Solved

Win 7 default EAP settings

Posted on 2013-06-03
762 Views
Last Modified: 2013-07-18
We want to enable non-domain-member Win 7 clients to connect to our WPA2-Enterprise (RADIUS) wifi network. We are using MS NPS as the RADIUS server. We have added MSCHAPv2 as EAP type, but the EAP authentication fails. Does anyone know what the default EAP settings in Win 7 are and how to configure NPS to make it work out of the box? We are having the same problem with iPhones: the EAP fails.

The NPS server has a certificate issued from the local CA (ADCS). We have added the root certificate to the trusted root certificate issuers on both the iPhone and the Win 7 client, without luck.

Regards,
Jonas
Question by:jonha134
6 Comments
 
LVL 21

Expert Comment

by:Jakob Digranes
ID: 39216785
For starters, look at Audit Failures on the NPS server. You can find them under Event Viewer - Security; look for source Network Policy Server. Or you can find them under Event Viewer - Custom Views - Server Roles, but there everything is marked as informational, the failed ones too.

For Windows 7 - they tend to set the policy to use Machine Authentication or machine and/or user as default. Set this to user.

For iPads - look in Event Viewer for the error.


You could also post NPS network access policy here.
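As an added example, not part of the thread: the NPS audit failures the comment above refers to are event ID 6273 ("Network Policy Server denied access to a user") in the Security log, and this PowerShell pulls them and groups them by reason code so a run of failed EAP negotiations can be read at a glance. The cmdlet and filter keys are standard Get-WinEvent; the field regexes assume the usual 6273 message layout ("Reason Code:", "Reason:", "Authentication Type:", "EAP Type:"), and the 24-hour look-back is an assumed default.

```powershell
# Added example: summarise NPS access-denied audits (event ID 6273) on the NPS server.
# Run in an elevated PowerShell session on the NPS host.
param(
    [int]$Hours = 24   # look-back window (assumed default)
)

$filter = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 6273                              # NPS denied access to a user
    StartTime    = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

function Get-Field([string]$Text, [string]$Label) {
    # Return the value after "Label:" on its own line of the event message, or '' if absent.
    # "Reason" will not match "Reason Code:" because the colon must follow the label directly.
    if ($Text -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$") { return $Matches[1] }
    return ''
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = Get-Field $e.Message 'Account Name'   # first Account Name is the user
        AuthType   = Get-Field $e.Message 'Authentication Type'
        EapType    = Get-Field $e.Message 'EAP Type'
        ReasonCode = Get-Field $e.Message 'Reason Code'
        Reason     = Get-Field $e.Message 'Reason'
    }
}

# Reason codes 22 (EAP type cannot be processed) and 23 (error during EAP) are the two
# seen in this thread; both point at the client's EAP method not matching the NPS policy
# or at the server certificate NPS presents inside the PEAP tunnel.
$rows | Group-Object ReasonCode | Sort-Object Count -Descending |
    Select-Object @{n='ReasonCode'; e={ $_.Name }}, Count,
                  @{n='Reason';     e={ $_.Group[0].Reason }},
                  @{n='EapType';    e={ $_.Group[0].EapType }} |
    Format-Table -AutoSize

# Most recent individual failures, for matching against the client-side RASTLS trace.
$rows | Select-Object -First 10 | Format-List
```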
 

Author Comment

by:jonha134
ID: 39218345
If I set the policy to MSCHAPv2 (see "setting1"):

Server:
Reason Code 23 An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

Client: (svchost_RASTLS)
[9200] 06-04 10:43:39:081: PeapReadConnectionData
[9200] 06-04 10:43:39:081: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:39:081: PeapReadUserData
[9200] 06-04 10:43:39:081: No Credentails passed
[9200] 06-04 10:43:39:082: RasEapGetInfo
[9200] 06-04 10:43:39:082: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:082:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:082: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:082: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:082: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:39:082: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:39:082: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:39:082: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:082:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:082: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:082: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:082: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:39:084: PeapReadConnectionData
[9200] 06-04 10:43:39:084: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:39:084: PeapReadUserData
[9200] 06-04 10:43:39:084: No Credentails passed
[9200] 06-04 10:43:39:085: RasEapGetInfo
[9200] 06-04 10:43:39:085: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:085:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:085: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:085: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:085: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:39:086: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:39:086: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:39:086: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:086:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:086: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:086: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:086: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:161: PeapReadConnectionData
[9200] 06-04 10:43:50:161: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:50:161: PeapReadUserData
[9200] 06-04 10:43:50:161: No Credentails passed
[9200] 06-04 10:43:50:162: RasEapGetInfo
[9200] 06-04 10:43:50:162: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:163:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:163: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:163: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:163: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:164: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:50:164: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:50:164: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:164:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:164: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:164: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:164: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:166: PeapReadConnectionData
[9200] 06-04 10:43:50:166: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:50:166: PeapReadUserData
[9200] 06-04 10:43:50:166: No Credentails passed
[9200] 06-04 10:43:50:167: RasEapGetInfo
[9200] 06-04 10:43:50:167: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:167:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:167: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:167: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:167: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:168: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:50:168: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:50:168: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:168:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:168: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:168: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:168: PEAP will accept the  All-purpose cert
[9200] 06-04 10:44:20:228: PeapReadConnectionData
[9200] 06-04 10:44:20:228: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:44:20:228: PeapReadUserData
[9200] 06-04 10:44:20:228: No Credentails passed
[9200] 06-04 10:44:20:229: RasEapGetInfo
[9200] 06-04 10:44:20:229: EAP-TLS using All-purpose cert
[9200] 06-04 10:44:20:229:  Self Signed Certificates will not be selected.
[9200] 06-04 10:44:20:229: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:44:20:229: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:44:20:229: PEAP will accept the  All-purpose cert
[9200] 06-04 10:44:20:229: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:44:20:229: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:44:20:229: EAP-TLS using All-purpose cert
[9200] 06-04 10:44:20:229:  Self Signed Certificates will not be selected.
[9200] 06-04 10:44:20:229: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:44:20:229: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:44:20:229: PEAP will accept the  All-purpose cert



If I set the policy to MSCHAPv2 (see "setting1"):

Server:
Reason Code: 22
Reason: The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Client: (svchost_RASTLS)
[9980] 06-04 10:33:12:623: EapPeapBegin
[9980] 06-04 10:33:12:623: EapPeapBegin - flags(0x40080)
[9980] 06-04 10:33:12:623: PeapReadConnectionData
[9980] 06-04 10:33:12:623: IsIdentityPrivacyInPeapConnPropValid
[9980] 06-04 10:33:12:623: PeapReadUserData
[9980] 06-04 10:33:12:623: 
[9980] 06-04 10:33:12:623: EapTlsBegin(johaa)
[9980] 06-04 10:33:12:623: SetupMachineChangeNotification
[9980] 06-04 10:33:12:623: State change to Initial
[9980] 06-04 10:33:12:623: EapTlsBegin: Detected 8021X authentication
[9980] 06-04 10:33:12:623: EapTlsBegin: Detected PEAP authentication
[9980] 06-04 10:33:12:623: MaxTLSMessageLength is now 16384
[9980] 06-04 10:33:12:623: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[9980] 06-04 10:33:12:623: Force IgnoreRevocationOffline on client
[9980] 06-04 10:33:12:623: CRYPT_E_REVOCATION_OFFLINE will be ignored
[9980] 06-04 10:33:12:623: The root cert will not be checked for revocation
[9980] 06-04 10:33:12:623: The cert will be checked for revocation
[9980] 06-04 10:33:12:623: EapPeapBegin done
[9980] 06-04 10:33:12:623: EapPeapMakeMessage
[9980] 06-04 10:33:12:623: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:623: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:623: PEAP:PEAP_STATE_INITIAL
[9980] 06-04 10:33:12:623: EapTlsCMakeMessage, state(0) flags (0x5060)
[9980] 06-04 10:33:12:623: EapTlsReset
[9980] 06-04 10:33:12:623: State change to Initial
[9980] 06-04 10:33:12:623: EapGetCredentials
[9980] 06-04 10:33:12:623: Flag is Client and Store is Current User
[9980] 06-04 10:33:12:623: GetCachedCredentials Flags = 0x5060
[9980] 06-04 10:33:12:623: FindNodeInCachedCredList, flags(0x5060), default cached creds(0), check thread token(1)
[9980] 06-04 10:33:12:623: No Cert Store.  Guest Access requested
[9980] 06-04 10:33:12:623: No Cert Name.  Guest access requested
[9980] 06-04 10:33:12:623: Will NOT validate server cert
[9980] 06-04 10:33:12:624: MakeReplyMessage
[9980] 06-04 10:33:12:624: SecurityContextFunction
[9980] 06-04 10:33:12:624: InitializeSecurityContext returned 0x90312
[9980] 06-04 10:33:12:624: State change to SentHello
[9980] 06-04 10:33:12:624: BuildPacket
[9980] 06-04 10:33:12:624: << Sending Response (Code: 2) packet: Id: 2, Length: 105, Type: 13, TLS blob length: 95. Flags: L
[9980] 06-04 10:33:12:624: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:624: EapPeapMakeMessage done
[9980] 06-04 10:33:12:629: EapPeapMakeMessage
[9980] 06-04 10:33:12:629: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:629: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:629: PEAP:PEAP_STATE_TLS_INPROGRESS
[9980] 06-04 10:33:12:629: EapTlsCMakeMessage, state(2) flags (0x5000)
[9980] 06-04 10:33:12:629: MakeReplyMessage
[9980] 06-04 10:33:12:629: Reallocating input TLS blob buffer
[9980] 06-04 10:33:12:629: BuildPacket
[9980] 06-04 10:33:12:629: << Sending Response (Code: 2) packet: Id: 3, Length: 6, Type: 13, TLS blob length: 0. Flags: 
[9980] 06-04 10:33:12:629: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:629: EapPeapMakeMessage done
[9980] 06-04 10:33:12:633: EapPeapMakeMessage
[9980] 06-04 10:33:12:633: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:633: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:633: PEAP:PEAP_STATE_TLS_INPROGRESS
[9980] 06-04 10:33:12:633: EapTlsCMakeMessage, state(2) flags (0x5010)
[9980] 06-04 10:33:12:633: MakeReplyMessage
[9980] 06-04 10:33:12:634: SecurityContextFunction
[9980] 06-04 10:33:12:634: InitializeSecurityContext returned 0x90312
[9980] 06-04 10:33:12:634: State change to SentFinished
[9980] 06-04 10:33:12:634: BuildPacket
[9980] 06-04 10:33:12:634: << Sending Response (Code: 2) packet: Id: 4, Length: 343, Type: 13, TLS blob length: 333. Flags: L
[9980] 06-04 10:33:12:634: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:634: EapPeapMakeMessage done
[9980] 06-04 10:33:12:638: EapPeapMakeMessage
[9980] 06-04 10:33:12:638: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:638: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:638: PEAP:PEAP_STATE_TLS_INPROGRESS
[9980] 06-04 10:33:12:638: EapTlsCMakeMessage, state(3) flags (0x5000)
[9980] 06-04 10:33:12:638: Code 4 unexpected in state SentFinished
[9980] 06-04 10:33:12:638: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:638: EapPeapMakeMessage done
[9980] 06-04 10:33:12:639: EapPeapEnd
[9980] 06-04 10:33:12:639: EapTlsEnd
[9980] 06-04 10:33:12:639: EapTlsEnd(johaa)
[9980] 06-04 10:33:12:639: EapPeapEnd done



What would be the next step?

/J
setting1.png
setting2.png
 
LVL 21

Expert Comment

by:Jakob Digranes
ID: 39218357
You should go with setting2 - that's where the MSCHAPv2 is encapsulated in a secure tunnel, secured with the NPS server certificate.

The error message you get is that the client PC tries to authenticate using a different method than the one on the server.

For Windows 7 - look at this setup: http://www.itcom.itd.umich.edu/wireless/connect/win7.php
 

Accepted Solution

by:
jonha134 earned 0 total points
ID: 39264579
The problem was that I had picked the wrong name in the dropdown list of CAs in the NPS settings: I chose the name of the CA, while I really should have picked the name of the server the CA is running on.
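As an added example, not code from the thread: on an NPS server that also runs the CA, the machine store holds both the CA's own certificate (subject is the CA name) and the certificate issued to the server (subject is the host name), and both show up in the PEAP "certificate issued to" dropdown. This PowerShell lists the machine certificates and marks the one that is actually suitable for PEAP. The cmdlets and the EnhancedKeyUsageList property are standard PowerShell; the assumption is that the server certificate's subject CN is the host's FQDN.

```powershell
# Added example: identify the certificate NPS should present for PEAP.
# Run on the NPS server; reads the Local Computer\Personal store.
$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication EKU)

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # A CA certificate carries Basic Constraints with CA=true. A PEAP server certificate
    # must NOT be a CA cert, must carry Server Authentication, and needs its private key.
    $bc    = $cert.Extensions |
             Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa  = [bool]($bc -and $bc.CertificateAuthority)
    $srvAuth = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })

    # First CN in the subject (assumed to be the host FQDN for the server certificate).
    $subjectCn = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } |
                  Select-Object -First 1) -replace '^CN=', ''

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        SubjectCN  = $subjectCn
        Issuer     = $cert.Issuer
        IsCaCert   = $isCa
        ServerAuth = $srvAuth
        PrivateKey = $cert.HasPrivateKey
        NotAfter   = $cert.NotAfter
        # The thread's mistake was selecting the entry where IsCaCert is true;
        # the right one is issued TO this host, not the CA's own certificate.
        UseForPeap = (-not $isCa) -and $srvAuth -and $cert.HasPrivateKey -and ($subjectCn -ieq $fqdn)
    }
}

$report | Sort-Object UseForPeap -Descending | Format-Table -AutoSize
```

Clients only trust the PEAP tunnel if the presented certificate chains to the root they were given and has the Server Authentication EKU, so a row with UseForPeap true is what should be selected in the NPS PEAP settings.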