  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1925

Cisco OfficeExtend schannel error Windows 7

I have an OfficeExtend AP sitting here at my house. I can connect to my company's WPA-enterprise network (using RADIUS) on my Android, no problems. I can connect to my company's unsecured  on my Windows 7 PC no problem. However, when I try to connect to the WPA-enterprise SSID on my Win7 PC, I get two Schannel errors:

Log Name:      System
Source:        Schannel
Date:          8/15/2012 9:36:48 PM
Event ID:      36888
Task Category: None
Level:         Error
Keywords:      
User:          WIN7-PC\dude
Computer:      WIN7-PC
Description:
The following fatal alert was generated: 48. The internal error state is 552.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36888</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2012-08-16T03:36:48.061245800Z" />
    <EventRecordID>77477</EventRecordID>
    <Correlation />
    <Execution ProcessID="620" ThreadID="5984" />
    <Channel>System</Channel>
    <Computer>WIN7-PC</Computer>
    <Security UserID="S-1-5-21-1148625709-2572256514-36235233-1001" />
  </System>
  <EventData>
    <Data Name="AlertDesc">48</Data>
    <Data Name="ErrorState">552</Data>
  </EventData>
</Event>

AND

Log Name:      System
Source:        Schannel
Date:          8/15/2012 9:36:48 PM
Event ID:      36882
Task Category: None
Level:         Error
Keywords:      
User:          WIN7-PC\dude
Computer:      WIN7-PC
Description:
The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36882</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2012-08-16T03:36:48.061245800Z" />
    <EventRecordID>77478</EventRecordID>
    <Correlation />
    <Execution ProcessID="620" ThreadID="5984" />
    <Channel>System</Channel>
    <Computer>WIN7-PC</Computer>
    <Security UserID="S-1-5-21-1148625709-2572256514-36235233-1001" />
  </System>
  <EventData>
    <Binary>[server certificate data not preserved]</Binary>
  </EventData>
</Event>

HELP!!!

thanks,
0
Asked by: AHEC
1 Solution
 
Craig Beck Commented:
The certificate on the RADIUS server is probably assigned by an internal CA, or is self-signed. That means your Windows 7 PC at home doesn't trust the issuing CA by default.

You need to install the root certificate on your Win7 PC in the Trusted Root Certification Authorities store and try again.

This will probably also mean that your Win7 PC will need a computer certificate to be issued to it from that CA.
0
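
As an added example (not part of the thread or any poster's code): a Python sketch that parses exported Schannel Event XML like the two records in the question, names the TLS alert carried in event 36888 (48 is `unknown_ca` in RFC 5246), and checks whether a 36882 untrusted-CA event from the same process, thread and timestamp accompanies it. The `<Events>` wrapper element, the function names and the trimmed sample are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# TLS alert descriptions from RFC 5246 section 7.2 (handshake/certificate subset).
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 51: "decrypt_error",
}
# Constructed sample: the two events from the question, trimmed to the fields used
# here and wrapped in an assumed <Events> root so they parse as one document.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>36888</EventID>
    <TimeCreated SystemTime="2012-08-16T03:36:48.061245800Z" />
    <Execution ProcessID="620" ThreadID="5984" /></System>
  <EventData><Data Name="AlertDesc">48</Data><Data Name="ErrorState">552</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>36882</EventID>
    <TimeCreated SystemTime="2012-08-16T03:36:48.061245800Z" />
    <Execution ProcessID="620" ThreadID="5984" /></System>
  <EventData />
</Event>
</Events>"""

def parse_events(xml_text):
    """Return one dict per <Event>: id, time, (pid, tid) and named EventData fields."""
    out = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        ex = ev.find("e:System/e:Execution", NS)
        out.append({
            "id": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "ctx": (ex.get("ProcessID"), ex.get("ThreadID")),
            "data": {d.get("Name"): d.text for d in ev.iterfind("e:EventData/e:Data", NS)},
        })
    return out

def triage(events):
    """Name each 36888 alert; flag a 36882 (untrusted CA) on the same thread and time."""
    untrusted = {(e["ctx"], e["time"]) for e in events if e["id"] == 36882}
    findings = []
    for e in events:
        if e["id"] == 36888:
            code = int(e["data"]["AlertDesc"])
            findings.append({"alert": TLS_ALERTS.get(code, f"alert_{code}"),
                             "untrusted_ca_event": (e["ctx"], e["time"]) in untrusted})
    return findings

print(triage(parse_events(SAMPLE)))
```
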
 
AHEC (Author) Commented:
hmmm...

Does it make sense that it would happen only to a computer that is using the OfficeExtend AP? When I am in the office, other Win7 computers join the same SSID using the same RADIUS server just fine.

I have no idea where the certificate is on the RADIUS server or how to install / transfer or whatever....can you give some instructions for that?
0
 
Craig Beck Commented:
The Win7 PC you use at home - do you use that same PC in the office?
0
 
AHEC (Author) Commented:
No, I have not tried that laptop in the office... it's too big to carry around :).

I will take a small win7 laptop from work to home and test tonight though.
0
 
Craig Beck Commented:
That's a good plan! :-)

You'll need someone from IT to put a certificate on your PC/Laptop at home if you want to connect it to the corporate SSID.

Usually though a separate WLAN is created for use with non-company PCs/Laptops as issuing a certificate to such devices may breach the IT security policy.
0
 
AHEC (Author) Commented:
You are saying the cert that I need to export and install on the laptop comes from the RADIUS server?
0
 
Craig Beck Commented:
No, there will be a Certificate Authority on the corporate network which probably issued a certificate to the RADIUS server so it could process EAP logons, or the RADIUS server used a self-signed certificate for this purpose.

At a minimum you'll need a computer or user certificate on the PC/Laptop at home which has been issued by that Certificate Authority, or if the RADIUS uses a self-signed certificate you'll need to import that into your PC/Laptop.

My guess is that your RADIUS has a CA-issued certificate, not a self-signed.  You should ask IT to install a computer or user certificate on your home PC/Laptop and also a copy of the root certificate so you can trust the cert which is presented to you by the RADIUS server.  However, as I said earlier, that might breach the IT security policy so it might not be possible to do that if your PC/Laptop is not on the corporate domain.
0
 
AHEC (Author) Commented:
This was my bad: when configuring the SSID settings on the PC at home I was putting an _ (underscore) in the SSID... stupid mistake. After taking that out... worked fine.

thanks for your comments though.
0
 
AHEC (Author) Commented:
Sorry I wanted to award partial points for your efforts, but doesn't look like I can.
0
