Solved

Unable to connect to Wireless using RADIUS

Posted on 2016-08-11
4
34 Views
Last Modified: 2016-08-16
Hi there,

I am unable to connect any wireless device to my network because I am getting the following error in the Event Viewer on the RADIUS Server role logs

The certificate chain was issued by an authority that is not trusted


Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/08/2016 16:29:02
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MARAD001.corporate.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  CORPORATE\Nathan.Lindley
      Account Name:                  nathan.lindley
      Account Domain:                  CORPORATE
      Fully Qualified Account Name:      corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            52-D9-E7-A5-10-3A:test
      Calling Station Identifier:            A4-34-D9-67-FA-43

NAS:
      NAS IPv4 Address:            192.168.1.110
      NAS IPv6 Address:            -
      NAS Identifier:                  44d9e7a4103a
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            MPAP3 - IT Suite
      Client IP Address:                  192.168.1.110

Authentication Details:
      Connection Request Policy Name:      IT Suite
      Network Policy Name:            New
      Authentication Provider:            Windows
      Authentication Server:            MARAD001.corporate.local
      Authentication Type:            PEAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  265
      Reason:                        The certificate chain was issued by an authority that is not trusted.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-11T15:29:02.166850000Z" />
    <EventRecordID>5443</EventRecordID>
    <Correlation />
    <Execution ProcessID="460" ThreadID="72" />
    <Channel>Security</Channel>
    <Computer>MARAD001.corporate.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-432469759-3583970380-2158479170-10217</Data>
    <Data Name="SubjectUserName">nathan.lindley</Data>
    <Data Name="SubjectDomainName">CORPORATE</Data>
    <Data Name="FullyQualifiedSubjectUserName">corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">52-D9-E7-A5-10-3A:test</Data>
    <Data Name="CallingStationID">A4-34-D9-67-FA-43</Data>
    <Data Name="NASIPv4Address">192.168.1.110</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">44d9e7a4103a</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NASPort">0</Data>
    <Data Name="ClientName">MPAP3 - IT Suite</Data>
    <Data Name="ClientIPAddress">192.168.1.110</Data>
    <Data Name="ProxyPolicyName">IT Suite</Data>
    <Data Name="NetworkPolicyName">New</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">MARAD001.corporate.local</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">265</Data>
    <Data Name="Reason">The certificate chain was issued by an authority that is not trusted.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>


Any ideas where I am going wrong here?
0
Comment
Question by:Nathan Lindley
  • 2
  • 2
4 Comments
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41752600
Pull out the sensitive info from the thread :-)

The NPS doesn't trust the cert you're providing as credentials.

Where did your client and NPS get their certificate from?
0
 

Author Comment

by:Nathan Lindley
ID: 41752624
Hi Craig,

good point, I dont seem to be able to find where to edit my question.

Anyway, my radius service is running on its own win 2012 server, separate to my DC.

I installed a certificate authority on the radius server, but from there on, i didn't know much about configuring it.

so any certificate config is probably incomplete on my part...and tips for me?

thanks
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 41753010
Really what you want to do is install NPS on a DC. That's Microsoft's recommended deployment approach. Then you could tie-in the CA with AD so you can issue certs to users and computers on the domain and use those certs as credentials to authenticate. That means the certs are trusted by users, computers and the NPS all at the same time.

Does that sound like what you need?
0
 

Author Comment

by:Nathan Lindley
ID: 41753481
Hi Craig,

I noticed, that if the computer is actually on the domain, then this trusts the certificate; then I can join the laptop to the wireless. (as long as the user logged in to the laptop is in the relevant security group to authenticate.)

The Microsoft recommended deployment sounds good, and maybe once I have done playing around with this to get to grips with it, I will set this up again on the DC.

We have two wireless networks broadcast from the same AP's, one network routes to a VLAN which uses a separate ADSL connection (for guests etc) ... and another network that uses our corporate VLAN, and gives domain network access.

I would like to be able to force domain laptops to use encrypted authentication (like single sign on) which, so far I have successfully configured...

but would also like to configure the policy so that, any laptops that are not in a security group, are forced on to our ADSL VLAN so they are routed out of our network.

Does this sound possible?

thanks
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

DECT technology has become a popular standard for wireless voice communication. DECT devices are not likely to be affected by other electronic devices and signals because they operate in a separate frequency-band.
A procedure for exporting installed hotfix details of remote computers using powershell
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now