Solved

Single AP, no controller, EAP authentication problem

Posted on 2012-08-16
Last Modified: 2012-12-11
I've set up my Windows 2008R2 domain controller according to this document:
http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/

I have a single AP which I've set up to authenticate with the NPS.

The certificates from the CA are distributed to all of my Windows 7 clients.

When I try to connect I see the attempt AP. On the client I get an EAP-TLS authentication box where I can enter a username/password. Even if I enter the correct one, I can't connect.

On the NPS server I get the following message in the application log:

EventID: 1006
Source: EapHost
Info: Negotiation failed. Requested EAP methods not available

I've tried the following EAP types:
Microsoft: Smart Card or other certificate
Microsoft: Protected EAP
Microsoft Secured password (EAP-MSCHAP v2)

Neither works.

Does anyone know what I'm doing wrong?
Question by:computication
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 38303802
Looks like your client certificate doesn't have the correct OID;
User certificates must contain the Client Authentication EKU (the 1.3.6.1.5.5.7.3.2 object identifier).

Please post screen shots of NPS policy and client wireless profile
0
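An added example, not part of the original thread: a PowerShell check of whether the certificates in a user's personal store carry the Client Authentication EKU (1.3.6.1.5.5.7.3.2) mentioned above, and whether they have a private key and are inside their validity period. The function name `Test-ClientAuthCertificate` and the status labels are hypothetical, chosen for this example.

```powershell
# Added example (not from the thread). Test-ClientAuthCertificate is a hypothetical helper name.
function Test-ClientAuthCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Client Authentication EKU, as quoted in the comment above.
        [string]$RequiredOid = '1.3.6.1.5.5.7.3.2'
    )

    # Find the Enhanced Key Usage extension (absent on some certificates).
    $ekuExt = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }

    if ($ekuExt) {
        # Collect the dotted OID strings listed in the extension.
        $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($ekuOids -contains $RequiredOid) { $ekuStatus = 'Present' } else { $ekuStatus = 'Missing' }
    } else {
        # No EKU extension at all: report it separately so it can be reviewed by hand.
        $ekuOids = @()
        $ekuStatus = 'NoEkuExtension'
    }

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        EkuStatus     = $ekuStatus
        EkuOids       = ($ekuOids -join ', ')
        HasPrivateKey = $Certificate.HasPrivateKey
        InValidity    = (($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter))
    }
}

# Audit every certificate in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-ClientAuthCertificate -Certificate $_ } |
    Format-Table Subject, EkuStatus, HasPrivateKey, InValidity -AutoSize
```

For computer authentication, run the same check against `Cert:\LocalMachine\My`.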
 
LVL 3

Author Comment

by:computication
ID: 38304689
The client certificate contains the identifier you mentioned.

I've attached screenshot of the settings.
Server-WifiSecure.JPG
Client-PEAPsettings.JPG
Client-WifiSettings.JPG
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 38304785
Remove check marks for MsChap and MsChapv2 and highlight PEAP and choose edit. What inner authentication method have you chosen?
0
 
LVL 3

Author Comment

by:computication
ID: 38304859
Thank you for the help.

I've disabled them, no result, and I've attached the PEAP properties window.
Server-PEAP-properties.JPG
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 38306711
In the Client-PEAPsettings.jpg screenshot you have the 'Validate Server Certificate' box checked, but you don't have a CA checked.  Untick the 'Validate Server Certificate' box and try again.
0
 
LVL 3

Author Comment

by:computication
ID: 38311084
Tried, same result. I've turned on the NPS tracking. In the IASSAM.log I get the following error:
[5320] 08-20 11:32:16:504: Successfully retrieved session (77) for user DALWEG48\MARTIJNP$.
[5320] 08-20 11:32:16:504: Processing output from EAP: action:2
[5320] 08-20 11:32:16:504: Translating attributes returned by EAPHost.
[5320] 08-20 11:32:16:504: EAP authentication failed.
[5320] 08-20 11:32:16:504: No AUTHENTICATION extensions, continuing
[5320] 08-20 11:32:16:504: No AUTHORIZATION extensions, continuing
[5320] 08-20 11:32:16:504: Inserting outbound EAP-Message of length 4.
0
 
LVL 3

Accepted Solution

by:computication
ID: 38324104
There is some sort of corruption on the server where I installed NPS. I just finished installing NPS on a new server, put in the basic configuration and it works.

I'll just move the NPS to a different server.

Thank you for all your help.

Kind regards,

Martijn
0
 
LVL 3

Author Closing Comment

by:computication
ID: 38678718
Installed service on other server and that resolved it.
0
