Solved

Win 7 default EAP settings

Posted on 2013-06-03
Last Modified: 2013-07-18
We want to enable non-domain-member Win 7 clients to connect to our WPA2-Enterprise (RADIUS) wifi network. We are using MS NPS as RADIUS server. We have added MSCHAPv2 as EAP type, but the EAP authentication fails. Does anyone know which are the default EAP settings in Win 7 and how to configure NPS to make it work out of the box? We are having the same problem with iPhones, the EAP fails.

The NPS server has a certificate issued from the local CA (ADCS). We have added the root certificate to the trusted root certificate authorities on both the iPhone and the Win 7 client without luck.

Regards,
Jonas
Question by:jonha134
6 Comments

Expert Comment

by:Jakob Digranes
ID: 39216785
For starters, look at Audit Failures on the NPS server. You can find them under Event Viewer - Security. Look for source Network Policy Server. Or you can find it under Event Viewer - Custom Views - Server Roles, but there everything is marked as informational, including the failed ones.

For Windows 7 - they tend to set the policy to use Machine Authentication or machine and/or user as default. Set this to user.

For iPads - look in Event Viewer for the error.


You could also post NPS network access policy here.
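The advice above, to start from the NPS audit failures, can be turned into a quick triage query. This is an added example, not code from the thread: it pulls the NPS "access denied" audit events (Event ID 6273 in the Security log) from the last day and tallies them by Reason Code, so that the codes 22 and 23 seen later in this question stand out. It assumes it runs on the NPS server with permission to read the Security log.

```powershell
# Added example: tally NPS "denied" audit events (ID 6273) by Reason Code.
# Assumes: run on the NPS server, with rights to read the Security log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 6273                      # NPS denied access to a user
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# The 6273 message body is a list of "Label:  value" lines; pull one by label.
function Get-AuditField {
    param([string]$Message, [string]$Label)
    $pattern = "(?m)^\s*$([regex]::Escape($Label)):\s*(.+?)\s*$"
    if ($Message -match $pattern) { $Matches[1] } else { $null }
}

$parsed = foreach ($e in $events) {
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = Get-AuditField $e.Message 'Account Name'   # first hit = User section
        ClientMac  = Get-AuditField $e.Message 'Calling Station Identifier'
        AuthType   = Get-AuditField $e.Message 'Authentication Type'
        EapType    = Get-AuditField $e.Message 'EAP Type'
        ReasonCode = Get-AuditField $e.Message 'Reason Code'
        Reason     = Get-AuditField $e.Message 'Reason'
    }
}

# Summary first: which reason codes dominate in the last 24 hours.
$parsed | Group-Object ReasonCode | Sort-Object Count -Descending | ForEach-Object {
    '{0,5} x  Reason Code {1,-4} {2}' -f $_.Count, $_.Name, $_.Group[0].Reason
}

# Then the detail for the two EAP-related codes that appear in this thread:
#   22 = the EAP type cannot be processed by the server (client/server EAP mismatch)
#   23 = an error occurred during NPS' use of EAP (check the EAP logs; in this
#        thread it was the certificate picked in the PEAP settings)
$parsed | Where-Object { @('22', '23') -contains $_.ReasonCode } |
    Sort-Object Time -Descending |
    Format-Table Time, User, ClientMac, AuthType, EapType, ReasonCode -AutoSize
```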

Author Comment

by:jonha134
ID: 39218345
If I set the policy to MSCHAPv2 (see "setting1"):

Server:
Reason Code 23 An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

Client: (svchost_RASTLS)
[9200] 06-04 10:43:39:081: PeapReadConnectionData
[9200] 06-04 10:43:39:081: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:39:081: PeapReadUserData
[9200] 06-04 10:43:39:081: No Credentails passed
[9200] 06-04 10:43:39:082: RasEapGetInfo
[9200] 06-04 10:43:39:082: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:082:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:082: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:082: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:082: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:39:082: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:39:082: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:39:082: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:082:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:082: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:082: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:082: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:39:084: PeapReadConnectionData
[9200] 06-04 10:43:39:084: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:39:084: PeapReadUserData
[9200] 06-04 10:43:39:084: No Credentails passed
[9200] 06-04 10:43:39:085: RasEapGetInfo
[9200] 06-04 10:43:39:085: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:085:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:085: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:085: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:085: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:39:086: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:39:086: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:39:086: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:086:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:086: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:086: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:086: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:161: PeapReadConnectionData
[9200] 06-04 10:43:50:161: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:50:161: PeapReadUserData
[9200] 06-04 10:43:50:161: No Credentails passed
[9200] 06-04 10:43:50:162: RasEapGetInfo
[9200] 06-04 10:43:50:162: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:163:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:163: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:163: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:163: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:164: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:50:164: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:50:164: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:164:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:164: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:164: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:164: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:166: PeapReadConnectionData
[9200] 06-04 10:43:50:166: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:50:166: PeapReadUserData
[9200] 06-04 10:43:50:166: No Credentails passed
[9200] 06-04 10:43:50:167: RasEapGetInfo
[9200] 06-04 10:43:50:167: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:167:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:167: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:167: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:167: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:168: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:50:168: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:50:168: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:168:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:168: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:168: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:168: PEAP will accept the  All-purpose cert
[9200] 06-04 10:44:20:228: PeapReadConnectionData
[9200] 06-04 10:44:20:228: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:44:20:228: PeapReadUserData
[9200] 06-04 10:44:20:228: No Credentails passed
[9200] 06-04 10:44:20:229: RasEapGetInfo
[9200] 06-04 10:44:20:229: EAP-TLS using All-purpose cert
[9200] 06-04 10:44:20:229:  Self Signed Certificates will not be selected.
[9200] 06-04 10:44:20:229: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:44:20:229: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:44:20:229: PEAP will accept the  All-purpose cert
[9200] 06-04 10:44:20:229: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:44:20:229: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:44:20:229: EAP-TLS using All-purpose cert
[9200] 06-04 10:44:20:229:  Self Signed Certificates will not be selected.
[9200] 06-04 10:44:20:229: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:44:20:229: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:44:20:229: PEAP will accept the  All-purpose cert



If I set the policy to MSCHAPv2 (see "setting1"):

Server:
Reason Code: 22
Reason: The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Client: (svchost_RASTLS)
[9980] 06-04 10:33:12:623: EapPeapBegin
[9980] 06-04 10:33:12:623: EapPeapBegin - flags(0x40080)
[9980] 06-04 10:33:12:623: PeapReadConnectionData
[9980] 06-04 10:33:12:623: IsIdentityPrivacyInPeapConnPropValid
[9980] 06-04 10:33:12:623: PeapReadUserData
[9980] 06-04 10:33:12:623: 
[9980] 06-04 10:33:12:623: EapTlsBegin(johaa)
[9980] 06-04 10:33:12:623: SetupMachineChangeNotification
[9980] 06-04 10:33:12:623: State change to Initial
[9980] 06-04 10:33:12:623: EapTlsBegin: Detected 8021X authentication
[9980] 06-04 10:33:12:623: EapTlsBegin: Detected PEAP authentication
[9980] 06-04 10:33:12:623: MaxTLSMessageLength is now 16384
[9980] 06-04 10:33:12:623: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[9980] 06-04 10:33:12:623: Force IgnoreRevocationOffline on client
[9980] 06-04 10:33:12:623: CRYPT_E_REVOCATION_OFFLINE will be ignored
[9980] 06-04 10:33:12:623: The root cert will not be checked for revocation
[9980] 06-04 10:33:12:623: The cert will be checked for revocation
[9980] 06-04 10:33:12:623: EapPeapBegin done
[9980] 06-04 10:33:12:623: EapPeapMakeMessage
[9980] 06-04 10:33:12:623: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:623: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:623: PEAP:PEAP_STATE_INITIAL
[9980] 06-04 10:33:12:623: EapTlsCMakeMessage, state(0) flags (0x5060)
[9980] 06-04 10:33:12:623: EapTlsReset
[9980] 06-04 10:33:12:623: State change to Initial
[9980] 06-04 10:33:12:623: EapGetCredentials
[9980] 06-04 10:33:12:623: Flag is Client and Store is Current User
[9980] 06-04 10:33:12:623: GetCachedCredentials Flags = 0x5060
[9980] 06-04 10:33:12:623: FindNodeInCachedCredList, flags(0x5060), default cached creds(0), check thread token(1)
[9980] 06-04 10:33:12:623: No Cert Store.  Guest Access requested
[9980] 06-04 10:33:12:623: No Cert Name.  Guest access requested
[9980] 06-04 10:33:12:623: Will NOT validate server cert
[9980] 06-04 10:33:12:624: MakeReplyMessage
[9980] 06-04 10:33:12:624: SecurityContextFunction
[9980] 06-04 10:33:12:624: InitializeSecurityContext returned 0x90312
[9980] 06-04 10:33:12:624: State change to SentHello
[9980] 06-04 10:33:12:624: BuildPacket
[9980] 06-04 10:33:12:624: << Sending Response (Code: 2) packet: Id: 2, Length: 105, Type: 13, TLS blob length: 95. Flags: L
[9980] 06-04 10:33:12:624: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:624: EapPeapMakeMessage done
[9980] 06-04 10:33:12:629: EapPeapMakeMessage
[9980] 06-04 10:33:12:629: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:629: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:629: PEAP:PEAP_STATE_TLS_INPROGRESS
[9980] 06-04 10:33:12:629: EapTlsCMakeMessage, state(2) flags (0x5000)
[9980] 06-04 10:33:12:629: MakeReplyMessage
[9980] 06-04 10:33:12:629: Reallocating input TLS blob buffer
[9980] 06-04 10:33:12:629: BuildPacket
[9980] 06-04 10:33:12:629: << Sending Response (Code: 2) packet: Id: 3, Length: 6, Type: 13, TLS blob length: 0. Flags: 
[9980] 06-04 10:33:12:629: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:629: EapPeapMakeMessage done
[9980] 06-04 10:33:12:633: EapPeapMakeMessage
[9980] 06-04 10:33:12:633: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:633: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:633: PEAP:PEAP_STATE_TLS_INPROGRESS
[9980] 06-04 10:33:12:633: EapTlsCMakeMessage, state(2) flags (0x5010)
[9980] 06-04 10:33:12:633: MakeReplyMessage
[9980] 06-04 10:33:12:634: SecurityContextFunction
[9980] 06-04 10:33:12:634: InitializeSecurityContext returned 0x90312
[9980] 06-04 10:33:12:634: State change to SentFinished
[9980] 06-04 10:33:12:634: BuildPacket
[9980] 06-04 10:33:12:634: << Sending Response (Code: 2) packet: Id: 4, Length: 343, Type: 13, TLS blob length: 333. Flags: L
[9980] 06-04 10:33:12:634: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:634: EapPeapMakeMessage done
[9980] 06-04 10:33:12:638: EapPeapMakeMessage
[9980] 06-04 10:33:12:638: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:638: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:638: PEAP:PEAP_STATE_TLS_INPROGRESS
[9980] 06-04 10:33:12:638: EapTlsCMakeMessage, state(3) flags (0x5000)
[9980] 06-04 10:33:12:638: Code 4 unexpected in state SentFinished
[9980] 06-04 10:33:12:638: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:638: EapPeapMakeMessage done
[9980] 06-04 10:33:12:639: EapPeapEnd
[9980] 06-04 10:33:12:639: EapTlsEnd
[9980] 06-04 10:33:12:639: EapTlsEnd(johaa)
[9980] 06-04 10:33:12:639: EapPeapEnd done



What would be the next step?

/J
setting1.png
setting2.png

Expert Comment

by:Jakob Digranes
ID: 39218357
You should go with setting2 - that's where the MSCHAPv2 is encapsulated in a secure tunnel, secured with the NPS server certificate.

The error message you get is that the client PC tries to authenticate using a different method than the one on the server.

For Windows 7 - look at this setup: http://www.itcom.itd.umich.edu/wireless/connect/win7.php

Accepted Solution

by: jonha134
ID: 39264579
The problem was that, in the dropdown list of CAs in the NPS settings, I had picked the wrong name: I chose the name of the CA, while I really should have picked the name of the server the CA is running on.
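The accepted solution comes down to the wrong entry being picked in the NPS PEAP certificate dropdown (the CA's name instead of the NPS server's own certificate). This added example, which is not from the thread, lists the certificates in the NPS server's machine store and marks which ones actually qualify as the PEAP server certificate: issued to this server's FQDN, holding a private key, carrying the Server Authentication EKU, not a CA certificate, and not expired. It assumes it runs on the NPS server; $NpsFqdn defaults to this host's DNS name and can be overridden.

```powershell
# Added example: which LocalMachine\My certs qualify as the NPS PEAP server cert.
# Assumes: run on the NPS server. Override $NpsFqdn if the DNS name differs.
$NpsFqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'      # id-kp-serverAuth (Server Authentication)
$now           = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # EKU list as OIDs (EnhancedKeyUsageList is PowerShell's view of the EKU extension).
    $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $ekuOk   = $ekuOids -contains $ServerAuthOid

    # A CA certificate (Basic Constraints CA=true) is never the right pick here.
    $basic = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa  = [bool]($basic -and $basic.CertificateAuthority)

    # Name check: CN in the subject, or any entry in the SAN extension (OID 2.5.29.17).
    $sanText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }) -join ';'
    $nameOk  = ($cert.Subject -match ('(^|,\s*)CN=' + [regex]::Escape($NpsFqdn) + '(,|$)')) -or
               ($sanText -match [regex]::Escape($NpsFqdn))

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $ekuOk
        IsCaCert      = $isCa
        NameMatches   = $nameOk
        NotAfter      = $cert.NotAfter
        UsableForPeap = $cert.HasPrivateKey -and $ekuOk -and (-not $isCa) -and
                        $nameOk -and ($cert.NotAfter -gt $now)
    }
} | Sort-Object UsableForPeap -Descending | Format-Table -AutoSize
```

The row with UsableForPeap = True is the one to select in the NPS PEAP settings; a row whose Subject is the CA's name will show IsCaCert = True and NameMatches = False, which is the mistake described above.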