
marek1712 earned 0 total points
ID: 37928029
Problem solved - the AP is faulty. I've sent it to RMA - will see if it's model flaw or just single case.
Meanwhile TL-WR3420 router works as an AP without any problems...
0
 
LVL 21

Expert Comment

by:Jakob Digranes
ID: 37928052
fingers crossed :-)
0
 
LVL 11

Author Closing Comment

by:marek1712
ID: 37940814
Resolved issue myself.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Trying to figure out group policy inheritance and which settings apply where can be a chore.  Here's a very simple summary I've written which might help.  Keep in mind, this is just a high-level conceptual overview where I try to avoid getting bogge…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question