Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Unable to connect to Wireless using RADIUS

Posted on 2016-08-11
4
Medium Priority
?
52 Views
Last Modified: 2016-08-16
Hi there,

I am unable to connect any wireless device to my network because I am getting the following error in the Event Viewer on the RADIUS Server role logs

The certificate chain was issued by an authority that is not trusted


Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/08/2016 16:29:02
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MARAD001.corporate.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  CORPORATE\Nathan.Lindley
      Account Name:                  nathan.lindley
      Account Domain:                  CORPORATE
      Fully Qualified Account Name:      corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            52-D9-E7-A5-10-3A:test
      Calling Station Identifier:            A4-34-D9-67-FA-43

NAS:
      NAS IPv4 Address:            192.168.1.110
      NAS IPv6 Address:            -
      NAS Identifier:                  44d9e7a4103a
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            MPAP3 - IT Suite
      Client IP Address:                  192.168.1.110

Authentication Details:
      Connection Request Policy Name:      IT Suite
      Network Policy Name:            New
      Authentication Provider:            Windows
      Authentication Server:            MARAD001.corporate.local
      Authentication Type:            PEAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  265
      Reason:                        The certificate chain was issued by an authority that is not trusted.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-11T15:29:02.166850000Z" />
    <EventRecordID>5443</EventRecordID>
    <Correlation />
    <Execution ProcessID="460" ThreadID="72" />
    <Channel>Security</Channel>
    <Computer>MARAD001.corporate.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-432469759-3583970380-2158479170-10217</Data>
    <Data Name="SubjectUserName">nathan.lindley</Data>
    <Data Name="SubjectDomainName">CORPORATE</Data>
    <Data Name="FullyQualifiedSubjectUserName">corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">52-D9-E7-A5-10-3A:test</Data>
    <Data Name="CallingStationID">A4-34-D9-67-FA-43</Data>
    <Data Name="NASIPv4Address">192.168.1.110</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">44d9e7a4103a</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NASPort">0</Data>
    <Data Name="ClientName">MPAP3 - IT Suite</Data>
    <Data Name="ClientIPAddress">192.168.1.110</Data>
    <Data Name="ProxyPolicyName">IT Suite</Data>
    <Data Name="NetworkPolicyName">New</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">MARAD001.corporate.local</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">265</Data>
    <Data Name="Reason">The certificate chain was issued by an authority that is not trusted.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>


Any ideas where I am going wrong here?
0
Comment
Question by:Nathan Lindley
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 47

Expert Comment

by:Craig Beck
ID: 41752600
Pull out the sensitive info from the thread :-)

The NPS doesn't trust the cert you're providing as credentials.

Where did your client and NPS get their certificate from?
0
 

Author Comment

by:Nathan Lindley
ID: 41752624
Hi Craig,

good point, I dont seem to be able to find where to edit my question.

Anyway, my radius service is running on its own win 2012 server, separate to my DC.

I installed a certificate authority on the radius server, but from there on, i didn't know much about configuring it.

so any certificate config is probably incomplete on my part...and tips for me?

thanks
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 2000 total points
ID: 41753010
Really what you want to do is install NPS on a DC. That's Microsoft's recommended deployment approach. Then you could tie-in the CA with AD so you can issue certs to users and computers on the domain and use those certs as credentials to authenticate. That means the certs are trusted by users, computers and the NPS all at the same time.

Does that sound like what you need?
0
 

Author Comment

by:Nathan Lindley
ID: 41753481
Hi Craig,

I noticed, that if the computer is actually on the domain, then this trusts the certificate; then I can join the laptop to the wireless. (as long as the user logged in to the laptop is in the relevant security group to authenticate.)

The Microsoft recommended deployment sounds good, and maybe once I have done playing around with this to get to grips with it, I will set this up again on the DC.

We have two wireless networks broadcast from the same AP's, one network routes to a VLAN which uses a separate ADSL connection (for guests etc) ... and another network that uses our corporate VLAN, and gives domain network access.

I would like to be able to force domain laptops to use encrypted authentication (like single sign on) which, so far I have successfully configured...

but would also like to configure the policy so that, any laptops that are not in a security group, are forced on to our ADSL VLAN so they are routed out of our network.

Does this sound possible?

thanks
0

Featured Post

Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question