Network Policy Server: cannot authenticate (error 22)

Armitage318 asked:

Hi, I am trying to configure Network Policy Server on a recently added Windows 2019 Domain Controller (the other existing DC is Windows 2008, with a working NPS).
I believe I replicated every NPS configuration from the Windows 2008 DC to the new one, but when I try to authenticate wireless devices (smartphone, laptop) with AD credentials, it is not working.
I checked on NPS logs and I noticed this error:

NPS Server Reason Code 22 The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server

This is my constraints menu (sorry, it is in Italian)
User generated image
The wireless AP is Cambium. I have other wireless networks (different SSIDs) that are correctly working with the other Network Policy Server, so I assume the access point configuration is OK.
Thank you!
Tags: Wireless Networking, Windows OS, Networking, Active Directory

Craig Beck:

Have you installed a certificate on the new NPS server?
Armitage318 (asker):

Hi some one,
no, I don't.
My assumption is that by adding this DC to an existing AD forest, the certificate issued for our domain (already present on the other DC) was already transferred to the new one. If not, how can I proceed to deploy a new certificate?
Will this affect my AD infrastructure or will it be "local" to that controller?
Thank you
arnold:

Are you sure you do not need PAP-based auth enabled?
Check the 2008 EAP settings.
Craig Beck:

The certificate won't be copied to the new DC. If you have a cert issued to the new DC via GPO you may be able to use that for EAP in NPS.

If you don't have a cert on the new DC and you issued a specific cert to the original DC for EAP you can export it with the private key and import into the new DC and assign it to the EAP process in NPS on the new DC.

PAP-based auth is not used by EAP, so unless you're doing PAP (which you won't for 802.1x) leave it disabled.
Armitage318 (asker):

Hi, I tried to edit the EAP settings on the original DC (the one that is already working), and I got this message (basically it says that the certificate is not found!)

User generated image


Also, if I search for accepted logins on that server, it seems that users are actually using EAP-MSCHAP instead of EAP:

User generated image
Obviously on the new server, the settings are in the same order: MSCHAP first, then EAP.

arnold:

Certificato: if it deals with the certificate, "some one" put his finger on the issue.
Armitage318 (asker):

Hi, did you mean the certificate that is visible under IIS? There is only one certificate and it is issued for WMSvc-servername, not company.local.
Is that relevant? Should I export/import the certificate below to solve my problem? Thank you

User generated image

arnold:

I think it is the certificate that is assigned to the NPS service:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/fa6f6de3-b715-452d-a68a-0ea4374167b7/radius-nps-server-and-certificate

Without a debug of what traffic is being sent and received on the NPS I am merely guesstimating based on the errors you post.
Whether the certificate the client presents is invalid, or the NPS certificate is at issue, or the NPS is unable to validate the certificate being presented by the client, etc.

Look on the existing NPS: what is the certificate that it has?
You could look at the certificate of the computer, and export a PFX...

Do you have an internal Certificate Authority?
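A way to do the check arnold suggests, as an added example (not code from the thread or from Microsoft): run it on each NPS host to see which computer certificates NPS can offer for PEAP/EAP-TLS and why the others (the WMSvc one, an untrusted or soon-expiring one) do not qualify. It assumes the NPS name is the local machine's FQDN and uses an assumed 60-day expiry warning threshold.

```powershell
# Added example, not code from the thread: audit the computer certificate store on an
# NPS host and report which certificates NPS can offer for PEAP / EAP-TLS. NPS needs a
# certificate with a private key, the Server Authentication EKU, a name matching the
# server, and a chain that the machine trusts. Run elevated on the NPS server.
param(
    [string]$HostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [int]$WarnDays = 60   # assumption: flag certificates with fewer than 60 days left
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $problems = New-Object System.Collections.Generic.List[string]

    if (-not $cert.HasPrivateKey) { $problems.Add('no private key (import the PFX, not the .cer)') }

    $ekus = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
              ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    if ($ekus -notcontains $serverAuthOid) { $problems.Add('missing Server Authentication EKU') }

    # Subject CN or a DNS SAN entry must match the host; the IIS management cert
    # (CN=WMSvc-<host>) fails this check and is not offered in the EAP settings.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1] }) }
    if ($names -notcontains $HostFqdn) { $problems.Add("name does not match $HostFqdn (has: $($names -join ', '))") }

    # Build the chain as the machine store sees it; an issuer that is not in
    # Trusted Root Certification Authorities shows up as UntrustedRoot here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems.Add("chain not trusted ($status)")
    }

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $WarnDays) { $problems.Add("expires in $daysLeft days") }

    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        UsableForEap = ($problems.Count -eq 0)
        Problems     = ($problems -join '; ')
    }
}

$results | Sort-Object UsableForEap -Descending | Format-Table -AutoSize -Wrap
```

A certificate that lists no problems here is one NPS will show in the PEAP/EAP-TLS settings; a "chain not trusted" entry means the issuing CA is missing from the machine's trusted root store, which is the situation described later in this thread.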
Armitage318 (asker):

Hi arnold, no, I don't have an internal CA.
So it seems I am going to create my FIRST certificate for EAP authentication.
My last doubt is: since I am using 2 NPS, should I create a certificate with a "generic" Common Name, e.g. company.local?
Or should I create two certs:
server1.company.local
server2.company.local
and install them on each NPS respectively?

Thank you
ASKER CERTIFIED SOLUTION
Craig Beck:

Armitage318 (asker):

Hi, I think I figured out the EAP issue on this NPS server.
If I open mmc -> snap-in -> Certificates, I do see a certificate issued for this server hostname; anyway it seems it is not "trusted":
User generated image

My question is: should I generate a NEW SSL certificate, only for NPS, or is there a way to "trust" that certificate (already present on that machine)?

arnold:

Check what you have on the 2008 and match it.

Seems odd that you're looking at the certificate on the system and it tells you it is untrusted.

What generated the certificate? Look at the certification path and see why it shows up as not trusted.
The certificate is only valid for the next couple of months.
Armitage318 (asker):

I installed the Active Directory Certificate Services role (and Certification Authority Web Enrollment), generated a NEW CA, and trusted the existing certificate issued to server1.company.local.
Now, in EAP settings, I do see that certificate listed.
WiFi authentication is working now.
So it was definitely an issue with the certificate.
I followed this resource:
https://www.ictpower.it/sistemi-operativi/implementare-reti-wireless-sicure-con-802-1x-ed-eap-tls-con-windows-server-2016.htm
