EAP-TLS Authentication

I have set up a Network Policy on our NPS server that requires a smart card or other certificate to authenticate. I have been attempting to test on a Windows 7 laptop. I have gone to the CA and requested a user certificate, and I have installed the certificate in my login's Personal store in MMC. However, when I set up the Wi-Fi profile on the Windows 7 laptop, it keeps telling me I need to get a certificate.
Asked by Brandon Miller, Systems Administrator

Jakob Digranes, Senior Consultant, commented:
Make sure your certificate template has Client Authentication as an enhanced key usage.

Also make sure your wireless profile on Windows 7 is set to use a user certificate and not a computer certificate.
0
Brandon Miller, Systems Administrator (Author), commented:
I have verified the certificate does have client authentication.

Below is the security event error from the PC.

Subject:
      Security ID:            username@domainname
      Account Name:            USERNAME
      Account Domain:            DOMAINANME
      Logon ID:            0xa0dcf

Network Information:
      Name (SSID):            EAP-TLS
      Interface GUID:            {f1d2f46b-8748-47ff-872f-02920fc14dbc}
      Local MAC Address:      70:F3:95:E1:75:8E
      Peer MAC Address:      B4:E9:B0:E5:2C:33

Additional Information:
      Reason Code:            Explicit Eap failure received (0x50005)
      Error Code:            0x40420110
      EAP Reason Code:      0x40420110
      EAP Root Cause String:      Network authentication failed due to a problem with the user account
0
Jakob Digranes, Senior Consultant, commented:
Try looking at the Event Viewer logs on the NPS server (Custom Views - Server Roles - Network Policy Server).
0

Brandon Miller, Systems Administrator (Author), commented:
"NPSSERVER","IAS",09/20/2018,15:27:37,3,,"domain\username",,,,,,,,0,"ip","WLC_CT5508",,,,,,,5,"Secure Wireless Connections - Test",22,"311 1 IP 09/20/2018 16:50:50 4822",,,,"",,,,,"5ba3f371/mac/1729119",,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

I don't see anything in the Event Viewer, but I do see this in the logs.
0
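The record posted above is an NPS log line in IAS format, which is positional CSV: the meaning of each value depends only on its column, and an empty column means the RADIUS attribute was absent. The following PowerShell is an added example, not code from this thread or from Microsoft; it decodes a record into named fields using the documented IAS column order and the standard packet-type, authentication-type and reason-code tables (only a handful of common reason codes are included). The sample input is the record from this thread, as the poster redacted it.

```powershell
# Added example (not from the thread): decode an NPS IAS-format log record.
# Column positions follow the documented IAS format; lookup tables hold the
# standard RADIUS/NPS code values (reason-code table is deliberately partial).
$PacketTypes = @{ 1 = 'Access-Request'; 2 = 'Access-Accept'; 3 = 'Access-Reject'; 4 = 'Accounting-Request'; 11 = 'Access-Challenge' }
$AuthTypes   = @{ 1 = 'PAP'; 2 = 'CHAP'; 3 = 'MS-CHAP'; 4 = 'MS-CHAP v2'; 5 = 'EAP' }
$ReasonCodes = @{
    0  = 'Success'
    8  = 'The specified user account does not exist'
    16 = 'Authentication failed due to a user credentials mismatch'
    22 = 'The client could not be authenticated because the EAP type cannot be processed by the server'
    48 = 'The connection request did not match any configured network policy'
    49 = 'The connection request did not match any configured connection request policy'
    65 = 'Network Access Permission on the user account is set to Deny access'
    66 = 'The user attempted an authentication method that is not enabled on the matching network policy'
}

function ConvertFrom-IasRecord {
    param([Parameter(Mandatory)][string]$Line)

    # Split on commas that are outside double quotes, then strip the quotes
    $f = [regex]::Split($Line, ',(?=(?:[^"]*"[^"]*")*[^"]*$)') | ForEach-Object { $_.Trim('"') }

    # On a reject, User-Name (column 6) is often empty and the account appears in
    # Fully-Qualified-Distinguished-Name (column 7)
    $user   = if ($f[6]) { $f[6] } else { $f[5] }
    $auth   = if ($f[23]) { $AuthTypes[[int]$f[23]] } else { $null }
    $reason = if ($f[25]) { [int]$f[25] } else { $null }
    $text   = if ($null -ne $reason) { $ReasonCodes[$reason] } else { $null }

    [pscustomobject]@{
        Server          = $f[0]
        Timestamp       = "$($f[2]) $($f[3])"
        PacketType      = $PacketTypes[[int]$f[4]]
        User            = $user
        NasFriendlyName = $f[16]
        AuthType        = $auth
        PolicyName      = $f[24]
        ReasonCode      = $reason
        Reason          = $text
        Class           = $f[26]
    }
}

# The record posted in this thread (client IP redacted by the poster)
$sample = '"NPSSERVER","IAS",09/20/2018,15:27:37,3,,"domain\username",,,,,,,,0,"ip","WLC_CT5508",,,,,,,5,"Secure Wireless Connections - Test",22,"311 1 IP 09/20/2018 16:50:50 4822",,,,"",,,,,"5ba3f371/mac/1729119",,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,'
ConvertFrom-IasRecord -Line $sample | Format-List

# To review only rejects from the default NPS log folder (assumes the default
# path and IAS format; adjust if NPS logs elsewhere or in database format):
Get-Content "$env:SystemRoot\System32\LogFiles\IN*.log" -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-IasRecord -Line $_ } |
    Where-Object { $_.PacketType -eq 'Access-Reject' }
```

For the posted record this yields PacketType Access-Reject, AuthType EAP, policy "Secure Wireless Connections - Test" and reason code 22, the EAP-negotiation failure, which is consistent with the client's "explicit EAP failure received" event and points at the EAP-TLS exchange (certificate or account mapping) rather than at a policy that was never matched.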
Jakob Digranes, Senior Consultant, commented:
Try this to enable logging on NPS:
https://support.microsoft.com/en-ie/help/951005/the-network-policy-server-may-not-log-successful-authentication-events

Also, these are security logs, so if you have hundreds of thousands of audits, your security logs are overwritten long before you can look at them.
Those raw logs are okay for troubleshooting if nothing hits the NPS service.

The certificate: do you have the root certificate and all other certificates trusted on your computer and on the NPS server?
0
Brandon Miller, Systems Administrator (Author), commented:
I checked the certificates in MMC (Local Computer) and verified our RootCA and SubCA certificates are in there and also in the Trusted Root Certification Authorities folder. I checked, and Network Policy and Access Services is being logged in the Event Viewer, but there are no events in there.

I did find this in the administrative events though at the same time I tried to connect.

"The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure."
(screenshot attached: 2018-09-20-16_39_05-BOCCNPS1---Remot.png)
0
Jakob Digranes, Senior Consultant, commented:
Ah ...

Did you see that message on your computer? Then you might be missing the private key.
Open your user certificate; does it have this message on the front page:

You have a private key that corresponds to this certificate

Also, when looking at the certificate in the user store, does it have a key on top of the certificate icon?
0
Brandon Miller, Systems Administrator (Author), commented:
I saw the message on the NPS server. I went back and checked both the PC and the NPS server, and they both have the key on their certificates.
0
Brandon Miller, Systems Administrator (Author), commented:
When I attempt to connect to the Wi-Fi now, it shows there is an issue with my user account. I double-checked the name mappings and have the exact same certificate mapped.
0
Jakob Digranes, Senior Consultant, commented:
Look at the certificate template: how do you populate the subject name? Look at this blog:
https://www.network-node.com/blog/2015/12/24/server-2012-configuration-certificate-templates

(screenshot attached: expertsExchange.png)
0
Brandon Miller, Systems Administrator (Author), commented:
I was using e-mail name and UPN to build the info. I can try and change those right quick. I did notice that our PKI is still SHA1, so I am also going to try and update to SHA2 this week. I don't think Windows 10 allows me to use a SHA1 cert.
0
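The thread walks through the usual EAP-TLS client-certificate checks one at a time: the Client Authentication enhanced key usage, whether a private key is actually bound to the certificate, how the subject name and UPN are populated for NPS to map to the account, and the SHA1 signature of the issuing PKI. The PowerShell below is an added example, not code from this thread or from the blog linked above; it runs those checks against every certificate in the current user's Personal store so the same audit can be repeated on another client. It assumes Windows PowerShell on the client itself (the `Principal Name=` text it parses is how Windows formats the Subject Alternative Name extension), and the OIDs are the standard id-kp-clientAuth and SAN values.

```powershell
# Added example (not from the thread): audit user certificates for EAP-TLS readiness.
# Checks mirror the points raised in the thread: Client Authentication EKU, private
# key present, UPN in the SAN, trusted chain, and SHA-1 signature.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (standard OID)
$SanOid        = '2.5.29.17'           # Subject Alternative Name (standard OID)

function Test-EapTlsUserCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Client Authentication must be among the enhanced key usages
    $ekus = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    if ($ekus -notcontains $ClientAuthOid) {
        $findings.Add('missing Client Authentication EKU (1.3.6.1.5.5.7.3.2)')
    }

    # 2. A private key must be bound to the certificate (the "You have a private key" line
    #    and the key overlay on the icon in certmgr)
    if (-not $Certificate.HasPrivateKey) {
        $findings.Add('no private key associated with this certificate')
    }

    # 3. NPS maps the account from the UPN in the Subject Alternative Name.
    #    On Windows, Format($true) renders it as "Principal Name=user@domain".
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SanOid } | Select-Object -First 1
    $upn = $null
    if ($san) {
        $m = [regex]::Match($san.Format($true), 'Principal Name=([^\r\n]+)')
        if ($m.Success) { $upn = $m.Groups[1].Value.Trim() }
    }
    if (-not $upn) {
        $findings.Add('no User Principal Name in the Subject Alternative Name extension')
    }

    # 4. The chain must build to a trusted root; NPS also checks revocation, so do the same
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings.Add("chain does not build: $status")
    }

    # 5. Flag SHA-1 signatures (the PKI mentioned in the thread is still SHA1)
    if ($Certificate.SignatureAlgorithm.FriendlyName -match 'sha1') {
        $findings.Add("signed with $($Certificate.SignatureAlgorithm.FriendlyName)")
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Upn        = $upn
        NotAfter   = $Certificate.NotAfter
        Ready      = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Evaluate every certificate in the current user's Personal store
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-EapTlsUserCertificate -Certificate $_ } |
    Format-List
```

A certificate that reports `Ready : True` here satisfies the client-side requirements the thread discusses; if the Wi-Fi profile still reports that a certificate is needed, the remaining variables are the profile itself (user versus computer certificate, and which root it trusts for the server) and the account mapping on the NPS side.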
Brandon Miller, Systems Administrator (Author), commented:
Found my issue and fix. Link to fix: https://msitpros.com/?p=1647
1
