EAP-TLS Authentication

Brandon Miller
Brandon Miller used Ask the Experts™
on
EAP-TLS Authentication, I have setup a Network Policy on our NPS server the requires Smartcard or other Certificate to authenticate. I have been attempting to test on a windows 7 laptop. I have gone to the CA and requested a user certificate. I have installed the certificate on my login personal store in MMC. However, when I set the WIFI profile on the Windows 7 laptop it keeps telling me I need to get a certificate.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Commented:
make sure your certificate template have client authentication as enhanced key usage.

Also make sure your wireless profile on windows 7 is set to use user certificate and not computer
Brandon MillerSystems Administrator

Author

Commented:
I have verified the certificate does have client authentication.

Below is the security event error from the PC.

Subject:
      Security ID:            username@domainname
      Account Name:            USERNAME
      Account Domain:            DOMAINANME
      Logon ID:            0xa0dcf

Network Information:
      Name (SSID):            EAP-TLS
      Interface GUID:            {f1d2f46b-8748-47ff-872f-02920fc14dbc}
      Local MAC Address:      70:F3:95:E1:75:8E
      Peer MAC Address:      B4:E9:B0:E5:2C:33

Additional Information:
      Reason Code:            Explicit Eap failure received (0x50005)
      Error Code:            0x40420110
      EAP Reason Code:      0x40420110
      EAP Root Cause String:      Network authentication failed due to a problem with the user account

Commented:
try looking at event viewer logs on NPS server (custom view - server roles - network policy server)
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Brandon MillerSystems Administrator

Author

Commented:
"NPSSERVER","IAS",09/20/2018,15:27:37,3,,"domain\username",,,,,,,,0,"ip","WLC_CT5508",,,,,,,5,"Secure Wireless Connections - Test",22,"311 1 IP 09/20/2018 16:50:50 4822",,,,"",,,,,"5ba3f371/mac/1729119",,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

I dont see anything in the event viewer but I do see this in the logs.

Commented:
try this to enable logging on NPS
https://support.microsoft.com/en-ie/help/951005/the-network-policy-server-may-not-log-successful-authentication-events

also - this is security logs, so if you have 100 000s of audits, then your security logs are overwritten long before you can look at logs.
those raw logs are okay for troubleshooting of nothing hits the NPS service.

the certificate; you have the root certificate and all other certificates trusted on your computer, and NPS server?
Brandon MillerSystems Administrator

Author

Commented:
Checked the Certificates in MMC local computer and verified our RootCA and SubCA certificates are in there and also in the trusted root Auth folder. I checked and the network policy and access services are being logged in the event viewer but there are no events in there.

I did find this in the administrative events though at the same time I tried to connect.

"The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure."
2018-09-20-16_39_05-BOCCNPS1---Remot.png

Commented:
ah ...

did you see that message on your computer? Then you might be missing the private key.
open your user certificate, does it have this message on the front page:

You have a private key that corresponds to this certificate

also - when looking at certificate in user store - does it have a key on top of the certificate icon?
Brandon MillerSystems Administrator

Author

Commented:
I saw the message on the NPS server. I went back and checked both the pc and the nps server and they both have the key on their certificates.
Brandon MillerSystems Administrator

Author

Commented:
When I attempt to connect to the wifi now its shows there is an issue with my user account. I double checked the name mappings and have the exact same certificate mapped.

Commented:
look at certificate template - how do you populate subject name? look at this blog
https://www.network-node.com/blog/2015/12/24/server-2012-configuration-certificate-templates

expertsExchange.png
Brandon MillerSystems Administrator

Author

Commented:
I was using email name and UPN to build the info. I can try and change those right quick. I did notice that our PKI is still SHA1, so I am also going to try and update to SHA2 this week. I don't think Windows 10 allow me to use a SHA1 cert.
Systems Administrator
Commented:
Found my issue and fix. Link to fix: https://msitpros.com/?p=1647

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial