Nathan Lindley
asked on
Unable to connect to Wireless using RADIUS
Hi there,
I am unable to connect any wireless device to my network because I am getting the following error in the Event Viewer on the RADIUS Server role logs:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/08/2016 16:29:02
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: MARAD001.corporate.local
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: CORPORATE\Nathan.Lindley
Account Name: nathan.lindley
Account Domain: CORPORATE
Fully Qualified Account Name: corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 52-D9-E7-A5-10-3A:test
Calling Station Identifier: A4-34-D9-67-FA-43
NAS:
NAS IPv4 Address: 192.168.1.110
NAS IPv6 Address: -
NAS Identifier: 44d9e7a4103a
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: MPAP3 - IT Suite
Client IP Address: 192.168.1.110
Authentication Details:
Connection Request Policy Name: IT Suite
Network Policy Name: New
Authentication Provider: Windows
Authentication Server: MARAD001.corporate.local
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 265
Reason: The certificate chain was issued by an authority that is not trusted.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6273</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12552</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2016-08-11T15:29:02.166850000Z" />
<EventRecordID>5443</EventRecordID>
<Correlation />
<Execution ProcessID="460" ThreadID="72" />
<Channel>Security</Channel>
<Computer>MARAD001.corporate.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-432469759-3583970380-2158479170-10217</Data>
<Data Name="SubjectUserName">nathan.lindley</Data>
<Data Name="SubjectDomainName">CORPORATE</Data>
<Data Name="FullyQualifiedSubjectUserName">corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley</Data>
<Data Name="SubjectMachineSID">S-1-0-0</Data>
<Data Name="SubjectMachineName">-</Data>
<Data Name="FullyQualifiedSubjectMachineName">-</Data>
<Data Name="MachineInventory">-</Data>
<Data Name="CalledStationID">52-D9-E7-A5-10-3A:test</Data>
<Data Name="CallingStationID">A4-34-D9-67-FA-43</Data>
<Data Name="NASIPv4Address">192.168.1.110</Data>
<Data Name="NASIPv6Address">-</Data>
<Data Name="NASIdentifier">44d9e7a4103a</Data>
<Data Name="NASPortType">Wireless - IEEE 802.11</Data>
<Data Name="NASPort">0</Data>
<Data Name="ClientName">MPAP3 - IT Suite</Data>
<Data Name="ClientIPAddress">192.168.1.110</Data>
<Data Name="ProxyPolicyName">IT Suite</Data>
<Data Name="NetworkPolicyName">New</Data>
<Data Name="AuthenticationProvider">Windows</Data>
<Data Name="AuthenticationServer">MARAD001.corporate.local</Data>
<Data Name="AuthenticationType">PEAP</Data>
<Data Name="EAPType">-</Data>
<Data Name="AccountSessionIdentifier">-</Data>
<Data Name="ReasonCode">265</Data>
<Data Name="Reason">The certificate chain was issued by an authority that is not trusted.</Data>
<Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
</EventData>
</Event>
Any ideas where I am going wrong here?
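When many clients are being denied, the Event Xml layout posted above can be parsed to see which reason codes, access points and client MACs are involved. The following is an added example, not part of the original thread; it assumes events saved from Event Viewer as XML under an `<Events>` root, and every user name, MAC address and AP name in the sample is constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, user, station, reason_code, reason):
    """Build one trimmed event in the layout shown above (constructed sample data)."""
    data = {"SubjectUserName": user, "CallingStationID": station,
            "ClientName": "AP-1", "AuthenticationType": "PEAP",
            "ReasonCode": reason_code, "Reason": reason}
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{rows}</EventData></Event>')

UNTRUSTED = "The certificate chain was issued by an authority that is not trusted."
# Constructed export: two denials (6273) and one event with another ID that must be skipped.
SAMPLE = "<Events>" + "".join([
    _event(6273, "user.one", "AA-BB-CC-00-00-01", "265", UNTRUSTED),
    _event(6273, "user.two", "AA-BB-CC-00-00-02", "265", UNTRUSTED),
    _event(6272, "user.three", "AA-BB-CC-00-00-03", "0", "-"),
]) + "</Events>"

def parse_nps_denials(xml_text):
    """Return one dict of EventData fields per Event ID 6273 record."""
    denials = []
    for ev in ET.fromstring(xml_text).iter(f'{{{NS["e"]}}}Event'):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "6273":
            continue
        fields = {d.get("Name"): (d.text or "").strip()
                  for d in ev.findall("e:EventData/e:Data", NS)}
        denials.append(fields)
    return denials

def denials_by_reason_and_client(denials):
    """Count denials per (ReasonCode, RADIUS client) to see whether one AP or one cause dominates."""
    return Counter((d.get("ReasonCode"), d.get("ClientName")) for d in denials)

def untrusted_chain_stations(denials):
    """Calling stations (client MACs) rejected with reason code 265."""
    return sorted({d["CallingStationID"] for d in denials if d.get("ReasonCode") == "265"})

if __name__ == "__main__":
    found = parse_nps_denials(SAMPLE)
    for key, count in denials_by_reason_and_client(found).items():
        print(key, count)
    print(untrusted_chain_stations(found))
```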
ASKER
Hi Craig,
Good point, I don't seem to be able to find where to edit my question.
Anyway, my RADIUS service is running on its own Win 2012 server, separate to my DC.
I installed a certificate authority on the RADIUS server, but from there on, I didn't know much about configuring it.
So any certificate config is probably incomplete on my part... any tips for me?
Thanks
ASKER
Hi Craig,
I noticed that if the computer is actually on the domain, then this trusts the certificate; then I can join the laptop to the wireless (as long as the user logged in to the laptop is in the relevant security group to authenticate).
The Microsoft recommended deployment sounds good, and maybe once I have done playing around with this to get to grips with it, I will set this up again on the DC.
We have two wireless networks broadcast from the same APs: one network routes to a VLAN which uses a separate ADSL connection (for guests etc.), and another network that uses our corporate VLAN and gives domain network access.
I would like to be able to force domain laptops to use encrypted authentication (like single sign on), which so far I have successfully configured...
but would also like to configure the policy so that any laptops that are not in a security group are forced on to our ADSL VLAN so they are routed out of our network.
Does this sound possible?
Thanks
The NPS doesn't trust the cert you're providing as credentials.
Where did your client and NPS get their certificate from?