Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Unable to connect to Wireless using RADIUS

Posted on 2016-08-11
4
Medium Priority
?
57 Views
Last Modified: 2016-08-16
Hi there,

I am unable to connect any wireless device to my network because I am getting the following error in the Event Viewer on the RADIUS Server role logs

The certificate chain was issued by an authority that is not trusted


Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/08/2016 16:29:02
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MARAD001.corporate.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  CORPORATE\Nathan.Lindley
      Account Name:                  nathan.lindley
      Account Domain:                  CORPORATE
      Fully Qualified Account Name:      corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            52-D9-E7-A5-10-3A:test
      Calling Station Identifier:            A4-34-D9-67-FA-43

NAS:
      NAS IPv4 Address:            192.168.1.110
      NAS IPv6 Address:            -
      NAS Identifier:                  44d9e7a4103a
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            MPAP3 - IT Suite
      Client IP Address:                  192.168.1.110

Authentication Details:
      Connection Request Policy Name:      IT Suite
      Network Policy Name:            New
      Authentication Provider:            Windows
      Authentication Server:            MARAD001.corporate.local
      Authentication Type:            PEAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  265
      Reason:                        The certificate chain was issued by an authority that is not trusted.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-11T15:29:02.166850000Z" />
    <EventRecordID>5443</EventRecordID>
    <Correlation />
    <Execution ProcessID="460" ThreadID="72" />
    <Channel>Security</Channel>
    <Computer>MARAD001.corporate.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-432469759-3583970380-2158479170-10217</Data>
    <Data Name="SubjectUserName">nathan.lindley</Data>
    <Data Name="SubjectDomainName">CORPORATE</Data>
    <Data Name="FullyQualifiedSubjectUserName">corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">52-D9-E7-A5-10-3A:test</Data>
    <Data Name="CallingStationID">A4-34-D9-67-FA-43</Data>
    <Data Name="NASIPv4Address">192.168.1.110</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">44d9e7a4103a</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NASPort">0</Data>
    <Data Name="ClientName">MPAP3 - IT Suite</Data>
    <Data Name="ClientIPAddress">192.168.1.110</Data>
    <Data Name="ProxyPolicyName">IT Suite</Data>
    <Data Name="NetworkPolicyName">New</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">MARAD001.corporate.local</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">265</Data>
    <Data Name="Reason">The certificate chain was issued by an authority that is not trusted.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>


Any ideas where I am going wrong here?
0
Comment
Question by:Nathan Lindley
  • 2
  • 2
4 Comments
 
LVL 47

Expert Comment

by:Craig Beck
ID: 41752600
Pull out the sensitive info from the thread :-)

The NPS doesn't trust the cert you're providing as credentials.

Where did your client and NPS get their certificate from?
0
 

Author Comment

by:Nathan Lindley
ID: 41752624
Hi Craig,

good point, I dont seem to be able to find where to edit my question.

Anyway, my radius service is running on its own win 2012 server, separate to my DC.

I installed a certificate authority on the radius server, but from there on, i didn't know much about configuring it.

so any certificate config is probably incomplete on my part...and tips for me?

thanks
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 2000 total points
ID: 41753010
Really what you want to do is install NPS on a DC. That's Microsoft's recommended deployment approach. Then you could tie-in the CA with AD so you can issue certs to users and computers on the domain and use those certs as credentials to authenticate. That means the certs are trusted by users, computers and the NPS all at the same time.

Does that sound like what you need?
0
 

Author Comment

by:Nathan Lindley
ID: 41753481
Hi Craig,

I noticed, that if the computer is actually on the domain, then this trusts the certificate; then I can join the laptop to the wireless. (as long as the user logged in to the laptop is in the relevant security group to authenticate.)

The Microsoft recommended deployment sounds good, and maybe once I have done playing around with this to get to grips with it, I will set this up again on the DC.

We have two wireless networks broadcast from the same AP's, one network routes to a VLAN which uses a separate ADSL connection (for guests etc) ... and another network that uses our corporate VLAN, and gives domain network access.

I would like to be able to force domain laptops to use encrypted authentication (like single sign on) which, so far I have successfully configured...

but would also like to configure the policy so that, any laptops that are not in a security group, are forced on to our ADSL VLAN so they are routed out of our network.

Does this sound possible?

thanks
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
Measuring Server's processing rate with a simple powershell command. The differences in processing rate also was recorded in different use-cases, when a server in free and busy states.
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question