Solved

[RADIUS] Win7 asks multiple times for certificate

Posted on 2012-03-26
9
571 Views
Last Modified: 2012-06-27
Fellow Experts, I need help.

I've deployed the NPS and CA for a company.
I've chosen PEAP as the authentication with "Smart Card or Certificate" authentication type.

My laptop is not a member of the domain.
The certificate for a user has been exported from the CA and then imported onto my notebook (along with the private key).
Went into Certificates Manager and set it only to "user authentication" type.
In the advanced settings of the wireless connection I've picked the 802.1X User Authentication.

As for the NPS - it's configured to accept PEAP authentication with certificates.

Now for the error...
As of now I've tried it only on a Windows 7 computer. For some unknown reason it doesn't want to connect immediately. The window to choose a certificate shows up (with the correct cert), I click OK and then it shows up again. The number of confirmations differs: sometimes I have to click only once, sometimes this window appears five or six times in a row.

Don't know what could have happened. The problem is the only events in the event viewer are the ones after a successful health check and authentication.
Question by:marek1712
9 Comments
 
LVL 21

Expert Comment

by:Jakob Digranes
ID: 37765517
does this error show for all users, or only yours?

Make sure certificates have the correct purpose:

One such requirement is that the certificate is configured with one or more purposes in EKU extensions that correlate to the certificate use. For example, a certificate used for the authentication of a client to a server must be configured with the Client Authentication purpose. Similarly, a certificate used for the authentication of a server must be configured with the Server Authentication purpose. When certificates are used for authentication, the authenticator examines the client certificate, seeking the correct purpose object identifier in EKU extensions. For example, the object identifier for the Client Authentication purpose is 1.3.6.1.5.5.7.3.2. When a certificate is used for client computer authentication, this object identifier must be present in the EKU extensions of the certificate or authentication will fail.

http://technet.microsoft.com/en-us/library/cc772401%28WS.10%29.aspx
0
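The EKU check described in the comment above, as an added example (not code from this thread or from Microsoft): a pure-stdlib Python DER walker that pulls the Extended Key Usage OIDs out of a DER-encoded certificate and reports whether the Client Authentication purpose (1.3.6.1.5.5.7.3.2) that NPS looks for is present. The certificate it builds for itself is a constructed, unsigned skeleton that is only structurally realistic; on a real system you would export the user certificate as DER (.cer) and pass the file path on the command line.

```python
"""Extract EKU purposes from a DER X.509 certificate and check for Client Authentication.
Added example, stdlib only; the sample certificate below is constructed, not a real one."""
import sys

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, what NPS/PEAP expects on a user cert
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, what the NPS server cert needs
EKU_EXT_OID = "2.5.29.37"           # id-ce-extKeyUsage


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element starting at pos."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Iterate (tag, value) of the elements nested inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted notation."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                                # last byte of this arc
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)


def eku_oids(cert_der):
    """Return the EKU purpose OIDs of a DER certificate, or [] if it has no EKU extension."""
    _, cert, _ = _read_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                      # tbsCertificate is its first element
    for tag, inner in _children(tbs):
        if tag != 0xA3:                                 # [3] EXPLICIT Extensions (v3 only)
            continue
        _, ext_seq, _ = _read_tlv(inner, 0)             # SEQUENCE OF Extension
        for _, ext in _children(ext_seq):
            fields = list(_children(ext))               # extnID, [critical], extnValue
            if decode_oid(fields[0][1]) != EKU_EXT_OID:
                continue
            _, purposes, _ = _read_tlv(fields[-1][1], 0)  # OCTET STRING wraps SEQUENCE OF OID
            return [decode_oid(v) for _, v in _children(purposes)]
    return []


def check_eap_client_cert(cert_der):
    """Return (ok, reason) for a certificate intended for 802.1X user/computer authentication."""
    oids = eku_oids(cert_der)
    if not oids:
        return False, "no EKU extension present; NPS will not accept it for PEAP/EAP-TLS"
    if CLIENT_AUTH not in oids:
        return False, "EKU lacks Client Authentication (%s); found %s" % (CLIENT_AUTH, oids)
    return True, "EKU includes Client Authentication; purposes: %s" % oids


# --- constructed sample: a minimal DER encoder used only to build a test certificate ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, out)


def sample_cert(purposes):
    """Constructed, unsigned v3 certificate skeleton carrying the given EKU purposes (test input only)."""
    seq = lambda *parts: _tlv(0x30, b"".join(parts))
    sha256_rsa = seq(encode_oid("1.2.840.113549.1.1.11"))
    extension = seq(encode_oid(EKU_EXT_OID), _tlv(0x04, seq(*[encode_oid(p) for p in purposes])))
    tbs = seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),                # [0] version = v3
        _tlv(0x02, b"\x01"),                            # serialNumber (constructed value)
        sha256_rsa, seq(),                              # signature alg, empty issuer
        seq(_tlv(0x17, b"120326000000Z"), _tlv(0x17, b"130326000000Z")),  # validity
        seq(),                                          # empty subject
        seq(seq(encode_oid("1.2.840.113549.1.1.1")), _tlv(0x03, b"\x00")),  # SPKI placeholder
        _tlv(0xA3, seq(extension)),                     # [3] extensions
    )
    return seq(tbs, sha256_rsa, _tlv(0x03, b"\x00"))    # placeholder signature BIT STRING


if __name__ == "__main__":
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_cert([CLIENT_AUTH])
    ok, reason = check_eap_client_cert(der)
    print("OK" if ok else "PROBLEM", "-", reason)
```

Running it with no argument checks the constructed sample; with a path to a DER .cer file it checks that certificate. A certificate whose EKU carries only Server Authentication (or only Secure Email / EFS) is reported as a problem, which is the first thing to rule out before looking at the NPS side.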
 
LVL 11

Author Comment

by:marek1712
ID: 37765702
I've checked the certification authority and this particular certificate has this extension (as well as safe e-mail and file encryption).
It's been imported into my laptop and I've checked only the Client Authentication property. And that's how it is now.
0
 
LVL 21

Expert Comment

by:Jakob Digranes
ID: 37767538
can you log in to NPS - win2008 (or IAS win 2003) server and look at Event Viewer Security logs and look for any failure audits for Network Policy server -- and post it here?
0

 
LVL 11

Author Comment

by:marek1712
ID: 37775393
Hmm, there are no failures. Only these two types of events: 6272 and 6278, which means everything is fine. But I still have to select the user certificate multiple times...
Little EDIT: it may be problem with a network adapter in my computer (Atheros AR9002) as my friend with his Intel 3945 and Windows XP doesn't have this problem.
I'm ordering new laptop for an employee and will see it then.  I'll post an update.
0
 
LVL 11

Author Comment

by:marek1712
ID: 37786721
My friend brought his computer with Windows 7 and the issue showed up on it too. Very strange. Intel 3945ABG network card.
As I've mentioned before - this doesn't affect Windows XP.
0
 
LVL 11

Author Comment

by:marek1712
ID: 37898609
I'm back after almost a month. It seems the current AP is malfunctioning (TP-Link TL-WA5110G). Symptoms:
- crashes from time to time (with WPA2/AES set). Not reachable with stable ping reply of 26ms
- low transfers with WPA2 - no more than 500kB/s
- multiple authentication requests with certificates for W7.
I have to thoroughly test the last part but I'm pretty sure the device is the culprit. My friend brought his TP-Link wireless router which serves as AP and after 5 tries - I've managed to connect instantly...
Will post an update after more research.
0
 
LVL 11

Accepted Solution

by:
marek1712 earned 0 total points
ID: 37928029
Problem solved - the AP is faulty. I've sent it to RMA - will see if it's model flaw or just single case.
Meanwhile TL-WR3420 router works as an AP without any problems...
0
 
LVL 21

Expert Comment

by:Jakob Digranes
ID: 37928052
fingers crossed :-)
0
 
LVL 11

Author Closing Comment

by:marek1712
ID: 37940814
Resolved issue myself.
0
