Solved

Unable to connect to Wireless using RADIUS

Posted on 2016-08-11
4
50 Views
Last Modified: 2016-08-16
Hi there,

I am unable to connect any wireless device to my network because I am getting the following error in the Event Viewer on the RADIUS Server role logs

The certificate chain was issued by an authority that is not trusted


Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/08/2016 16:29:02
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MARAD001.corporate.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  CORPORATE\Nathan.Lindley
      Account Name:                  nathan.lindley
      Account Domain:                  CORPORATE
      Fully Qualified Account Name:      corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            52-D9-E7-A5-10-3A:test
      Calling Station Identifier:            A4-34-D9-67-FA-43

NAS:
      NAS IPv4 Address:            192.168.1.110
      NAS IPv6 Address:            -
      NAS Identifier:                  44d9e7a4103a
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            MPAP3 - IT Suite
      Client IP Address:                  192.168.1.110

Authentication Details:
      Connection Request Policy Name:      IT Suite
      Network Policy Name:            New
      Authentication Provider:            Windows
      Authentication Server:            MARAD001.corporate.local
      Authentication Type:            PEAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  265
      Reason:                        The certificate chain was issued by an authority that is not trusted.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-11T15:29:02.166850000Z" />
    <EventRecordID>5443</EventRecordID>
    <Correlation />
    <Execution ProcessID="460" ThreadID="72" />
    <Channel>Security</Channel>
    <Computer>MARAD001.corporate.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-432469759-3583970380-2158479170-10217</Data>
    <Data Name="SubjectUserName">nathan.lindley</Data>
    <Data Name="SubjectDomainName">CORPORATE</Data>
    <Data Name="FullyQualifiedSubjectUserName">corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">52-D9-E7-A5-10-3A:test</Data>
    <Data Name="CallingStationID">A4-34-D9-67-FA-43</Data>
    <Data Name="NASIPv4Address">192.168.1.110</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">44d9e7a4103a</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NASPort">0</Data>
    <Data Name="ClientName">MPAP3 - IT Suite</Data>
    <Data Name="ClientIPAddress">192.168.1.110</Data>
    <Data Name="ProxyPolicyName">IT Suite</Data>
    <Data Name="NetworkPolicyName">New</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">MARAD001.corporate.local</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">265</Data>
    <Data Name="Reason">The certificate chain was issued by an authority that is not trusted.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>


Any ideas where I am going wrong here?
0
Comment
Question by:Nathan Lindley
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 46

Expert Comment

by:Craig Beck
ID: 41752600
Pull out the sensitive info from the thread :-)

The NPS doesn't trust the cert you're providing as credentials.

Where did your client and NPS get their certificate from?
0
 

Author Comment

by:Nathan Lindley
ID: 41752624
Hi Craig,

good point, I dont seem to be able to find where to edit my question.

Anyway, my radius service is running on its own win 2012 server, separate to my DC.

I installed a certificate authority on the radius server, but from there on, i didn't know much about configuring it.

so any certificate config is probably incomplete on my part...and tips for me?

thanks
0
 
LVL 46

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 41753010
Really what you want to do is install NPS on a DC. That's Microsoft's recommended deployment approach. Then you could tie-in the CA with AD so you can issue certs to users and computers on the domain and use those certs as credentials to authenticate. That means the certs are trusted by users, computers and the NPS all at the same time.

Does that sound like what you need?
0
 

Author Comment

by:Nathan Lindley
ID: 41753481
Hi Craig,

I noticed, that if the computer is actually on the domain, then this trusts the certificate; then I can join the laptop to the wireless. (as long as the user logged in to the laptop is in the relevant security group to authenticate.)

The Microsoft recommended deployment sounds good, and maybe once I have done playing around with this to get to grips with it, I will set this up again on the DC.

We have two wireless networks broadcast from the same AP's, one network routes to a VLAN which uses a separate ADSL connection (for guests etc) ... and another network that uses our corporate VLAN, and gives domain network access.

I would like to be able to force domain laptops to use encrypted authentication (like single sign on) which, so far I have successfully configured...

but would also like to configure the policy so that, any laptops that are not in a security group, are forced on to our ADSL VLAN so they are routed out of our network.

Does this sound possible?

thanks
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
For Sennheiser, comfort, quality and security are high priority areas. This paper addresses the security of Bluetooth technology and the supplementary security that Sennheiser’s Contact Center and Office (CC&O) headsets provide.  
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question