EAP-TLS and Windows NPS

  • 2
  • Question
  • Updated 11 months ago
Hi all,

Hoping to get some help from the community as I'm out of ideas. I am in the process of setting up EAP-TLS wireless authentication with my Aerohive devices using user certificates for authentication only. A guide I was using said to set up a Windows GPO for the Wireless Network Profile to "Open with 802.1x" for the authentication, but I got worried about security in this scenario and reached out to Aerohive support. They said that generally 802.1X setups use the WPA2 Enterprise 802.1x option instead of WEP 802.1x.

So I made the change to WPA2 Enterprise 802.1x and changed the Windows GPO to WPA2-Enterprise as well. Now my NPS server is not allowing users to connect and is giving these errors:

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
Security ID: EDITED
Account Name: EDITED
Account Domain: EDITED
Fully Qualified Account Name: EDITED

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: C4-13-E2-2F-17-67:TestAire
Calling Station Identifier: 00-28-F8-24-48-66

NAS:
NAS IPv4 Address: 192.168.10.241
NAS IPv6 Address: -
NAS Identifier: EDITED-001
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name: EDITED-001
Client IP Address: 192.168.10.241

Authentication Details:
Connection Request Policy Name: TestAir
Network Policy Name: TestAir
Authentication Provider: Windows
Authentication Server: ISV05RADIUS001.EDITED
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: 31433030393843342D3030303030303030
Logging Results: Accounting information was not written to any data store.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Based on this error, it seems like NPS is trying to validate user credentials but all it should be doing is validating the certificate. I can't figure out why it is not working so any help would be appreciated.

Dara K

  • 8 Posts
  • 1 Reply Like

Posted 12 months ago

  • 2

Eugene

  • 13 Posts
  • 2 Reply Likes
I have seen this error before. Check to ensure the AP VLAN is authorized to access the AD server.

Dara K

  • 8 Posts
  • 1 Reply Like
Hi Gene,

The APs, NPS, and ADs are all on the same VLAN for communication. Also, before I made the security change, everything was working perfectly. No network changes were made.

Eugene

  • 13 Posts
  • 2 Reply Likes
When we were using 802.1X we used server-side certificates. The exchange required the AP VLAN to be authorized via the Radius\Server clients options under NPS settings.

You can add an IP range or each AP IP in the list. Without it our authentication did not work.
Example of location.

Dara K

  • 8 Posts
  • 1 Reply Like
Oh, yes, all my APs are set up in that location. The NPS and APs aren't having problems communicating, as the APs are forwarding the authentication requests to the NPS. The issue is the NPS server thinks the request should have user credentials associated with it, but it only has user certificates.

Marcel Heß

  • 27 Posts
  • 4 Reply Likes
Check if the certificate of the NPS Server has a FQDN in the CN.

Dara K

  • 8 Posts
  • 1 Reply Like
It does. I have a 2-tier PKI infrastructure. The Issuer CA gave the RADIUS server a computer certificate and it is using that as its certificate.

Marcel Heß

  • 27 Posts
  • 4 Reply Likes
Have you double-checked that? Once I had a similar issue and it worked after I had the FQDN in the server certificate of the NPS. On Monday I can check my solution. At the moment I am on the go. Sorry.

Dara K

  • 8 Posts
  • 1 Reply Like
When you asked, I verified that it is ComputerName.Domain. I assume you are talking about the certificate that is used for the Network Policy under Authentication Methods - EAP Types. I can wait till Monday. Thanks for the help.

Marcel Heß

  • 27 Posts
  • 4 Reply Likes
No prob. If you find a solution earlier, please let us know. Good luck!

Dara K

  • 8 Posts
  • 1 Reply Like
Hey Marcel - Any chance you were able to look at your setup? Thanks

Marcel Heß

  • 27 Posts
  • 4 Reply Likes
In our case the PKI delivered a certificate to the NPS where the Subject Name wasn't the FQDN. After we generated a cert with the FQDN in the Subject Name, it worked fine.

Maybe this link helps: https://technet.microsoft.com/en-us/library/cc731363(v=ws.11).aspx

Sorry for the delay and the very short answer.

Marcel Heß

  • 27 Posts
  • 4 Reply Likes
Hey Dara,

any updates about your problem? Did you solve it?

Marcel Heß

  • 27 Posts
  • 4 Reply Likes
Maybe I found something interesting for you:

KB4025335 kills certificate-based computer authentication

Dara K

  • 8 Posts
  • 1 Reply Like
Wow, thank you so much Marcel. The minute I removed this patch, everything started working again. Can't thank you enough.

Hoping to re-install the patch and make the Registry change but need to figure out what it is exactly doing.

Thanks again,
Dara
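A triage script for the two things this thread points at, the NPS server certificate's Subject CN / FQDN match that Marcel describes and whether KB4025335 is present, plus a count of the Reason Code 16 denials for the certificate EAP type shown in Dara's event. This is an added example, not code from the thread, Aerohive or Microsoft; it assumes it is run in an elevated PowerShell on the NPS server and that the EAP-TLS server certificate lives in the local machine Personal (My) store.

```powershell
# Added example (not from this thread). Run on the NPS server as administrator.
# Assumes the EAP-TLS server certificate is in Cert:\LocalMachine\My.

$fqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName).ToLower()
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# 1. For every certificate with a private key: is the host FQDN in the Subject CN,
#    does it carry the Server Authentication EKU, is it unexpired, does the chain build?
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
foreach ($cert in $candidates) {
    $cn = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } |
           Select-Object -First 1) -replace '^CN=', ''
    $issues = @()
    if ($cn.ToLower() -ne $fqdn) {
        $issues += "Subject CN '$cn' is not the host FQDN '$fqdn'"
    }
    if (-not ($cert.DnsNameList.Unicode -contains $fqdn)) {
        $issues += 'FQDN not among the certificate DNS names'
    }
    if (($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -notcontains $serverAuthOid) {
        $issues += 'missing Server Authentication EKU'
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        $issues += "expired on $($cert.NotAfter)"
    }
    if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn -ErrorAction SilentlyContinue)) {
        $issues += 'chain or name validation failed (Test-Certificate)'
    }
    $status = if ($issues) { 'CHECK: ' + ($issues -join '; ') } else { 'OK' }
    '{0}  {1}  {2}' -f $cert.Thumbprint, $cn, $status
}

# 2. Is the update the thread identified as breaking certificate-based auth installed?
$kb = Get-HotFix -Id 'KB4025335' -ErrorAction SilentlyContinue
if ($kb) { "KB4025335 installed on $($kb.InstalledOn)" } else { 'KB4025335 not installed' }

# 3. NPS denials (Security event 6273) in the last 24 hours that match the symptom:
#    Reason Code 16 while the EAP type is the certificate method.
$since = (Get-Date).AddDays(-1)
$denials = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Reason Code:\s+16' -and
                   $_.Message -match 'Smart Card or other certificate' }
'{0} certificate-EAP denials with Reason Code 16 since {1}' -f @($denials).Count, $since
```

A certificate that reports OK in step 1 while step 3 still counts denials points away from the certificate itself and toward the server-side change in step 2 or the NPS policy's EAP configuration.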

Dara K

  • 8 Posts
  • 1 Reply Like
Thanks Marcel, I'm out of the office till Monday but will try these out.

Marcel Heß

  • 27 Posts
  • 4 Reply Likes
My pleasure and thanks for sharing the feedback.