Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1297
  • Last Modified:

Internal wireless network clients rejected due to invalid server certificate

All of a sudden my clients could not connect to our internal wireless network.  The wireless configuration authenticates the server certificate so when I uncheck this under Wireless Properties, Security, Settings - "Valid Server Certificate" - they connect fine.
I discovered a 36881 event as folows "The certificate received from the remote server has either expired or is not yet valid. The SSL connection request has failed. The attached data contains the server certificate."

When I check the Certifcate Authority on my server, I do not see where this expired certificate is, in fact I do not even see where my certificates are!

Any help would be greatly received.
0
fuzzyfreak
Asked:
fuzzyfreak
  • 7
  • 2
1 Solution
 
Joseph NyaemaIT ConsultantCommented:
What AP are you using (Name and model)?  Also what date and time is set on the AP (time differenct with DC/CA?)?
0
 
fuzzyfreakAuthor Commented:
Thanks for your response but this does not relate to the AP as it is trying to authenticate with a server certificate.
I appear to have at least discovered the outdated certificate on my machine through MMC\certificates\computer account\intermediate...\certificates but on restarting my computer, this does not appear to have updated - do I need to create a new certificate on the server?
0
 
fuzzyfreakAuthor Commented:
I am getting rather confused by this.  Where is it looking for a valid certificate?  I have tried exporting a cert from my server - a few exist and they are all valid. On import I have tried automatic and trusted root certification authority, but Group Policy should install the valid one anyway, however, so long as my wireless connection validates the certificate.....hmmm, now it won't work at all.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
fuzzyfreakAuthor Commented:
Anyone?
0
 
Joseph NyaemaIT ConsultantCommented:
You are not giving much detail, so I will work with assumptions.

For one, you are not going to the right folder to see the computer certificates on your server.  Should be under
Certificates (Local Computer)\Personal\Certificates

I assume the server you are looking at is your NPS Server.
Open the NPS Console and navigate to
NPS\Policies\Connection Request Policies
Right Click on NAP 802.1x (Wireless) or whatever name you have given the policy and click on properties.
Click on the Settings Tab then select Authentication Methods
Then select the EAP type your using (Microsoft: Protected EAP (PEAP) etc) and click Edit
From here you can view or select the SSL Certificate you want to use

With the two consoles you can view the expired certifcates, renew and select one you want to use.
0
 
fuzzyfreakAuthor Commented:
Thanks for the response and thanks for pointing out the location of my certificates.  They are all still in date, none have expired.
Your assumption is correct, this is my NPS server but I have been working on NPS\Policies\Network Policies - I am not sure how this differs from the Connection Request Policies but even making changes to that makes no difference.  I have now tried every possible combination yet I cannot connect.
I will post some further information which might help diagnose the issue.
0
 
fuzzyfreakAuthor Commented:
It seemed that all of a sudden, we could not connect to our 5Ghz network internal network.

I checked and assumed this was because of a Windows Server

Update referring to SHA512 (http://support.microsoft.com/kb/2973337)

I uninstalled this update and rebooted the server but this

did not help.

Next I noticed that because NPS authenticates with

certificates, the certificate on my machine was out of date, I deleted this and

manually reimported the certificate (thought his updates on reboot anyway via

GP) but this did not help.

I discovered an option where I could uncheck the

server certificate validation – at first this worked and got me on but this has

since stopped working.

I then made a copy of the policy and firstly removed the

constraints but this still did not connect.

So I added in all authentication methods but this

makes no difference –

I get the following Event on the server –

security: failure - 2014/07/16 13:50:06 -

Microsoft-Windows-Security-Auditing (6273) - n/a

 "Network Policy Server denied access to a user.

Contact the Network Policy Server

administrator for more information. User: Security ID: %1

Account Name: %2 Account

Domain: %3 Fully Qualified Account Name: %4 Client Machine:

Security ID: %5

Account Name: %6 Fully Qualified Account Name: %7

OS-Version: %8 Called Station

Identifier: %9 Calling Station Identifier: %10 NAS: NAS IPv4

Address: %11 NAS

IPv6 Address: %12 NAS Identifier: %13 NAS Port-Type: %14 NAS

Port: %15 RADIUS

Client: Client Friendly Name: %16 Client IP Address: %17

Authentication Details:

Connection Request Policy Name: %18 Network Policy Name: %19

Authentication Provider:

%20 Authentication Server: %21 Authentication Type: %22 EAP

Type: %23

Account Session Identifier: %24 Logging Results: %27 Reason

Code: %25 Reason: %26"

And the following in the NPS log –

data_type="4">07/16/2014

12:51:32.198servername

data_type="1">IAS

data_type="1">311 1 192.168.2.252 07/15/2014 17:11:01

4251

data_type="1">Virtual Private Network (VPN)

Connections

data_type="3">192.168.2.23

data_type="0">0

data_type="1">WAPNAME

data_type="1">Secure Wireless

Connections

data_type="0">1

data_type="1">domain\username

data_type="1">domain\username

data_type="0">5

data_type="0">3

data_type="0">66

This differs depending on the change of authentication but

in a nutshell NPS is denying access and I can’t figure out why.
0
 
fuzzyfreakAuthor Commented:
This issue was down to incorrect certificate binding on my NPS server.
0
 
fuzzyfreakAuthor Commented:
I had to contact MS in the end.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 7
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now