NPS-RADIUS problems with authentication methods.
Hi! I have the following scenario:

PKI infrastructure: 1 offline standalone Root CA (ServerA) and 1 Enterprise Subordinate CA (ServerB), both running Windows Server 2008 R2 Enterprise. ServerB is the one I use to issue certificates.

NPS-RADIUS server (ServerC): Windows Server 2008 R2; the certificate of this server was issued by ServerB using the Workstation template.

Access Point (AP-RADIUS): configured as a RADIUS client on ServerC.

The authentication method I'm using is EAP-TLS; for my clients (domain computers) I'm issuing certificates, either Workstation or User certificates. Both templates are version 1 (Windows 2000). For non-domain computers I created a manual certificate request using certreq, a special manually created template, etc. (http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5). Now my non-domain computer has a valid certificate (I also downloaded the CA certificate chain from http://ServerB/certsrv/), so the NPS server and the non-domain computer trust each other.

When I connect to the Access Point with RADIUS, it prompts me for a user/pwd (maybe because I have 2 rules, one with the condition 'Domain Users' and another that asks for 'Domain Computers'). So I added another rule in NPS named 'Only certificates', under Network Policies:
Condition: NAS port - Wireless IEEE 802.11
Policy enabled, grant network access.
Restrictions: authentication methods: EAP types: Smart card or other certificate (EAP-TLS)
Processing order: 2 (the 1st policy authenticates domain computers with EAP-TLS, and the 3rd, domain users)
Note: in the Network Request Policy section, I don't have 'Invalidate configuration of network authentication policy' enabled on 'Use Windows Authentication for all users' (sorry, I'm translating from Spanish).

But when I connect again from the non-domain computer, it still prompts me for user/pwd. Even if I type the data, it denies me access.
When I check the log on the NPS-RADIUS server, in the Event Viewer I find: Motive code: 22, Motive: client can't be authenticated because the server can't process the EAP type. The question is: it shouldn't be asking me for credentials, right? Also, the event shows that it is using the network policy that I defined recently.
May 18th, 2011 1:20pm

Please paste the event log. You'd better ask in http://social.technet.microsoft.com/Forums/en-US/winserverNAP/threads
May 20th, 2011 10:55am

Here's the event log (sorry, I'm translating):
______
The Network Policy Server denied access to a user. Please contact ...
User:
  Security id: <domain>\<user>
  Account name: <user>
  Domain Account: <domain>
  Complete account name: <domain/OUs.../user>
Client Computer:
  Security id: NULL SID
  Account name: -
  Complete account name: -
  Caller station ID: <MAC Address>
  Caller station ID who calls: <MAC Address>
NAS:
  IPv4 Address NAS: <IP>
  IPv6 Address NAS: -
  NAS Identifier: <AP ID>
  NAS port type: Wireless - IEEE 802.11
  NAS port: 9
RADIUS client:
  Descriptive client's name: <name>
  IP client's address: <IP>
Details of the authentication:
  Connection request policy name: Use Windows authentication for all users
  Network policy name: Only certificates
  Authentication provider: Windows
  Authentication Server: <NPS Server>
  Authentication type: EAP
  EAP type: -
  Session account ID: -
Results of the registry:
  Account information was written to the local registry file.
Motive code: 22
Motive: client can't be authenticated because the server can't process the EAP type.
____________
May 20th, 2011 12:52pm

I'm switching between the authentication methods used in the network policy 'Only certificates' to see how it behaves. With:
EAP-TLS - prompts for credentials and doesn't connect.
PEAP-TLS - prompts for credentials, then comes a warning (described below) with 2 options, Finish and Connect; it doesn't connect when I hit Connect.
EAP-MS-CHAPv2 - prompts for credentials and doesn't connect.
PEAP-MS-CHAPv2 - prompts for credentials, then comes a warning (described below) with 2 options, Finish and Connect; when I hit Connect, it connects.

Warning: The server "NPSServer (ServerC)" presented a valid certificate issued by "RootCA (ServerA)", but "RootCA (ServerA)" is not configured as a valid trust anchor for this profile. Further, the server "NPSServer (ServerC)" is not configured as a valid NPS server to connect to for this profile.

Is it normal for the client to be prompted for credentials when using EAP-TLS or PEAP-TLS? I'm not specifying another authentication method on the 'Only certificates' network policy. I only want to authenticate users by using certificates. It seems like a certificate validation problem.
May 20th, 2011 3:10pm

There are two issues:
1: Client prompts for credentials regardless of NPS configuration.
2: Client is prompted to accept the certificate of the NPS server.

Issue 1: NPS does not dictate to the client what type of authentication it is configured for. The client is prompting for a password because the client is configured for PEAP-MS-CHAPv2. Configure the client for Smartcard or other certificate.

Issue 2: The client prompts to accept the server's certificate because, being a non-domain member, it does not have the server's root CA in the NTAuth store. You can either manually put the root CA cert in the NTAuth store via the following command: certutil -enterprise -addstore NTAuth CA_CertFilename.cer (see KB295663), or you can disable the option to validate the server certificate on the client.

Ketan Thakkar | Microsoft Online Community Support
May 30th, 2011 8:12am

Hi again.

For issue 1: I created a wireless profile with the following settings: WPA2-Enterprise and TKIP. Then I edited some settings on this profile:
1. Security tab -> choose an authentication method -> Microsoft: Smartcard or other certificate (EAP-TLS)
2. Security tab -> disable 'Remember my credentials for this connection...'

For issue 2: It is strange, because the Root CA and the Intermediate CA certificates were imported into the certificate store (Enterprise Root Certification Authorities) of my client before the connection test. But now it is not prompting with the warning about the valid certificate issue.

Now I want to understand the logic of how NPS authenticates/gives permissions to the clients. After clicking on the SSID of the network with RADIUS-WPA2-Enterprise-EAP-TLS, the client is denied access. Is this correct? The client tries to connect, the NPS first uses the Connection request policy -> Use Windows authentication for all users, and then, if the client meets the policy requirements, the NPS server applies, in order, the policies in Network Policies. If my understanding is correct, I think the problem is that NPS is trying to find a computer account but it is never going to find it, because it is a non-domain computer.

This is the log:
-----------------
The Network Policy Server denied access to a user. Please contact ...
User:
  Security id: NULL SID
  Account name: host/<non-domain-computer>
  Domain Account: <domain>   ---- Why does it attach my domain?
  Complete account name: <domain>\host/<non-domain-computer>
Client Computer:
  Security id: NULL SID
  Account name: -
  Complete account name: -
  OS version: -
  Caller station ID: <MAC Address>
  Caller station ID who calls: <MAC Address>
NAS:
  IPv4 Address NAS: <IP>
  IPv6 Address NAS: -
  NAS Identifier: <AP ID>
  NAS port type: Wireless - IEEE 802.11
  NAS port: 9
RADIUS client:
  Descriptive client's name: <name>
  IP client's address: <IP>
Details of the authentication:
  Connection request policy name: Use Windows authentication for all users
  Network policy name: -
  Authentication provider: Windows
  Authentication Server: <NPS Server>
  Authentication type: EAP
  EAP type: -
  Session account ID: -
Results of the registry:
  Account information was written to the local registry file.
Motive code: 8
Motive: The user account specified doesn't exist
-----------------

I noticed another detail: the network policy is not being applied; it seems that it gets stuck when applying the Network Request Policy.
June 22nd, 2011 12:09pm
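As an added example that is not part of this thread, here is a small Python triage helper for the kind of flattened, translated NPS denial events quoted above: it pulls out the fields an NPS admin checks first (account, network policy, EAP type, reason code) and attaches the diagnosis the thread reached for the two reason codes seen here, 22 and 8. The label list, the condensed sample events and the reason texts are constructed from the posts above, not taken from any NPS documentation.

```python
import re

# Field labels as they appear in the translated, one-line NPS denial events pasted in
# this thread; longest first so that "Motive code" is tried before "Motive".
# A value runs from "Label:" to the next known label or the end of the text.
LABELS = sorted([
    "User", "Security id", "Account name", "Domain Account", "Client Computer",
    "Connection request policy name", "Network policy name", "Authentication type",
    "EAP type", "Motive code", "Motive",
], key=len, reverse=True)
_ALT = "|".join(re.escape(label) for label in LABELS)
FIELD_RE = re.compile(r"(%s):\s*(.*?)\s*(?=(?:%s):|$)" % (_ALT, _ALT))

# Reason codes NPS logged in this thread, with the diagnosis the thread reached.
REASONS = {
    "22": "client negotiated an EAP type the matched policy cannot process; a password "
          "prompt means the client profile is PEAP-MS-CHAPv2, not 'Smart Card or other certificate'",
    "8": "no account exists for the identity in the certificate; host/<name> is a computer "
         "identity, which a non-domain machine does not have in AD",
}

def parse_denial(text):
    """Map label -> value; a repeated label (Account name) keeps its first, User-section value."""
    fields = {}
    for label, value in FIELD_RE.findall(text):
        fields.setdefault(label, value)
    return fields

def triage(text):
    """Extract the fields an NPS admin checks first and attach the thread's diagnosis."""
    f = parse_denial(text)
    code, policy = f.get("Motive code", "?"), f.get("Network policy name", "-")
    return {
        "code": code,
        "account": f.get("Account name", "-"),
        "eap_type": f.get("EAP type", "-"),
        "policy": policy,
        # "-" as network policy means NPS denied before any network policy matched.
        "stage": "network policy" if policy != "-" else "account lookup, no network policy matched",
        "reason": REASONS.get(code, "reason code not covered in this thread"),
    }

# Constructed samples condensed from the two events posted above (<...> are the poster's redactions).
EVENT_22 = ("The Network Policy Server denied access to a user User: Security id: <domain>\\<user> "
            "Account name: <user> Domain Account: <domain> Client Computer: Security id: NULL SID Account name: - "
            "Connection request policy name: Use Windows authentication for all users Network policy name: Only certificates "
            "Authentication type: EAP EAP type: - Motive code: 22 Motive: client can't be authenticated because the server can't process the EAP type.")
EVENT_8 = ("The Network Policy Server denied access to a user User: Security id: NULL SID "
           "Account name: host/<non-domain-computer> Domain Account: <domain> Client Computer: Security id: NULL SID Account name: - "
           "Connection request policy name: Use Windows authentication for all users Network policy name: - "
           "Authentication type: EAP EAP type: - Motive code: 8 Motive: The user account specified doesn't exist")
```

Running triage(EVENT_8) reports the "-" network policy as a denial during account lookup, which matches the poster's observation that the network policies were never reached.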
