Solved

[RADIUS] Win7 asks multiple times for certificate

Posted on 2012-03-26
Last Modified: 2012-06-27
Fellow Experts, I need help.

I've deployed the NPS and CA for a company.
I've chosen PEAP as the authentication with "Smart Card or Certificate" authentication type.

My laptop is not a member of the domain
The certificate for a user has been exported from the CA and then imported onto my notebook (along with the private key).
Went into Certificates Manager and set it only to "user authentication" type.
In the advanced settings of the wireless connection I've picked the 802.1X User Authentication.

As for the NPS - it's configured to accept PEAP authentication with certificates.

Now for the error...
As of now I've tried it only on a Windows 7 computer. For some unknown reason it doesn't want to connect immediately. The window to choose a certificate shows up (with the correct cert), I click OK and then it shows up again. The number of confirmations differs: sometimes I have to click only once, sometimes this window appears five or six times in a row.

Don't know what could have happened. The problem is the only events in the event viewer are the ones after successful health check and authentication.
Question by:marek1712
9 Comments
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 37765517
Does this error show for all users, or only yours?

Make sure the certificate has the correct purpose:

One such requirement is that the certificate is configured with one or more purposes in EKU extensions that correlate to the certificate use. For example, a certificate used for the authentication of a client to a server must be configured with the Client Authentication purpose. Similarly, a certificate used for the authentication of a server must be configured with the Server Authentication purpose. When certificates are used for authentication, the authenticator examines the client certificate, seeking the correct purpose object identifier in EKU extensions. For example, the object identifier for the Client Authentication purpose is 1.3.6.1.5.5.7.3.2. When a certificate is used for client computer authentication, this object identifier must be present in the EKU extensions of the certificate or authentication will fail.

http://technet.microsoft.com/en-us/library/cc772401%28WS.10%29.aspx
0
 
LVL 11

Author Comment

by:marek1712
ID: 37765702
I've checked the certification authority and this particular certificate has this extension (as well as safe e-mail and file encryption).
It's been imported into my laptop and I've checked only the Client Authentication property. And that's how it is now.
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 37767538
Can you log in to the NPS - Win2008 (or IAS Win 2003) - server, look at the Event Viewer Security logs for any failure audits for Network Policy Server, and post them here?
0
 
LVL 11

Author Comment

by:marek1712
ID: 37775393
Hmm, there are no failures. Only these two types of events: 6272 and 6278, which means everything is fine. But I still have to select the user certificate multiple times...
Little EDIT: it may be a problem with the network adapter in my computer (Atheros AR9002), as my friend with his Intel 3945 and Windows XP doesn't have this problem.
I'm ordering a new laptop for an employee and will see then. I'll post an update.
0
 
LVL 11

Author Comment

by:marek1712
ID: 37786721
My friend brought his computer with Windows 7 and the issue showed up on it too. Very strange. Intel 3945ABG network card.
As I've mentioned before - this doesn't affect Windows XP.
0
 
LVL 11

Author Comment

by:marek1712
ID: 37898609
I'm back after almost a month. It seems the current AP is malfunctioning (TP-Link TL-WA5110G). Symptoms?:
- crashes from time to time (with WPA2/AES set). Not reachable with stable ping reply of 26ms
- low transfers with WPA2 - no more than 500kB/s
- multiple authentication requests with certificates for W7.
I have to thoroughly test the last part but I'm pretty sure the device is the culprit. My friend brought his TP-Link wireless router which serves as AP and after 5 tries - I've managed to connect instantly...
Will post an update after more research.
0
 
LVL 11

Accepted Solution

by:
marek1712 earned 0 total points
ID: 37928029
Problem solved - the AP is faulty. I've sent it to RMA - will see if it's a model flaw or just a single case.
Meanwhile TL-WR3420 router works as an AP without any problems...
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 37928052
fingers crossed :-)
0
 
LVL 11

Author Closing Comment

by:marek1712
ID: 37940814
Resolved issue myself.
0
