Problem connecting with Windows 8.1 with RADIUS

Has anyone had a problem connecting with Windows 8.1 devices to RADIUS authenticated networks? We have 2 Microsoft Surface tablets, both of which are getting errors when authenticating since they upgraded to 8.1.

I am using a HiveAP (HiveOS 6.1r2.1359) as the RADIUS server to authenticate my clients with PEAP/MSCHAP v2 and using Active Directory as the authentication store. The definition of the network is being pushed out through Group Policy, as well as the certificate.

All other clients that use the network (Windows 7, iOS and Android) don't seem to be having any problems.

Anyone seen or heard of anything similar?

Shawn

Shawn Rasmussen

Posted 5 years ago


Nick Lowe, Official Rep

Can you get us a netsh ras trace on the client via the contents of the c:\windows\tracing directory so we can work out what is going wrong for you?

netsh ras set tracing * enable
{attempt authentication}
netsh ras set tracing * disable
{zip and upload somewhere}

Mike Kouri, Official Rep

I asked one of my coworkers who recently bought a Surface Pro device to try this out, and he wasn't able to reproduce the problem. Do you have Windows RT? Nick's advice will also help the rest of us figure out what went awry...

Shawn Rasmussen

Nick, here is the trace you asked for:
http://sdrv.ms/17KnrCy

Also, these are both Surface Pros running Windows 8.1 pro.

Thanks,

Shawn

Nick Lowe, Official Rep

I notice that the device is domain joined and user login session credentials are being used to attempt to authenticate. Is that what you intend? Sometimes authentication fails because different credentials are intended to be used to connect to the network from those used to log in to the device.

[836] 11-05 11:22:25:217: Use Winlogon credentials is set to Yes

Shawn Rasmussen

That is what is intended. I'm having the users login with their domain accounts to the PCs, then it automatically authenticates them with those credentials to the wifi --> RADIUS --> Active Directory. It is super slick on the other devices and eliminates hassles for the users.

Shawn

Nick Lowe, Official Rep

Can you get us an EAPOL trace from the air using a device in monitor mode? The RAS tracing does not seem to contain much of interest. (Wireshark under OS X or Linux or Network Monitor under Windows with a capable driver.)

Also, have you looked at Aerohive's Client Monitor?

Shawn Rasmussen

Nick,

Sure. Do you have a link that can show me the easiest way to do the EAPOL trace?

I've never looked at the Client Monitor. Looking now.

Shawn

Nick Lowe, Official Rep

If you're using Windows, take a look at http://blogs.technet.com/b/netmon/arc...

If you can just capture what you see in the air from a third party device that is in range of the AP and client and save it in PCAP format, we can dig out what we need from it.

Also take a look at http://blogs.aerohive.com/blog/the-wi... for Client Monitor.

Shawn Rasmussen

Here is some info from client monitor. Let me know if that helps.
http://sdrv.ms/17KswuB

I'll collect the EAPOL trace as well, but it'll be a bit for that.

Thanks for taking the time for this. It is appreciated.

Shawn

Nick Lowe, Official Rep

The interesting lines in the log are:

11/05/2013 12:08:45 PM 6045BDE2534E 4018B1028D95 HiveAP02 DETAIL (59)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=138 length=364

11/05/2013 12:08:45 PM 6045BDE2534E 4018B1028D95 HiveAP02 DETAIL (60)Send message to RADIUS Server(192.168.11.150): code=1 (Access-Request) identifier=139 length=174, User-Name=CONSOLIDATED\srasmussen NAS-IP-Address=192.168.11.151 Called-Station-Id=40-18-B1-02-8D-95:CTC-Employee Calling-Station-Id=60-45-BD-E2-53-4E

11/05/2013 12:08:45 PM 6045BDE2534E 4018B1028D95 HiveAP02 DETAIL (61)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=139 length=64

11/05/2013 12:08:45 PM 6045BDE2534E 4018B1028D95 HiveAP02 DETAIL (61)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=139 length=64

11/05/2013 12:08:45 PM 6045BDE2534E 4018B1028D95 HiveAP02 BASIC (62)Sta(at if=wifi0.2) is de-authenticated because of notification of driver

It would be interesting to see all of what was in the air via a monitor mode capture in the EAPOL traffic.
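A small script, added here and not part of the thread or of Aerohive's tooling, that reads the Client Monitor lines quoted above and states how the RADIUS exchange ended. The sample log is the one quoted above; the verdict categories and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the RADIUS exchange recorded by
# Aerohive Client Monitor for one station and say how it ended. The sample log
# lines below are the ones quoted in the thread; the verdict logic is an assumption.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
11/05/2013 12:08:45 PM 6045BDE2534E 4018B1028D95 HiveAP02 DETAIL (59)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=138 length=364
11/05/2013 12:08:45 PM 6045BDE2534E 4018B1028D95 HiveAP02 DETAIL (60)Send message to RADIUS Server(192.168.11.150): code=1 (Access-Request) identifier=139 length=174, User-Name=CONSOLIDATED\srasmussen NAS-IP-Address=192.168.11.151 Called-Station-Id=40-18-B1-02-8D-95:CTC-Employee Calling-Station-Id=60-45-BD-E2-53-4E
11/05/2013 12:08:45 PM 6045BDE2534E 4018B1028D95 HiveAP02 DETAIL (61)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=139 length=64
11/05/2013 12:08:45 PM 6045BDE2534E 4018B1028D95 HiveAP02 BASIC (62)Sta(at if=wifi0.2) is de-authenticated because of notification of driver
EOF

# radius_user LOG: the User-Name the AP forwarded in its Access-Request
radius_user() {
  sed -n 's/.*User-Name=\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# radius_verdict LOG: one line, ACCEPTED / REJECTED / ABANDONED / INCOMPLETE,
# plus the number of Access-Requests sent and Access-Challenges received.
# ABANDONED means the last RADIUS message was a challenge (the EAP/TLS
# conversation was still in progress) and the station then left the air.
# That is what the thread's log shows: the server never sent Access-Accept
# or Access-Reject, so the conversation broke down on the supplicant side.
radius_verdict() {
  awk '
    /code=2 \(Access-Accept\)/     { last = "accept" }
    /code=3 \(Access-Reject\)/     { last = "reject" }
    /code=11 \(Access-Challenge\)/ { last = "challenge"; challenges++ }
    /code=1 \(Access-Request\)/    { requests++ }
    /de-authenticated/             { deauth = 1 }
    END {
      if (last == "accept")                   v = "ACCEPTED"
      else if (last == "reject")              v = "REJECTED"
      else if (last == "challenge" && deauth) v = "ABANDONED"
      else                                    v = "INCOMPLETE"
      printf "%s requests=%d challenges=%d\n", v, requests + 0, challenges + 0
    }' "$1"
}

radius_user "$LOG"      # CONSOLIDATED\srasmussen
radius_verdict "$LOG"   # ABANDONED requests=1 challenges=2
```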

Shawn Rasmussen

I thought that was interesting as well. Here are my attempts to capture what you requested. Let me know if I didn't get what you need.

http://sdrv.ms/1b9S4yD
http://sdrv.ms/1b390ds

Thanks again.

Shawn

Nick Lowe, Official Rep

The second link isn't working for me - I just get a spinning throbber in Firefox and Safari.

I cannot see any EAPOL in capture1.cap when I opened it in Wireshark.

Shawn Rasmussen

Sorry about that. Let's try again.

http://sdrv.ms/1bWlCRU

Shawn

Nick Lowe, Official Rep

I have just opened the second file in Wireshark and applied "eapol" as the filter. Nothing showed.

That means no 802.1X authentication attempt was made on the channel you were capturing on, assuming you were in range of the client/AP.

Shawn Rasmussen

OK, so I tried again with channel 157 instead. Here are the results.

http://sdrv.ms/175VZvn

Shawn

Nick Lowe, Official Rep

Now that is more like it... I am just having a cursory/initial look at the capture now, the supplicant is responding abnormally...

Have you tried configuring the surface with manually supplied credentials as a test?
That would be my next step in the troubleshooting process...
Have you also reviewed the EAP configuration for/in the Windows supplicant thoroughly?

My hunch is that the credentials for use in MS-CHAP-v2 (username/password) are not available to be supplied for some reason, causing things to go wrong.

Are you able to test it with separately configured credentials?

Shawn Rasmussen

OK, so I filtered out the group policy and I can connect to the network. It prompts me for my username and password. But I can successfully connect after that if I type in my username and password (if I check the box "Use my Windows user account," it will not connect). Although, if I enable preauthentication, it appears to work.

Here are the settings I have it working with if I apply it locally (no GPO):
PEAP Settings:
Verify the server's identity by validating the certificate
Trusted Root CA: HiveManager
Authentication Method: EAP-MSCHAP v2
Enable Fast Reconnect

EAP-MSCHAPv2 Properties:
Automatically use my Windows logon name and password and domain

802.1x Settings:
Authentication mode: User or Computer Authentication

802.11 settings:
Enable PMK caching

I've compared them to what is on the Windows 7 machines that are working and it appears to be the same.

If I set these same settings in a GPO, it will not connect.

Shawn Rasmussen

Correction: It does NOT ask me for my username and password

Shawn Rasmussen

With the GPO, I'm including the CA certificate from HMOL. I am getting these errors in the Windows System log when I connect via GPO (but not when connecting manually):

Log Name: System
Source: Schannel
Date: 11/6/2013 11:44:42 AM
Event ID: 36876
Task Category: None
Level: Error
Keywords:
User: domain\srasmussen
Computer: network-20.domain.local
Description:
The certificate received from the remote server has not validated correctly. The error code is 0x80092012. The SSL connection request has failed. The attached data contains the server certificate.

Log Name: System
Source: Schannel
Date: 11/6/2013 11:44:42 AM
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: domain\srasmussen
Computer: network-20.domain.local
Description:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 43. The Windows SChannel error state is 552.

Nick Lowe, Official Rep

When we look in the EAPOL trace, we can see that you are using an Aerohive generated certificate (not ideal, but convenient).

Could it be there is something there that the supplicant in Windows 8.1 intrinsically doesn't like? Are you validating the certificate in any way?

Can you change to using a commercial one or one you generate from an internal CA?

Nick Lowe, Official Rep

There is some interesting information on certificates here:

https://confluence.terena.org/display...

Take a look at Consideration 2: Recommended certificate properties

For example, could it be that Windows 8.1 is now more stingy about a CRL distribution point being present? A quick look at the certificate that Aerohive generated shows this extension to be missing.

This, apparently, will always make the certificate invalid for Windows Phone 8.
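A check you can run on a RADIUS server certificate before deploying it, added here as an example that is not from the thread or from Aerohive: it builds two constructed self-signed certificates with the openssl CLI (assumed to be 1.1.1 or later; the names are placeholders) and reports whether the CRL Distribution Points extension Nick spotted is present. It goes slightly beyond the thread by also checking for the Server Authentication EKU, which the Windows PEAP supplicant requires on the server certificate.

```shell
#!/bin/sh
# Added example, not from the thread or from Aerohive: report whether a RADIUS
# server certificate carries the extensions a Windows supplicant looks for.
# Assumes the openssl CLI, 1.1.1 or later (for -addext). Names are placeholders.
set -e
WORK=$(mktemp -d)

# Two constructed self-signed test certificates: "bare" has no CRL Distribution
# Points and no EKU, like the generated certificate discussed above; "full"
# carries both plus a SAN matching its CN.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=radius.example.test" \
  -keyout "$WORK/bare.key" -out "$WORK/bare.pem" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=radius.example.test" \
  -addext "subjectAltName=DNS:radius.example.test" \
  -addext "extendedKeyUsage=serverAuth" \
  -addext "crlDistributionPoints=URI:http://crl.example.test/ca.crl" \
  -keyout "$WORK/full.key" -out "$WORK/full.pem" >/dev/null 2>&1

# has_ext CERT PATTERN: succeeds if the decoded certificate text contains PATTERN
has_ext() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

# cert_report CERT: prints "ok", or a comma-separated list of what is missing:
#   no-crl-dp          no CRL Distribution Points extension (what Nick spotted;
#                      Schannel's 0x80092012 is CRYPT_E_NO_REVOCATION_CHECK)
#   no-serverauth-eku  no Server Authentication EKU, which Windows PEAP requires
cert_report() {
  missing=""
  has_ext "$1" "X509v3 CRL Distribution Points" || missing="${missing}no-crl-dp,"
  has_ext "$1" "TLS Web Server Authentication" || missing="${missing}no-serverauth-eku,"
  if [ -z "$missing" ]; then echo ok; else echo "${missing%,}"; fi
}

cert_report "$WORK/bare.pem"   # no-crl-dp,no-serverauth-eku
cert_report "$WORK/full.pem"   # ok
```

Run it against the certificate the AP actually serves (export it from the EAPOL capture or from the management console) by calling cert_report on that PEM file instead of the constructed ones.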

Shawn Rasmussen

From the error I'm getting, it sure seems like certificate validation is the problem. What doesn't make sense to me is why it works fine if I don't deploy with GPO, but not with the GPO.

If I'm going to request a 3rd party certificate, I'm having trouble understanding the steps. If you're familiar, I'd appreciate guidance. Here's what I'm understanding so far:
1. Under Advanced Config, request a Server CSR. I'm not sure if I need to have an actual DNS FQDN for the Common Name or not. I'm assuming I can just leave the Subject Alternative Name fields blank.
2. I can complete the certificate request with my 3rd party CA (GoDaddy). I'm reading that I can just rename their file to .pem and it will work. I hope.
3. Import the certificate into HMOL.
4. I'm guessing I'll have to download and import the GoDaddy CA certificate as well.
5. Then, go to AAA Server Settings and set the CA Cert File and Server Cert File to the ones I just imported. What I'm really unsure of is how I will get the Server Key File. Is that going to be the same as the Server Cert File?

After that, I deploy it to the APs and it should just work, right? I think I'm going to have to schedule a maintenance window for this.

Shawn

Nick Lowe, Official Rep

Yes, the certificate should be for a domain name that you own. The CA you choose needs to validate ownership.

Just follow GoDaddy's standard instructions for getting a Web certificate.

I have never used the built-in RADIUS server in HiveOS but you will want to ensure that you get the full chain to the root included.

You can use OpenSSL at the command line to convert the public and private key in to the forms you might need, if and where necessary.

A maintenance window is definitely advised... You will need to ensure that clients are in a position to be able to trust your new certificate so I would suggest making changes to the GPO first to trust both the old and new certificate, switching over to the new when a sensible time has elapsed to allow propagation.

Shawn Rasmussen

I performed the maintenance last night and replaced this certificate. The Windows 8.1 client now connects to the network flawlessly with the old GPO.

Thanks for the tips, Nick.

I've also been having a problem with the 8.1 clients staying connected, but I think that is probably not related to this authentication issue, so I'm going to start a new thread.

Thanks again!

Shawn

Amanda

Thanks, Nick, for helping out Shawn on this. Glad the issue got resolved.