Unable to get 802.1x working with MS NPS

Posted: 26 Oct 2011 11:59
by jonha134
I want to use 802.1x to authenticate clients (Win 7) using EAP-TLS before allowing network access.

I have been struggling with this for weeks!! Please help :-)

Setup
Radius Server: Server 2008 R2 with NPS
NAS: Omniswitch 6850
Client: Win 7

The Switch is setup like this:
aaa radius-server funk host 192.168.1.1 auth-port 1812 key test
aaa authentication 802.1x funk
vlan port mobile 1/7 bdpu ignore enable
vlan port 1/7 802.1x enable

(the IP interface of the switch is 192.168.1.2)

The Win 7 client is setup like this:
smart-card or other certificate, use a certificate on this computer (simple certificate selection)
no server cert validation
User or computer authentication
The authentication settings match the configured network policy in NPS.
Both user and computer certificates are available locally on the client.

However the authentication fails.

The event id in NPS looks like this:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2011-10-26 15:31:08
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      WIN-NHPP443U13S.SL2008-2.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			SL2008-2\JONAS-M6300-W7$
	Account Name:			host/JONAS-M6300-W7.SL2008-2.com
	Account Domain:			SL2008-2
	Fully Qualified Account Name:	SL2008-2\JONAS-M6300-W7$

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		-
	Calling Station Identifier:		0015c53760bb

NAS:
	NAS IPv4 Address:		192.168.1.2
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			1752134516
	NAS Port:			1007

RADIUS Client:
	Client Friendly Name:		6850
	Client IP Address:			192.168.1.2

Authentication Details:
	Connection Request Policy Name:	Secure Wired (Ethernet) Connections
	Network Policy Name:		Secure Wired (Ethernet) Connections
	Authentication Provider:		Windows
	Authentication Server:		WIN-NHPP443U13S.SL2008-2.com
	Authentication Type:		EAP
	EAP Type:			Microsoft: Smart Card or other certificate
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			23
	Reason:				An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

Wireshark (on the server) tells me for each attempt the pattern looks like this (over and over again)
Access-request
access-challenge
Access-request
access-challenge
Access-request
access-reject

Every access-challenge packet is marked red because of an incorrect IPv4 checksum.

The svchost_RASTLS log file on the win7 client tells me this:
Received failure (code 4)

Suggestions?
I read somewhere that the access-challenge should include the user name under AVP, however it doesn't? Can that be a problem?
Can the IPv4 checksum be related to the code 4?
Is it possible to configure the 6850 to log the RADIUS traffic/events?
Must the NPS include some RADIUS attributes? Which?
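As an added example (not part of the thread), a small Python parser that turns the Description text of an NPS event 6273 like the one quoted above into fields and surfaces the reason code, so repeated failures can be grouped by NAS, client MAC and reason. The sample event is constructed from the values in the post; REASON_HINTS is an assumption that covers only reason code 23.

```python
import re

# Constructed sample modelled on the NPS event 6273 text in the post above
# (shortened; not a real capture).
SAMPLE_EVENT = """\
Network Policy Server denied access to a user.

User:
\tSecurity ID:\t\t\tSL2008-2\\JONAS-M6300-W7$
\tAccount Name:\t\t\thost/JONAS-M6300-W7.SL2008-2.com
Client Machine:
\tCalling Station Identifier:\t\t0015c53760bb
NAS:
\tNAS IPv4 Address:\t\t192.168.1.2
\tNAS Port-Type:\t\t\t1752134516
Authentication Details:
\tNetwork Policy Name:\t\tSecure Wired (Ethernet) Connections
\tAuthentication Type:\t\tEAP
\tEAP Type:\t\t\tMicrosoft: Smart Card or other certificate
\tReason Code:\t\t\t23
\tReason:\t\t\t\tAn error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
"""

# Assumed triage hints; only code 23 is taken from the event text on this page.
REASON_HINTS = {
    "23": "EAP failure inside NPS: check the EAP type and certificate settings of the matching network policy",
}

def parse_nps_event(text: str) -> dict:
    """Parse an NPS 6273/6272 Description into {section: {field: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith("\t") and line.endswith(":"):
            current = line[:-1]          # section header, e.g. "NAS:"
            sections[current] = {}
            continue
        m = re.match(r"^\t([^:]+):\s*(.*)$", line)   # "\tKey:\t\tvalue"
        if m and current is not None:
            sections[current][m.group(1).strip()] = m.group(2).strip() or "-"
    return sections

def triage(event: dict) -> dict:
    """Pull out the fields an admin groups failures by, plus a hint for the reason code."""
    auth = event.get("Authentication Details", {})
    code = auth.get("Reason Code", "")
    return {
        "account": event.get("User", {}).get("Account Name", "-"),
        "nas_ip": event.get("NAS", {}).get("NAS IPv4 Address", "-"),
        "mac": event.get("Client Machine", {}).get("Calling Station Identifier", "-"),
        "eap_type": auth.get("EAP Type", "-"),
        "reason_code": code,
        "hint": REASON_HINTS.get(code, "see Reason text: " + auth.get("Reason", "-")),
    }

if __name__ == "__main__":
    print(triage(parse_nps_event(SAMPLE_EVENT)))
```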

Re: Unable to get 802.1x working with MS NPS

Posted: 31 Oct 2011 03:09
by one6f
Hi,
are you looking here?

Re: Unable to get 802.1x working with MS NPS

Posted: 01 Nov 2011 08:19
by jonha134
Thanks, that would have been really helpful at an earlier stage, because I just got it to work. The solution was almost embarrassingly simple.

In the Network Policy in NPS, under "Smart Card or other certificate Properties" there is a dropdown. Earlier (99.5 % sure of this) there was only one choice available ("SL2008-CA"), i.e. the name of the CA. Now, for some reason, there are two choices: besides SL2008-CA there is a different option, "[servername].SL2008.com". With that setting, it works.

Can something have changed that made the second option available? What does the setting mean?

Regards and thanks for all the help!

Jonas