We help IT Professionals succeed at work.

EAP-TLS Authentication

594 Views
1 Endorsement
Last Modified: 2018-10-09
EAP-TLS Authentication, I have setup a Network Policy on our NPS server the requires Smartcard or other Certificate to authenticate. I have been attempting to test on a windows 7 laptop. I have gone to the CA and requested a user certificate. I have installed the certificate on my login personal store in MMC. However, when I set the WIFI profile on the Windows 7 laptop it keeps telling me I need to get a certificate.
Comment
Watch Question

Jakob DigranesSenior advisor
CERTIFIED EXPERT

Commented:
make sure your certificate template have client authentication as enhanced key usage.

Also make sure your wireless profile on windows 7 is set to use user certificate and not computer
Brandon MillerSystems Administrator

Author

Commented:
I have verified the certificate does have client authentication.

Below is the security event error from the PC.

Subject:
      Security ID:            username@domainname
      Account Name:            USERNAME
      Account Domain:            DOMAINANME
      Logon ID:            0xa0dcf

Network Information:
      Name (SSID):            EAP-TLS
      Interface GUID:            {f1d2f46b-8748-47ff-872f-02920fc14dbc}
      Local MAC Address:      70:F3:95:E1:75:8E
      Peer MAC Address:      B4:E9:B0:E5:2C:33

Additional Information:
      Reason Code:            Explicit Eap failure received (0x50005)
      Error Code:            0x40420110
      EAP Reason Code:      0x40420110
      EAP Root Cause String:      Network authentication failed due to a problem with the user account
Jakob DigranesSenior advisor
CERTIFIED EXPERT

Commented:
try looking at event viewer logs on NPS server (custom view - server roles - network policy server)
Brandon MillerSystems Administrator

Author

Commented:
"NPSSERVER","IAS",09/20/2018,15:27:37,3,,"domain\username",,,,,,,,0,"ip","WLC_CT5508",,,,,,,5,"Secure Wireless Connections - Test",22,"311 1 IP 09/20/2018 16:50:50 4822",,,,"",,,,,"5ba3f371/mac/1729119",,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

I dont see anything in the event viewer but I do see this in the logs.
Jakob DigranesSenior advisor
CERTIFIED EXPERT

Commented:
try this to enable logging on NPS
https://support.microsoft.com/en-ie/help/951005/the-network-policy-server-may-not-log-successful-authentication-events

also - this is security logs, so if you have 100 000s of audits, then your security logs are overwritten long before you can look at logs.
those raw logs are okay for troubleshooting of nothing hits the NPS service.

the certificate; you have the root certificate and all other certificates trusted on your computer, and NPS server?
Brandon MillerSystems Administrator

Author

Commented:
Checked the Certificates in MMC local computer and verified our RootCA and SubCA certificates are in there and also in the trusted root Auth folder. I checked and the network policy and access services are being logged in the event viewer but there are no events in there.

I did find this in the administrative events though at the same time I tried to connect.

"The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure."
2018-09-20-16_39_05-BOCCNPS1---Remot.png
Jakob DigranesSenior advisor
CERTIFIED EXPERT

Commented:
ah ...

did you see that message on your computer? Then you might be missing the private key.
open your user certificate, does it have this message on the front page:

You have a private key that corresponds to this certificate

also - when looking at certificate in user store - does it have a key on top of the certificate icon?
Brandon MillerSystems Administrator

Author

Commented:
I saw the message on the NPS server. I went back and checked both the pc and the nps server and they both have the key on their certificates.
Brandon MillerSystems Administrator

Author

Commented:
When I attempt to connect to the wifi now its shows there is an issue with my user account. I double checked the name mappings and have the exact same certificate mapped.
Jakob DigranesSenior advisor
CERTIFIED EXPERT

Commented:
look at certificate template - how do you populate subject name? look at this blog
https://www.network-node.com/blog/2015/12/24/server-2012-configuration-certificate-templates

expertsExchange.png
Brandon MillerSystems Administrator

Author

Commented:
I was using email name and UPN to build the info. I can try and change those right quick. I did notice that our PKI is still SHA1, so I am also going to try and update to SHA2 this week. I don't think Windows 10 allow me to use a SHA1 cert.
Systems Administrator
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.