Problem with 802.1x wired & wireless
I'm trying to set up 802.1x for both wired and wireless networks. I've built a Windows Server 2008 R2 PKI and auto-enrolled user and computer certificates. My aim is to have both the computers and the users authenticate with the certificates. To do this, I have been defining the authentication setting as "Microsoft: Smart Card or other certificate". However, this appears to only be working with the computer certificates. If I try to authenticate with the user certificate, I get an EAP reason code 22 (The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server).

If I modify the NPS authentication methods so that ALL possible permutations are allowed, the user can then connect BUT the log shows that the authentication method used is "Microsoft: Secured password (EAP-MSCHAP v2)". The order that I've got the methods defined in is:

  1. Microsoft: Smart Card or other certificate
  2. Microsoft: Protected EAP (Smart Card or other certificate)
  3. Microsoft: Protected EAP (Secured password)

(Note that you can only add Protected EAP once - I've added the two EAP types within the properties.)

If I define a Group Policy to force authentication by certificate, the client complains that it needs a certificate ... and it clearly has one! I cannot see anything in the logs that helps me to understand why the certificate it has isn't being used.
September 6th, 2011 5:37am
I came across this thread: http://social.technet.microsoft.com/Forums/en-CA/winserversecurity/thread/0799e45b-7ffb-4d90-b373-b962afc1d69c and realised that I had created the user certificates with a Windows Server 2008 Enterprise template type. So I've now recreated the user certificate with a Windows Server 2003 Enterprise template type but it still authenticates using Secured Password :-(.
September 6th, 2011 6:30am
Hi,

This issue is more server related. In order to get the answer effectively, it is recommended to submit a new question in the Windows Server Forum. The reason why we recommend posting appropriately is that you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us.

Thank you for your understanding.

Regards,
Sabrina
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact firstname.lastname@example.org.
September 7th, 2011 1:01am
Hi Philip - Just FYI, EAP only provides one method of authentication per connection - in other words, you can connect with a user certificate or a computer certificate, but not both for one connection attempt. This type of dual authentication doesn't work.

Do your client computers trust the CA that issued the NPS server's certificate? For clients to trust the NPS server, they must trust the server certificate that NPS provides to the clients during the authentication process. For the clients to trust the certificate, they must have the CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer.

Hope that helps -James McIllece
September 8th, 2011 6:14pm
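Following James's point about certificate trust, the check below is an added PowerShell example (not from this thread, and not a Microsoft tool): it lists the current user's certificates that EAP-TLS could offer (private key present, Client Authentication EKU), reports which certificate template issued each one, and verifies that each chains to a root in the computer's Trusted Root store. It assumes it is run on the domain-joined client as the user whose certificate is being rejected, with Windows PowerShell 2.0 or later.

```powershell
# Added check (not from the thread): which user certificates are usable for
# EAP-TLS, from which template, and do they chain to a trusted root?
# Assumptions: run on the client as the affected user; Windows PowerShell 2.0+.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, required on an EAP-TLS user cert

function Get-TemplateName {
    param($Cert)
    # v1 templates carry "Certificate Template Name" (..20.2); v2 templates such as
    # "Windows Server 2003 Enterprise" carry "Certificate Template Information" (..21.7)
    $ext = $Cert.Extensions | Where-Object {
        @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') -contains $_.Oid.Value
    } | Select-Object -First 1
    if ($ext) { $ext.Format($false).Trim() } else { '(no template extension)' }
}

function Get-EapTlsUserCandidate {
    # EAP-TLS only offers certificates that have a private key and the Client Authentication EKU
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    }
}

function Test-TrustedChain {
    param($Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust check only; NPS does its own revocation check
    $built = $chain.Build($Cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # The top of the chain must be present in the Local Computer Trusted Root store
    $inRootStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $top.Thumbprint }
    New-Object PSObject -Property @{
        Subject     = $Cert.Subject
        Template    = Get-TemplateName $Cert
        ChainBuilds = $built
        RootTrusted = [bool]$inRootStore
        ChainTop    = $top.Subject
        Status      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$candidates = @(Get-EapTlsUserCandidate)
if ($candidates.Count -eq 0) {
    Write-Warning 'No user certificate with a private key and the Client Authentication EKU was found; EAP-TLS has nothing to offer from this store.'
}
$candidates | ForEach-Object { Test-TrustedChain $_ } | Format-List
```

A certificate that is listed but shows RootTrusted as False, or no candidate at all, is the client-side condition that produces the "needs a certificate" complaint described in the question; a candidate that passes points the investigation back at the NPS policy and its authentication-method order.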