Avatar of Brandon Miller
Brandon Miller
Flag for United States of America asked on

EAP-TLS Authentication

EAP-TLS Authentication, I have setup a Network Policy on our NPS server the requires Smartcard or other Certificate to authenticate. I have been attempting to test on a windows 7 laptop. I have gone to the CA and requested a user certificate. I have installed the certificate on my login personal store in MMC. However, when I set the WIFI profile on the Windows 7 laptop it keeps telling me I need to get a certificate.
Windows OS* TLSNetworkingWindows 7

Avatar of undefined
Last Comment
Brandon Miller

8/22/2022 - Mon
Jakob Digranes

make sure your certificate template have client authentication as enhanced key usage.

Also make sure your wireless profile on windows 7 is set to use user certificate and not computer
Brandon Miller

ASKER
I have verified the certificate does have client authentication.

Below is the security event error from the PC.

Subject:
      Security ID:            username@domainname
      Account Name:            USERNAME
      Account Domain:            DOMAINANME
      Logon ID:            0xa0dcf

Network Information:
      Name (SSID):            EAP-TLS
      Interface GUID:            {f1d2f46b-8748-47ff-872f-02920fc14dbc}
      Local MAC Address:      70:F3:95:E1:75:8E
      Peer MAC Address:      B4:E9:B0:E5:2C:33

Additional Information:
      Reason Code:            Explicit Eap failure received (0x50005)
      Error Code:            0x40420110
      EAP Reason Code:      0x40420110
      EAP Root Cause String:      Network authentication failed due to a problem with the user account
Jakob Digranes

try looking at event viewer logs on NPS server (custom view - server roles - network policy server)
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
Brandon Miller

ASKER
"NPSSERVER","IAS",09/20/2018,15:27:37,3,,"domain\username",,,,,,,,0,"ip","WLC_CT5508",,,,,,,5,"Secure Wireless Connections - Test",22,"311 1 IP 09/20/2018 16:50:50 4822",,,,"",,,,,"5ba3f371/mac/1729119",,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

I dont see anything in the event viewer but I do see this in the logs.
Jakob Digranes

try this to enable logging on NPS
https://support.microsoft.com/en-ie/help/951005/the-network-policy-server-may-not-log-successful-authentication-events

also - this is security logs, so if you have 100 000s of audits, then your security logs are overwritten long before you can look at logs.
those raw logs are okay for troubleshooting of nothing hits the NPS service.

the certificate; you have the root certificate and all other certificates trusted on your computer, and NPS server?
Brandon Miller

ASKER
Checked the Certificates in MMC local computer and verified our RootCA and SubCA certificates are in there and also in the trusted root Auth folder. I checked and the network policy and access services are being logged in the event viewer but there are no events in there.

I did find this in the administrative events though at the same time I tried to connect.

"The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure."
2018-09-20-16_39_05-BOCCNPS1---Remot.png
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Jakob Digranes

ah ...

did you see that message on your computer? Then you might be missing the private key.
open your user certificate, does it have this message on the front page:

You have a private key that corresponds to this certificate

also - when looking at certificate in user store - does it have a key on top of the certificate icon?
Brandon Miller

ASKER
I saw the message on the NPS server. I went back and checked both the pc and the nps server and they both have the key on their certificates.
Brandon Miller

ASKER
When I attempt to connect to the wifi now its shows there is an issue with my user account. I double checked the name mappings and have the exact same certificate mapped.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
Jakob Digranes

look at certificate template - how do you populate subject name? look at this blog
https://www.network-node.com/blog/2015/12/24/server-2012-configuration-certificate-templates

expertsExchange.png
Brandon Miller

ASKER
I was using email name and UPN to build the info. I can try and change those right quick. I did notice that our PKI is still SHA1, so I am also going to try and update to SHA2 this week. I don't think Windows 10 allow me to use a SHA1 cert.
ASKER CERTIFIED SOLUTION
Brandon Miller

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question