Solved

Win 7 default EAP settings

Posted on 2013-06-03
Last Modified: 2013-07-18
We want to enable non-domain-member Win 7 clients to connect to our WPA2-Enterprise (RADIUS) Wi-Fi network. We are using MS NPS as the RADIUS server. We have added MSCHAPv2 as EAP type, but the EAP authentication fails. Does anyone know what the default EAP settings are in Win 7 and how to configure NPS to make it work out of the box? We are having the same problem with iPhones: the EAP fails.

The NPS server has a certificate issued from the local CA (ADCS). We have added the root certificate to the trusted root certificate issuers on both the iPhone and the Win 7 client, without luck.

Regards,
Jonas
Question by: jonha134
 
Expert Comment
by: Jakob Digranes
ID: 39216785
For starters, look at Audit Failures on the NPS server. You can find them under Event Viewer - Security; look for source Network Policy Server. Or you can find them under Event Viewer - Custom Views - Server Roles, but there everything is marked as informational, including the failed ones.

For Windows 7: they tend to set the policy to use machine authentication, or machine and/or user, as default. Set this to user.

For iPads, look in Event Viewer for the error.


You could also post NPS network access policy here.
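The Security-log check from the comment above, scripted. This is an added example and not code from the thread: it reads NPS "access denied" events (Event ID 6273, the Audit Failure entries) from the Security log on the NPS server and summarises them by Reason Code, so a client/server EAP mismatch shows up as a pattern rather than one event at a time. It assumes you run it on the NPS server with rights to read the Security log and PowerShell 3.0 or later.

```powershell
# Added example (not from the original thread): list recent NPS access-denied
# events and group them by Reason Code. Run on the NPS server; needs rights to
# read the Security log (Event Log Readers or local admin).
#
# NPS only writes these events when auditing for the subcategory is enabled.
# If nothing comes back, turn it on first (effective immediately):
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

function Get-NpsDenial {
    [CmdletBinding()]
    param(
        [int]$Hours     = 24,
        [int]$MaxEvents = 500
    )

    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 6273                           # 6272 = access granted
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The useful fields live in EventData; read them by name rather
            # than by position so the script survives schema reordering.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                User          = $data['FullyQualifiedSubjectUserName']
                ClientMac     = $data['CallingStationID']   # supplicant MAC on 802.1X
                Nas           = $data['NASIdentifier']      # the access point / controller
                AuthType      = $data['AuthenticationType']
                EapType       = $data['EAPType']
                NetworkPolicy = $data['NetworkPolicyName']
                ReasonCode    = [int]$data['ReasonCode']
                Reason        = $data['Reason']
            }
        }
}

# Usage. The codes that show up in this thread (22 = EAP type cannot be
# processed, 23 = error in NPS's use of EAP) point at an EAP/certificate
# configuration problem, not at a wrong password (that is reason 16).
$denials = Get-NpsDenial -Hours 24

$denials | Group-Object ReasonCode | Sort-Object Count -Descending |
    Select-Object Count, @{n='ReasonCode'; e={ $_.Name }}, @{n='Reason'; e={ $_.Group[0].Reason }} |
    Format-Table -AutoSize

$denials | Where-Object { @(22, 23) -contains $_.ReasonCode } |
    Format-Table Time, User, ClientMac, Nas, EapType, NetworkPolicy -AutoSize
```

If the query returns events but `EAPType` is empty for the failures, the client never got as far as negotiating an EAP method, which is the situation the two reason codes above describe.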
 

Author Comment
by: jonha134
ID: 39218345
If I set the policy to MSCHAPv2 (see "setting1"):

Server:
Reason Code 23 An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

Client: (svchost_RASTLS)
[9200] 06-04 10:43:39:081: PeapReadConnectionData
[9200] 06-04 10:43:39:081: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:39:081: PeapReadUserData
[9200] 06-04 10:43:39:081: No Credentails passed
[9200] 06-04 10:43:39:082: RasEapGetInfo
[9200] 06-04 10:43:39:082: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:082:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:082: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:082: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:082: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:39:082: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:39:082: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:39:082: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:082:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:082: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:082: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:082: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:39:084: PeapReadConnectionData
[9200] 06-04 10:43:39:084: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:39:084: PeapReadUserData
[9200] 06-04 10:43:39:084: No Credentails passed
[9200] 06-04 10:43:39:085: RasEapGetInfo
[9200] 06-04 10:43:39:085: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:085:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:085: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:085: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:085: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:39:086: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:39:086: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:39:086: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:39:086:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:39:086: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:39:086: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:39:086: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:161: PeapReadConnectionData
[9200] 06-04 10:43:50:161: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:50:161: PeapReadUserData
[9200] 06-04 10:43:50:161: No Credentails passed
[9200] 06-04 10:43:50:162: RasEapGetInfo
[9200] 06-04 10:43:50:162: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:163:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:163: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:163: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:163: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:164: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:50:164: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:50:164: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:164:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:164: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:164: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:164: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:166: PeapReadConnectionData
[9200] 06-04 10:43:50:166: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:43:50:166: PeapReadUserData
[9200] 06-04 10:43:50:166: No Credentails passed
[9200] 06-04 10:43:50:167: RasEapGetInfo
[9200] 06-04 10:43:50:167: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:167:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:167: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:167: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:167: PEAP will accept the  All-purpose cert
[9200] 06-04 10:43:50:168: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:43:50:168: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:43:50:168: EAP-TLS using All-purpose cert
[9200] 06-04 10:43:50:168:  Self Signed Certificates will not be selected.
[9200] 06-04 10:43:50:168: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:43:50:168: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:43:50:168: PEAP will accept the  All-purpose cert
[9200] 06-04 10:44:20:228: PeapReadConnectionData
[9200] 06-04 10:44:20:228: IsIdentityPrivacyInPeapConnPropValid
[9200] 06-04 10:44:20:228: PeapReadUserData
[9200] 06-04 10:44:20:228: No Credentails passed
[9200] 06-04 10:44:20:229: RasEapGetInfo
[9200] 06-04 10:44:20:229: EAP-TLS using All-purpose cert
[9200] 06-04 10:44:20:229:  Self Signed Certificates will not be selected.
[9200] 06-04 10:44:20:229: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:44:20:229: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:44:20:229: PEAP will accept the  All-purpose cert
[9200] 06-04 10:44:20:229: PeapEapInfoInvokeIdentityUI API call failed with error code 703
[9200] 06-04 10:44:20:229: PeapGetIdentity returned the identity as (null)
[9200] 06-04 10:44:20:229: EAP-TLS using All-purpose cert
[9200] 06-04 10:44:20:229:  Self Signed Certificates will not be selected.
[9200] 06-04 10:44:20:229: EAP-TLS will accept the  All-purpose cert
[9200] 06-04 10:44:20:229: EapTlsInitialize2: PEAP using All-purpose cert
[9200] 06-04 10:44:20:229: PEAP will accept the  All-purpose cert



If I set the policy to MSCHAPv2 (see "setting1"):

Server:
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Client: (svchost_RASTLS)
[9980] 06-04 10:33:12:623: EapPeapBegin
[9980] 06-04 10:33:12:623: EapPeapBegin - flags(0x40080)
[9980] 06-04 10:33:12:623: PeapReadConnectionData
[9980] 06-04 10:33:12:623: IsIdentityPrivacyInPeapConnPropValid
[9980] 06-04 10:33:12:623: PeapReadUserData
[9980] 06-04 10:33:12:623: 
[9980] 06-04 10:33:12:623: EapTlsBegin(johaa)
[9980] 06-04 10:33:12:623: SetupMachineChangeNotification
[9980] 06-04 10:33:12:623: State change to Initial
[9980] 06-04 10:33:12:623: EapTlsBegin: Detected 8021X authentication
[9980] 06-04 10:33:12:623: EapTlsBegin: Detected PEAP authentication
[9980] 06-04 10:33:12:623: MaxTLSMessageLength is now 16384
[9980] 06-04 10:33:12:623: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[9980] 06-04 10:33:12:623: Force IgnoreRevocationOffline on client
[9980] 06-04 10:33:12:623: CRYPT_E_REVOCATION_OFFLINE will be ignored
[9980] 06-04 10:33:12:623: The root cert will not be checked for revocation
[9980] 06-04 10:33:12:623: The cert will be checked for revocation
[9980] 06-04 10:33:12:623: EapPeapBegin done
[9980] 06-04 10:33:12:623: EapPeapMakeMessage
[9980] 06-04 10:33:12:623: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:623: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:623: PEAP:PEAP_STATE_INITIAL
[9980] 06-04 10:33:12:623: EapTlsCMakeMessage, state(0) flags (0x5060)
[9980] 06-04 10:33:12:623: EapTlsReset
[9980] 06-04 10:33:12:623: State change to Initial
[9980] 06-04 10:33:12:623: EapGetCredentials
[9980] 06-04 10:33:12:623: Flag is Client and Store is Current User
[9980] 06-04 10:33:12:623: GetCachedCredentials Flags = 0x5060
[9980] 06-04 10:33:12:623: FindNodeInCachedCredList, flags(0x5060), default cached creds(0), check thread token(1)
[9980] 06-04 10:33:12:623: No Cert Store.  Guest Access requested
[9980] 06-04 10:33:12:623: No Cert Name.  Guest access requested
[9980] 06-04 10:33:12:623: Will NOT validate server cert
[9980] 06-04 10:33:12:624: MakeReplyMessage
[9980] 06-04 10:33:12:624: SecurityContextFunction
[9980] 06-04 10:33:12:624: InitializeSecurityContext returned 0x90312
[9980] 06-04 10:33:12:624: State change to SentHello
[9980] 06-04 10:33:12:624: BuildPacket
[9980] 06-04 10:33:12:624: << Sending Response (Code: 2) packet: Id: 2, Length: 105, Type: 13, TLS blob length: 95. Flags: L
[9980] 06-04 10:33:12:624: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:624: EapPeapMakeMessage done
[9980] 06-04 10:33:12:629: EapPeapMakeMessage
[9980] 06-04 10:33:12:629: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:629: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:629: PEAP:PEAP_STATE_TLS_INPROGRESS
[9980] 06-04 10:33:12:629: EapTlsCMakeMessage, state(2) flags (0x5000)
[9980] 06-04 10:33:12:629: MakeReplyMessage
[9980] 06-04 10:33:12:629: Reallocating input TLS blob buffer
[9980] 06-04 10:33:12:629: BuildPacket
[9980] 06-04 10:33:12:629: << Sending Response (Code: 2) packet: Id: 3, Length: 6, Type: 13, TLS blob length: 0. Flags: 
[9980] 06-04 10:33:12:629: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:629: EapPeapMakeMessage done
[9980] 06-04 10:33:12:633: EapPeapMakeMessage
[9980] 06-04 10:33:12:633: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:633: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:633: PEAP:PEAP_STATE_TLS_INPROGRESS
[9980] 06-04 10:33:12:633: EapTlsCMakeMessage, state(2) flags (0x5010)
[9980] 06-04 10:33:12:633: MakeReplyMessage
[9980] 06-04 10:33:12:634: SecurityContextFunction
[9980] 06-04 10:33:12:634: InitializeSecurityContext returned 0x90312
[9980] 06-04 10:33:12:634: State change to SentFinished
[9980] 06-04 10:33:12:634: BuildPacket
[9980] 06-04 10:33:12:634: << Sending Response (Code: 2) packet: Id: 4, Length: 343, Type: 13, TLS blob length: 333. Flags: L
[9980] 06-04 10:33:12:634: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:634: EapPeapMakeMessage done
[9980] 06-04 10:33:12:638: EapPeapMakeMessage
[9980] 06-04 10:33:12:638: EapPeapCMakeMessage, flags(0x80500)
[9980] 06-04 10:33:12:638: Cloned PPP_EAP_PACKET packet
[9980] 06-04 10:33:12:638: PEAP:PEAP_STATE_TLS_INPROGRESS
[9980] 06-04 10:33:12:638: EapTlsCMakeMessage, state(3) flags (0x5000)
[9980] 06-04 10:33:12:638: Code 4 unexpected in state SentFinished
[9980] 06-04 10:33:12:638: EapPeapCMakeMessage done
[9980] 06-04 10:33:12:638: EapPeapMakeMessage done
[9980] 06-04 10:33:12:639: EapPeapEnd
[9980] 06-04 10:33:12:639: EapTlsEnd
[9980] 06-04 10:33:12:639: EapTlsEnd(johaa)
[9980] 06-04 10:33:12:639: EapPeapEnd done



What would be the next step?

/J
setting1.png
setting2.png
Expert Comment
by: Jakob Digranes
ID: 39218357
You should go with setting2; that's where the MSCHAPv2 is encapsulated in a secure tunnel, secured with the NPS server certificate.

The error message you get is that the client PC tries to authenticate using a different method than the one on the server.

For Windows 7 - look at this setup: http://www.itcom.itd.umich.edu/wireless/connect/win7.php

Accepted Solution
by: jonha134
ID: 39264579
The problem was that in the dropdown list of CAs in the NPS settings I had picked the wrong name: I chose the name of the CA, while I really should have picked the name of the server the CA is running on.
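A check for the mistake in the accepted solution, as an added example (not code from the thread): NPS fills its "Certificate issued to" dropdown from the computer's personal store (`Cert:\LocalMachine\My`), and when the CA role lives on the same box, or the CA certificate has been put in that store, the CA's own certificate appears next to the real server certificate. The script below lists every certificate in that store and marks the one that is actually usable for PEAP: not a CA certificate, has a private key, allows Server Authentication (or has no EKU at all, the "all-purpose cert" the client log above mentions), carries the server's name, chains to a trusted root and is within its validity period. It assumes the server certificate was issued to this host's FQDN, as the ADCS "RAS and IAS Server" template does; pass `-ServerName` if not.

```powershell
# Added example (not from the original thread): show which certificate in the
# NPS server's LocalMachine\My store is a usable PEAP server certificate, and
# flag the CA certificate that is easy to pick by mistake.
function Test-NpsPeapCertificate {
    param(
        # Assumption: the NPS certificate is issued to this host's FQDN.
        [string]$ServerName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $now = Get-Date

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $bc  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }  # Basic Constraints
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }  # Enhanced Key Usage
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # Subject Alt Name

        # A CA certificate has Basic Constraints with cA=TRUE. That is the
        # "name of the CA" entry in the NPS dropdown; never pick it.
        $isCa = [bool]($bc -and $bc.CertificateAuthority)

        # No EKU extension = "all-purpose" certificate, which PEAP accepts;
        # otherwise Server Authentication must be listed.
        $serverAuthOk = (-not $eku) -or
            [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

        # Names a client can match: the CN (or first SAN) plus every SAN DNS entry.
        $names = @($cert.GetNameInfo('DnsName', $false))
        if ($san) {
            $names += ($san.Format($false) -split ',\s*' |
                Where-Object { $_ -match '^DNS Name=' } |
                ForEach-Object { ($_ -split '=', 2)[1] })
        }
        $nameOk = $names -contains $ServerName

        # Chain to a trusted root in the machine store. Revocation is skipped
        # here so an unreachable CRL does not mask a trust problem.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)

        $inValidity = ($cert.NotBefore -le $now) -and ($now -lt $cert.NotAfter)

        New-Object PSObject -Property @{
            IssuedTo      = $cert.GetNameInfo('SimpleName', $false)  # what the NPS dropdown shows
            Issuer        = $cert.GetNameInfo('SimpleName', $true)
            Thumbprint    = $cert.Thumbprint
            IsCA          = $isCa
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = $serverAuthOk
            NameMatches   = $nameOk
            ChainTrusted  = $chainOk
            InValidity    = $inValidity
            UsableForPeap = (-not $isCa) -and $cert.HasPrivateKey -and $serverAuthOk -and
                            $nameOk -and $chainOk -and $inValidity
        }
    }
}

# Usage: the row with UsableForPeap = True is the one to select under
# NPS > Network Policies > Constraints > Authentication Methods > PEAP > Edit.
Test-NpsPeapCertificate |
    Sort-Object UsableForPeap -Descending |
    Format-Table IssuedTo, IsCA, HasPrivateKey, ServerAuthEku, NameMatches, ChainTrusted, InValidity, UsableForPeap -AutoSize
```

If no row comes out usable, the usual causes in order are: the certificate was requested without a private key in the machine store, the template lacked Server Authentication, or the subject is the short hostname while clients are configured to expect the FQDN.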
