Win 7 default EAP settings

We want to enable non-domain-member Windows 7 clients to connect to our WPA2-Enterprise (RADIUS) Wi-Fi network. We are using MS NPS as the RADIUS server. We have added MSCHAPv2 as the EAP type, but the EAP authentication fails. Does anyone know what the default EAP settings in Windows 7 are and how to configure NPS to make it work out of the box? We are having the same problem with iPhones: the EAP fails.

The NPS server has a certificate issued from the local CA (ADCS). We have added the root certificate to the trusted root certificate store on both the iPhone and the Windows 7 client, without luck.

Regards,
Jonas
jonha134 asked:

jonha134 (Author, accepted solution) commented:
The problem was that, in the dropdown list of CAs in the NPS settings, I had picked the wrong name: I chose the name of the CA, while I really should have picked the name of the server the CA is running on.
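An added check for the certificate-selection mistake described in the accepted answer (example code written for this page, not from the thread or from Microsoft): it lists the certificates in the NPS server's machine store and, for each one, shows whether it can serve as the PEAP server certificate (has a private key, carries the Server Authentication EKU, is not a CA certificate, and is issued to the host's name). The assumption that the server certificate is issued to the host's FQDN, and the FQDN lookup itself, are mine; run it in an elevated PowerShell on the NPS server.

```powershell
# Added example, not from the thread: list candidate PEAP server certificates
# in the NPS server's machine store and show why each is or is not usable.
# Assumptions: run on the NPS server; the server certificate is expected to be
# issued to the host's FQDN (subject CN or a DNS entry in the SAN).
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Basic Constraints tells a CA certificate apart from an end-entity certificate;
    # a CA's own certificate is what the wrong dropdown entry corresponds to.
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCA = [bool]($bc -and $bc.CertificateAuthority)

    # EnhancedKeyUsageList is the Cert: provider's parsed view of the EKU extension
    $hasServerAuth = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })

    # Subject Alternative Name (OID 2.5.29.17) rendered as text, for DNS-name matching
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
    $nameMatches = [bool](($cert.Subject -match "CN=$([regex]::Escape($fqdn))") -or
                          ($san -match [regex]::Escape($fqdn)))

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEKU = $hasServerAuth
        IsCACert      = $isCA
        NameMatches   = $nameMatches
        UsableForPEAP = ($cert.HasPrivateKey -and $hasServerAuth -and -not $isCA -and
                         $nameMatches -and $cert.NotAfter -gt (Get-Date))
    }
} | Sort-Object UsableForPEAP -Descending | Format-List
```

The certificate NPS offers inside the PEAP TLS handshake is the one clients validate against their trusted root store, so the entry picked in the NPS EAP properties should be the one this script reports as UsableForPEAP, not a certificate whose IsCACert column is True.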
 
Jakob Digranes (Senior Consultant) commented:
For starters, look at the Audit Failures on the NPS server. You can find them under Event Viewer - Security; look for the source Network Policy Server. Or you can find them under Event Viewer - Custom Views - Server Roles, but there everything is marked as informational, including the failed ones.

For Windows 7, they tend to set the policy to use Machine Authentication, or machine and/or user, as the default. Set this to user.

For iPads, look in Event Viewer for the error.


You could also post NPS network access policy here.
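The audit-failure check suggested above, as an added example (my code, not the commenter's): it pulls the NPS audit events from the Security log and summarises the denials by reason code. Event ID 6273 is "Network Policy Server denied access to a user" and 6272 is the corresponding grant; both are written by the Microsoft-Windows-Security-Auditing provider, which is why they appear under Event Viewer - Security rather than as informational entries. The field labels parsed from the message text are the ones NPS writes into those events; the 24-hour default window is an assumption.

```powershell
# Added example, not from the thread: summarise NPS authentication audit
# events from the Security log. 6273 = NPS denied access, 6272 = NPS granted
# access. Reason codes 22 (EAP type cannot be processed) and 23 (error during
# NPS use of EAP) are the two seen in the logs posted above.
param([int]$Hours = 24)   # assumed default lookback window

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 6272, 6273
    StartTime    = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

# Pull one labelled value ("Label:<tabs>value") out of the multi-line event message.
# "Reason:" does not match the "Reason Code:" line because the label must be
# followed directly by the colon.
function Get-Field([string]$Message, [string]$Label) {
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.+?)\s*$") { $Matches[1] } else { '' }
}

$parsed = foreach ($e in $events) {
    $rc = Get-Field $e.Message 'Reason Code'
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Result     = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
        User       = Get-Field $e.Message 'Account Name'            # first match is the User section
        ClientMac  = Get-Field $e.Message 'Calling Station Identifier'
        NasName    = Get-Field $e.Message 'NAS Identifier'
        EapType    = Get-Field $e.Message 'EAP Type'
        ReasonCode = if ($rc) { [int]$rc } else { $null }          # grants carry no reason code
        Reason     = Get-Field $e.Message 'Reason'
    }
}

# Newest first, one line per attempt
$parsed | Sort-Object Time -Descending |
    Format-Table Time, Result, User, EapType, ReasonCode, Reason -AutoSize -Wrap

# Which failure reasons dominate?
$parsed | Where-Object Result -eq 'Denied' |
    Group-Object ReasonCode | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'ReasonCode'; e = { $_.Name } }
```

If the script returns nothing although clients are failing, the Network Policy Server audit subcategory is probably not enabled; `auditpol /get /subcategory:"Network Policy Server"` shows the current setting and `auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable` turns both on. A run of reason code 22 against the same EAP Type is the signature of the client/server method mismatch discussed later in the thread, while reason code 23 points at the server-side EAP (certificate) configuration.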
 
jonha134 (Author) commented:
If I set the policy to MSCHAPv2 (see "setting1"):

Server:
Reason Code 23 An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

Client: (svchost_RASTLS)
[9200] 06-04 10:43:39:081: PeapReadConnectionData
[9200] 06-04 10:43:39:081: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:39:081: PeapReadUserData
[9200] 06-04 10:43:39:081: No Credentails passed
[9200] 06-04 10:43:39:082: RasEapGetInfo
[9200] 06-04 10:43:39:082: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:082:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:082: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:082: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:082: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:39:082: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:39:082: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:39:082: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:082:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:082: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:082: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:082: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:39:084: PeapReadConnectionData
[9200] 06-04 10:43:39:084: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:39:084: PeapReadUserData
[9200] 06-04 10:43:39:084: No Credentails passed
[9200] 06-04 10:43:39:085: RasEapGetInfo
[9200] 06-04 10:43:39:085: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:085:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:085: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:085: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:085: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:39:086: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:39:086: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:39:086: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:086:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:086: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:086: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:086: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:161: PeapReadConnectionData
[9200] 06-04 10:43:50:161: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:50:161: PeapReadUserData
[9200] 06-04 10:43:50:161: No Credentails passed
[9200] 06-04 10:43:50:162: RasEapGetInfo
[9200] 06-04 10:43:50:162: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:163:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:163: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:163: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:163: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:164: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:50:164: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:50:164: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:164:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:164: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:164: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:164: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:166: PeapReadConnectionData
[9200] 06-04 10:43:50:166: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:50:166: PeapReadUserData
[9200] 06-04 10:43:50:166: No Credentails passed
[9200] 06-04 10:43:50:167: RasEapGetInfo
[9200] 06-04 10:43:50:167: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:167:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:167: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:167: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:167: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:168: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:50:168: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:50:168: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:168:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:168: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:168: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:168: PEAP will accept the  All-purpose cert
[9200] 06-04 10:44:20:228: PeapReadConnectionData
[9200] 06-04 10:44:20:228: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:44:20:228: PeapReadUserData
[9200] 06-04 10:44:20:228: No Credentails passed
[9200] 06-04 10:44:20:229: RasEapGetInfo
[9200] 06-04 10:44:20:229: EAP-TLS using All-purpose cert
[9200] 06-04 10:44:20:229:  Self Signed Certificates will not be selected.
[9200] 06-04 10:44:20:229: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:44:20:229: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:44:20:229: PEAP will accept the  All-purpose cert
[9200] 06-04 10:44:20:229: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:44:20:229: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:44:20:229: EAP-TLS using All-purpose cert
[9200] 06-04 10:44:20:229:  Self Signed Certificates will not be selected.
[9200] 06-04 10:44:20:229: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:44:20:229: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:44:20:229: PEAP will accept the  All-purpose cert



If I set the policy to MSCHAPv2 (see "setting1"):

Server:
Reason Code: 22
Reason: The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Client: (svchost_RASTLS)
[9980] 06-04 10:33:12:623: EapPeapBegin
[9980] 06-04 10:33:12:623: EapPeapBegin - flags(0x40080)
[9980] 06-04 10:33:12:623: PeapReadConnectionData
[9980] 06-04 10:33:12:623: IsIdentityPrivacyInPeapConnPropValid
[9980] 06-04 10:33:12:623: PeapReadUserData
[9980] 06-04 10:33:12:623: 
[9980] 06-04 10:33:12:623: EapTlsBegin(johaa)
[9980] 06-04 10:33:12:623: SetupMachineChangeNotification
[9980] 06-04 10:33:12:623: State change to Initial
[9980] 06-04 10:33:12:623: EapTlsBegin: Detected 8021X authentication
[9980] 06-04 10:33:12:623: EapTlsBegin: Detected PEAP authentication
[9980] 06-04 10:33:12:623: MaxTLSMessageLength is now 16384
[9980] 06-04 10:33:12:623: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[9980] 06-04 10:33:12:623: Force IgnoreRevocationOffline on client
[9980] 06-04 10:33:12:623: CRYPT_E_REVOCATION_OFFLINE will be ignored
[9980] 06-04 10:33:12:623: The root cert will not be checked for revocation
[9980] 06-04 10:33:12:623: The cert will be checked for revocation
[9980] 06-04 10:33:12:623: EapPeapBegin done
[9980] 06-04 10:33:12:623: EapPeapMakeMessage
[9980] 06-04 10:33:12:623: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:623: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:623: PEAP:PEAP_STATE_INITIAL
[9980] 06-04 10:33:12:623: EapTlsCMakeMessage, state(0) flags (0x5060)
[9980] 06-04 10:33:12:623: EapTlsReset
[9980] 06-04 10:33:12:623: State change to Initial
[9980] 06-04 10:33:12:623: EapGetCredentials
[9980] 06-04 10:33:12:623: Flag is Client and Store is Current User
[9980] 06-04 10:33:12:623: GetCachedCredentials Flags = 0x5060
[9980] 06-04 10:33:12:623: FindNodeInCachedCredList, flags(0x5060), default cached creds(0), check thread token(1)
[9980] 06-04 10:33:12:623: No Cert Store.  Guest Access requested
[9980] 06-04 10:33:12:623: No Cert Name.  Guest access requested
[9980] 06-04 10:33:12:623: Will NOT validate server cert
[9980] 06-04 10:33:12:624: MakeReplyMessage
[9980] 06-04 10:33:12:624: SecurityContextFunction
[9980] 06-04 10:33:12:624: InitializeSecurityContext returned 0x90312
[9980] 06-04 10:33:12:624: State change to SentHello
[9980] 06-04 10:33:12:624: BuildPacket
[9980] 06-04 10:33:12:624: << Sending Response (Code: 2) packet: Id: 2, Length: 105, Type: 13, TLS blob length: 95. Flags: L
[9980] 06-04 10:33:12:624: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:624: EapPeapMakeMessage done
[9980] 06-04 10:33:12:629: EapPeapMakeMessage
[9980] 06-04 10:33:12:629: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:629: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:629: PEAP:PEAP_STATE_TLS_INPROGRESS
[9980] 06-04 10:33:12:629: EapTlsCMakeMessage, state(2) flags (0x5000)
[9980] 06-04 10:33:12:629: MakeReplyMessage
[9980] 06-04 10:33:12:629: Reallocating input TLS blob buffer
[9980] 06-04 10:33:12:629: BuildPacket
[9980] 06-04 10:33:12:629: << Sending Response (Code: 2) packet: Id: 3, Length: 6, Type: 13, TLS blob length: 0. Flags: 
[9980] 06-04 10:33:12:629: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:629: EapPeapMakeMessage done
[9980] 06-04 10:33:12:633: EapPeapMakeMessage
[9980] 06-04 10:33:12:633: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:633: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:633: PEAP:PEAP_STATE_TLS_INPROGRESS
[9980] 06-04 10:33:12:633: EapTlsCMakeMessage, state(2) flags (0x5010)
[9980] 06-04 10:33:12:633: MakeReplyMessage
[9980] 06-04 10:33:12:634: SecurityContextFunction
[9980] 06-04 10:33:12:634: InitializeSecurityContext returned 0x90312
[9980] 06-04 10:33:12:634: State change to SentFinished
[9980] 06-04 10:33:12:634: BuildPacket
[9980] 06-04 10:33:12:634: << Sending Response (Code: 2) packet: Id: 4, Length: 343, Type: 13, TLS blob length: 333. Flags: L
[9980] 06-04 10:33:12:634: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:634: EapPeapMakeMessage done
[9980] 06-04 10:33:12:638: EapPeapMakeMessage
[9980] 06-04 10:33:12:638: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:638: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:638: PEAP:PEAP_STATE_TLS_INPROGRESS
[9980] 06-04 10:33:12:638: EapTlsCMakeMessage, state(3) flags (0x5000)
[9980] 06-04 10:33:12:638: Code 4 unexpected in state SentFinished
[9980] 06-04 10:33:12:638: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:638: EapPeapMakeMessage done
[9980] 06-04 10:33:12:639: EapPeapEnd
[9980] 06-04 10:33:12:639: EapTlsEnd
[9980] 06-04 10:33:12:639: EapTlsEnd(johaa)
[9980] 06-04 10:33:12:639: EapPeapEnd done



What would be the next step?

/J
setting1.png
setting2.png
 
Jakob Digranes (Senior Consultant) commented:
You should go with setting2; that's where MSCHAPv2 is encapsulated in a secure tunnel, secured with the NPS server certificate.

The error message you get means that the client PC tries to authenticate using a different method than the one configured on the server.

For Windows 7, look at this setup: http://www.itcom.itd.umich.edu/wireless/connect/win7.php
Question has a verified solution.