EAP problem with 802.1x and MS NPS
Posted: 27 Oct 2011 04:52
I have been struggling with this for weeks, banging my head to the wall, so all suggestions are welcome!!
I want to be able to authenticate users before giving them network access using 802.1x and EAP-TLS.
Authentication server: Server 2008 R2 with MS NPS
NAS: 6850
Client: Win 7
6850 is configured as follows:
aaa radius-server SL2008 192.168.1.1 auth-port 1812 key ****
aaa authentication 802.1x SL2008
vlan port mobile 1/7 bpdu ignore enable
vlan port 1/7 802.1x enable
The NPS network policy and CRP are configured as follows:
Authentication: Smart-card or other certificate
Condition: Always (date/time condition)
The Win 7 client is configured as follows:
Smart-card or other certificate, user or comp authentication. No cert validation.
Both user and comp certificates are locally available on the client.
The authentication fails.
The event log tells me this:
Both Network policy and CRP match; Reason code 23, An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Wireshark on the server tells me:
For each authentication attempt the server replies with three "access-challenges". The client responds with a new access-request. After three access-challenges the server sends an access-reject.
The access-request contains the username amongst other data. The access-challenge does not contain the username.
Wireshark also tells me that every access-challenge packet has an IPv4 checksum problem.
The log file on the client "svchost_RASTLS.LOG" tells me:
Unexpected "Code 4" (that means EAP failure)
Otherwise everything looks fine in the log file.
Questions:
What could I try to further narrow the issue down?
Can the IPv4 checksum problem be related to the issue?
Can the lack of user name in the access-challenge cause the EAP to fail?
Are there any RADIUS attributes that the 6850 expects from the RADIUS server (NPS)?
Any suggestions are greatly appreciated!
Regards.
Jonas
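As an added example (not code from the original post or from NPS), a small Python decoder for the RADIUS exchange described above: it parses the RADIUS header and attributes, reassembles the EAP-Message attribute and reports the inner EAP code, so that the three Access-Challenges without User-Name and the final Access-Reject carrying EAP Failure (Code 4) can be confirmed from a capture. The sample packets are constructed; the username, State values and EAP-TLS flag bytes are made up, and the Authenticator and Message-Authenticator fields are zero placeholders rather than computed values.

```python
import struct

# Added example, not code from the post: decodes RADIUS (RFC 2865) and the EAP
# packet carried in EAP-Message attributes (RFC 3579/3748) to summarize an exchange.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
ATTR_USER_NAME, ATTR_STATE, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 24, 79, 80

def parse_radius(pkt):
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then TLV attributes
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS length field disagrees with packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def summarize(pkt):
    # Outer RADIUS code, User-Name (if any), inner EAP code, Message-Authenticator presence
    code, ident, attrs = parse_radius(pkt)
    user = next((v.decode("utf-8") for t, v in attrs if t == ATTR_USER_NAME), None)
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)  # reassemble fragments
    return {"radius": RADIUS_CODES.get(code, code), "id": ident, "user": user,
            "eap": EAP_CODES.get(eap[0], eap[0]) if eap else None,
            "msg_auth": any(t == ATTR_MSG_AUTH for t, _ in attrs)}

def build_radius(code, ident, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def build_eap(code, ident, payload=b""):
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

# Constructed sample mirroring the post: Access-Request, three Access-Challenges (State, no
# User-Name), then Access-Reject carrying EAP Failure (Code 4). 0x0d = EAP-TLS type; flags made up.
SAMPLE = [build_radius(1, 1, [(1, b"jonas"), (79, build_eap(2, 1, b"\x0d\x00")), (80, bytes(16))])]
for i in range(3):
    SAMPLE.append(build_radius(11, 1 + i, [(24, b"s%d" % i), (79, build_eap(1, 2 + i, b"\x0d\x20"))]))
    SAMPLE.append(build_radius(1, 2 + i, [(1, b"jonas"), (24, b"s%d" % i),
                                          (79, build_eap(2, 2 + i, b"\x0d\x00")), (80, bytes(16))]))
SAMPLE.append(build_radius(3, 4, [(79, build_eap(4, 5))]))

def exchange_summary(pkts=SAMPLE):
    return [summarize(p) for p in pkts]
```

Feeding real packet bytes (for example the UDP payloads exported from Wireshark) to summarize() gives the same per-packet view; an Access-Request carrying EAP-Message with msg_auth False would be rejected by a standards-compliant server, which is one thing worth confirming in the capture.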