getting PEAP with EAP-MSCHAP v2 working on Windows 2008

getting PEAP with EAP-MSCHAP v2 working on Windows 2008

Postby blin » Fri Dec 02, 2011 10:13 pm

I'm a little new to the Domain Admins group so excuse me if I'm not familiar with all of the terms. My current problem is this.

I have a brand new Cisco WLC with all brand new WAPs. I'm trying to setup WPA2-Enterprise using PEAP. I started off by following step by step of this implementation: http://www.windowsnetworking.com/articl ... Part1.html

I think I'm extremely close to having this working, but I have not found a resolution yet. I've searched all over the internet and have still found no resolution.

I have created the cert, etc. and installed it on clients. The WLC seems to be forwarding the information along correctly. Below are the security events that I see in the logs on the DC.

First:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/21/2011 9:59:53 AM
Event ID: 5061
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: XXXX.local
Description:
Cryptographic operation.

Subject:
Security ID: SYSTEM
Account Name: XXX
Account Domain: XXX
Logon ID: 0x3e7

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: certificate-CA
Key Type: Machine key.
Then immediately following:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/21/2011 9:53:58 AM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: XXXXX.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: domain\user
Account Name: domain\user
Account Domain: domain
Fully Qualified Account Name: domain\user

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 10-8c-cf-10-f4-30:vbw-test
Calling Station Identifier: 18-3d-a2-00-6b-c8

NAS:
NAS IPv4 Address: 10.0.X.X
NAS IPv6 Address: -
NAS Identifier: WLC
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 13

RADIUS Client:
Client Friendly Name: WLC
Client IP Address: 10.0.X.X

Authentication Details:
Connection Request Policy Name: Secure Wireless Connections 2
Network Policy Name: Secure Wireless Connections 2
Authentication Provider: Windows
Authentication Server: DC.local
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Please help, I've been looking at this for hours and am completely out of options!
How to Configure and Troubleshoot Cisco
http://www.howtocisco.com

Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com
blin
Site Admin
 
Posts: 2367
Joined: Wed Dec 31, 1969 7:00 pm
Location: Chicago, USA

Re: getting PEAP with EAP-MSCHAP v2 working on Windows 2008

Postby blin » Fri Dec 02, 2011 10:13 pm

I scanned the article you referenced and it is a little odd. For example, it isn’t necessary to install RRAS with routing unless you plan to use the server as a VPN server and a router. It also isn’t recommended to install a Root CA on your DC, but you might not have other options.

By the way, what OS is the client running?

Try this step: http://technet.microsoft.com/en-us/libr ... 4152(WS.10).aspx to install a certificate on NPS. Then, check your NPS connection request policy and make sure you have chosen this certificate to use with PEAP. If you have problems with this step, let me know.

The step below figure 11 in the article you referenced appears to be wrong. It says to request a new certificate and choose Domain Controller. You should choose Computer here. The important thing is that the certificate must have the server authentication purpose.

To troubleshoot this, the events you want to monitor are under Custom Views\Server Roles\Network Policy and Access Services. You already found one of them (event 6273) which says there is an Audit Failure.

The authentication details section of this event is important because it tells you that the client matched the connection request policy named “Secure Wireless Connections 2” and then matched the network policy named “Secure Wireless Connections 2.” This is important because it tells you which policies you need to review.

Also look at the reason code in the event. A list of reason codes is here: http://technet.microsoft.com/en-us/libr ... 7464(WS.10).aspx

Your reason code is 23. Unfortunately this reason code is associated with a few different kinds of problems, but let’s start by trying to get the correct certificate on your NPS server (the Computer certificate) and editing the PEAP settings so that this certificate is used for authentication as described in the link I gave you.

-Greg
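The post above points at the Authentication Details block of event 6273 (matched connection request policy, matched network policy, reason code). The following script is an added example, not code from the thread or from Microsoft: it pulls recent 6273 events from the Security log on the NPS server and reads the structured EventData instead of the rendered message. The `Data Name` values it uses (`ProxyPolicyName`, `NetworkPolicyName`, `EAPType`, `ReasonCode`, and so on) are the field names event 6273 carries in its XML; if a build differs, compare against `(Get-WinEvent -FilterHashtable @{LogName='Security';Id=6273} -MaxEvents 1).ToXml()`. The reason-code table is a partial map of Microsoft's published list, and the "empty EAP Type plus Authentication Type PEAP means the outer TLS stage failed" rule is a troubleshooting heuristic drawn from this thread, not something NPS reports directly.

```powershell
# Added example (not from the thread): triage NPS event 6273 "denied access" entries
# on the NPS/DC itself. Run elevated; reading the Security log needs it.
param(
    [int]$Last = 20   # how many recent rejections to show
)

# Partial map of NPS reason codes (from Microsoft's published reason-code list).
# Anything not listed is shown with the Reason text NPS itself supplied.
$ReasonHints = @{
    16  = 'Credential mismatch: wrong user name or password'
    22  = 'EAP type requested by the client is not configured on the server'
    23  = 'EAP error: the TLS/certificate stage usually failed before the inner method ran'
    48  = 'Request matched no network policy'
    49  = 'Request matched no connection request policy'
    66  = 'Authentication method not enabled in the matched network policy'
    265 = 'Certificate chain was issued by an authority that is not trusted'
}

function Get-NpsRejection {
    param([int]$MaxEvents = 20)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($e in $events) {
        # Build a name->value table from the event's EventData block.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $code = [int]$data['ReasonCode']
        $hint = if ($ReasonHints.ContainsKey($code)) { $ReasonHints[$code] } else { $data['Reason'] }

        # Heuristic (assumption, see lead-in): Authentication Type = PEAP with an empty
        # EAP Type means EAP-MSCHAPv2 was never reached, so the PEAP TLS handshake and
        # therefore the server certificate is the first thing to check.
        $eap = $data['EAPType']
        $outerFailed = ($data['AuthenticationType'] -eq 'PEAP') -and
                       ($eap -eq '-' -or [string]::IsNullOrEmpty($eap))

        New-Object PSObject -Property @{
            Time            = $e.TimeCreated
            User            = $data['FullyQualifiedSubjectUserName']
            Client          = $data['CallingStationID']     # client MAC
            SSID            = $data['CalledStationID']      # AP MAC:SSID
            NAS             = $data['NASIdentifier']
            CRP             = $data['ProxyPolicyName']      # connection request policy
            Policy          = $data['NetworkPolicyName']
            AuthType        = $data['AuthenticationType']
            EAPType         = $eap
            ReasonCode      = $code
            Hint            = $hint
            CheckServerCert = $outerFailed
        }
    }
}

Get-NpsRejection -MaxEvents $Last |
    Sort-Object Time -Descending |
    Format-List Time, User, Client, SSID, NAS, CRP, Policy, AuthType, EAPType, ReasonCode, Hint, CheckServerCert
```

For the event quoted in the first post this prints CRP and Policy both as "Secure Wireless Connections 2", ReasonCode 23 and CheckServerCert True, which is the same conclusion the reply reaches by hand: review those two policies and the PEAP server certificate first.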

Re: getting PEAP with EAP-MSCHAP v2 working on Windows 2008

Postby blin » Fri Dec 02, 2011 10:14 pm

Thanks for the quick response. Unfortunately, I don't think I have a whole lot of other options than running the CA on the DC. Maybe because dcpromo has already been run on this machine, I don't get just the "Computer" box for the certificate enrollment process. These are my only options:

Directory Email Replication
Domain Controller
Domain Controller Authentication

I can click on "Show All Templates" box, but it has computer greyed out in there.

As far as the logs in Custom Views\Server Roles\Network Policy and Access Services go, besides the 6273 error I'm getting, the only other thing that shows in there when I try to authenticate is:

Log Name: System
Source: NPS
Date: 4/21/2011 4:23:12 PM
Event ID: 4400
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: domain.local
Description:
A LDAP connection with domain controller domain.local for domain XXX is established.

Let me know what you think I should try next.

Thanks for the help!

Re: getting PEAP with EAP-MSCHAP v2 working on Windows 2008

Postby blin » Fri Dec 02, 2011 10:14 pm

We are going to get this problem solved for you.

First, I would be remiss if I didn't comment that installing a lot of services on a DC that aren't needed is a security risk and can be a performance issue. If I were you, I'd at least remove Routing and Remote Access since you aren't using this as a VPN server.

The reason that some of the certificates aren't available is because you don't have sufficient permissions. You can view these permissions on the Security tab of the template. You can see all templates by opening the Certificate Templates Console (certtmpl.msc).

I checked the Enhanced Key Usage (EKU) for the Domain Controller template and it is the same as the Computer certificate template, so it should be OK to use this. We don't need to worry about issuing a Computer certificate.

What logs do you see in Windows\System32\Logfiles?

I have found that the IAS Log Viewer tool is useful and does also read NPS logs, at least on Server 2008. I haven't tried it yet on 2008 R2.

-Greg

Re: getting PEAP with EAP-MSCHAP v2 working on Windows 2008

Postby blin » Fri Dec 02, 2011 10:15 pm

Glad to hear that you think we might get this taken care of!

I did go ahead and take your good advice and uninstalled the Routing and Remote Access modules. Appreciate it.

I downloaded the IAS log viewer and it works well with 2008 R2. It does show a good bit of detail in a good format; unfortunately all of the messages are pretty generic.

On both the Records and the Connects tabs I see rejected messages at the same times. I'll outline some of what the values are.

Records:
Packet-Type Access-Reject
NAS-Port-Type Async (Modem)
Authentication-Type 11
Reason-Code Unexpected error. Possible error in server or client configuration.

Connects:
Connect Request Unexpected error. Possible error in server or client configuration.
Connect Result Rejected
Server NasPort 13
Terminate Cause Unexpected error. Possible error in server or client configuration.
NAS Port Type Wireless - IEEE 802.11
Tunnel Type Virtual LANs (VLAN)

I feel this could be due to the configuration in the Network Policy and maybe not the cert. The Domain Controller cert is originally what I was using. If you go into the Network Policy and click on the Settings tab, I have Framed-Protocol - PPP and Service-Type - Framed. I think during the initial config, it mentioned setting up VLANs in this area. Could this be my problem?

You also asked previously what OS the client is running: Windows 7 Professional, and I've tried Windows XP as well.

Thanks for the help Greg, really appreciate it!

Re: getting PEAP with EAP-MSCHAP v2 working on Windows 2008

Postby blin » Fri Dec 02, 2011 10:15 pm

I have several suggestions below.

From the NPS server side,

a. Click Start, type mmc in start search panel, add Certificate, choose computer account.
b. Please ensure the root CA certificate is stored in "Trusted Root Certification Authorities->certificate".
c. Please ensure the certificate with server authentication usage and private key is stored in "Personal->certificate".

From the client side,

a. Click Start, type mmc in start search panel, add Certificate, choose computer account.
b. Please ensure the root CA certificate is stored in "Trusted Root Certification Authorities->certificate".
c. Please ensure the certificate with client authentication usage and private key is stored in "Personal->certificate".

Moreover, if you are interested in the EAP error, enable RRAS tracing by running "netsh ras set tracing * enabled" on the NPS server and check for errors in the RASCHAP or RASTLS log under the %systemroot%\tracing folder.

Re: getting PEAP with EAP-MSCHAP v2 working on Windows 2008

Postby blin » Fri Dec 02, 2011 10:16 pm

You only need the client certificate described in step c if you are using PEAP EAP-TLS (client authentication with a certificate). The other choice is client authentication with a password (PEAP-MSCHAPv2). See http://support.microsoft.com/kb/814394 for some info about this. Which of these methods are you using? The link you provided indicates that you are using MSCHAP v2: http://www.windowsnetworking.com/img/up ... 230506.jpg.

Why do you say that the server certificates expire as soon as you create them? The link you provided gave advice to set the validity period for 20 years. If these certificates are indeed expiring then this may be the problem.

The export/import requirement on the client has to do with the ability of the client to authenticate against a trusted source. It has to do with the certificate path, which always starts with a Root CA. Your DC is the Root CA if you followed the instructions in the original link you provided. Therefore, the client needs to have this CA listed in "Trusted Root Certification Authorities"; see below:

The image above has the Personal\Certificates container highlighted, which is where the certificate would be stored for PEAP EAP-TLS (which I think you are not using). Immediately below this is the container where you should have your Root CA certificate. If you look through the certificates in "Trusted Root Certification Authorities" you must see one that is from your DC. If you don't see this, then the client will not trust NPS because it does not trust the server certificate.

-Greg

Re: getting PEAP with EAP-MSCHAP v2 working on Windows 2008

Postby blin » Fri Dec 02, 2011 10:16 pm

I almost forgot to answer your other question.

You don't need RRAS installed to use RAS tracing with NPS.

See http://blogs.technet.com/b/rrasblog/arc ... 37481.aspx for some information about this.

I still like to use the command netsh ras set tracing * en although I see you can also use netsh ras diagnostics set rastracing * en

Be sure to disable afterward (netsh ras set tracing * dis).

-Greg
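The two posts above describe the RAS tracing procedure by hand: enable it with `netsh ras set tracing * enabled`, reproduce the failure, read the EAP trace files under %systemroot%\tracing, and turn tracing off again. The script below is an added example that is not from the thread; it wraps that cycle so the trace covers exactly one reproduction and the error lines are pulled out afterwards. It assumes the PEAP outer TLS trace is written to RASTLS.LOG and the inner MS-CHAP trace to RASCHAP.LOG in that folder, and that the pattern it greps for (`error`, `fail`, eight-hex-digit status codes) is a reasonable first filter rather than an exhaustive one. Run it elevated on the NPS server.

```powershell
# Added example (not from the thread): capture one failed PEAP attempt with RAS
# tracing enabled, then pull the interesting lines out of the EAP trace files.
$TraceDir = Join-Path $env:SystemRoot 'tracing'
$Files    = 'RASTLS.LOG', 'RASCHAP.LOG'   # assumed file names (PEAP/TLS stage, MS-CHAP stage)

function Start-EapTrace {
    # Remove stale traces first so the capture only contains this reproduction.
    foreach ($f in $Files) {
        $p = Join-Path $TraceDir $f
        if (Test-Path $p) { Remove-Item $p -Force }
    }
    & netsh ras set tracing * enabled | Out-Null
}

function Stop-EapTrace {
    # Tracing is verbose and writes continuously; always switch it back off.
    & netsh ras set tracing * disabled | Out-Null
}

function Get-EapTraceErrors {
    param([int]$Context = 2)   # lines of context to show after each hit
    foreach ($f in $Files) {
        $p = Join-Path $TraceDir $f
        if (-not (Test-Path $p)) {
            Write-Warning "$f was not written. Was an authentication actually attempted?"
            continue
        }
        # Lines mentioning errors, failures or hex status codes are the ones worth reading first.
        Select-String -Path $p -Pattern 'error|fail|0x[0-9A-Fa-f]{8}' -Context 0, $Context |
            ForEach-Object { '{0}:{1}: {2}' -f $f, $_.LineNumber, $_.Line }
    }
}

Start-EapTrace
Write-Host 'Tracing enabled. Reproduce the wireless logon failure now, then press Enter.'
Read-Host | Out-Null
Stop-EapTrace
Get-EapTraceErrors
```

Leaving tracing on is the usual mistake: the files grow without bound and contain credential-adjacent detail, so the disable step is not optional, which is the same point the post makes.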

Re: getting PEAP with EAP-MSCHAP v2 working on Windows 2008

Postby blin » Fri Dec 02, 2011 10:16 pm

You can install another certificate fairly easily if you want to extend the validity period. It looks like the original problem is that there was something wrong with the server certificate.

A couple things you should know:

1. It isn't necessary to have the client settings configured to validate the server certificate. This is just for better security.

2. In the link I gave before (http://support.microsoft.com/kb/814394), there are some requirements for the server certificate. One of the requirements close to the bottom of the page says "For wireless clients, the Subject Alternative Name (SubjectAltName) extension contains the server's fully qualified domain name (FQDN)." This may be why one of the certificates you installed isn't working.

Load up the certificates mmc snap-in for the Computer account on your DC and look at the certificates in the Personal\Certificates container. Double-click the certificates and then click the Details tab. This displays information about the certificate such as the subject alternative name, the enhanced key usage, and the valid from/to dates.

You can delete certificates here if you aren't using them. You might want to re-issue a certificate and then delete the old one.

To re-issue a certificate, first you should review the template for the certificate. Type certtmpl.msc at a command line (click Start, Run, certtmpl.msc, enter) to open the certificate templates console. If you installed an Enterprise CA then you can create and modify templates. The instructions you used did say to create an Enterprise CA, so you should be able to do this.

Try this:

1. In the Certificate Templates Console, under Template Display Name, find Computer. Right-click it, click Duplicate Template, and then click OK.

2. In Properties of New Template, on the General tab, under Template display name, type a name for your new template. You can use something like Wireless Server Auth. While you are on the General tab, you can also set a validity period. By default it will be 1 year. Change this if you wish, but read this first: http://www.expta.com/2010/08/how-to-cre ... onger.html - if you try to create a validity period longer than 2 years it won't work without some tweaking.

3. Click the Security tab. Here is where you need to add permission for you to enroll. Click Authenticated Users and place a check in Allow for Enroll.

3a. (Added a step here). Click the Subject Name tab, choose Build from this Active Directory information, and then choose Common name from the drop-down list.

4. Click OK and now you'll see the new certificate at the bottom of the list. There is just one more thing to do now to enable the CA to actually issue this certificate.

5. Close the certificate templates console. Click Start, Run, certsrv.msc, enter. This will open the local Certification Authority console.

6. Click Certificate Templates and have a look at the list. This is all the templates that this CA can currently issue if the user and computer has permission to enroll.

7. Now right-click the Certificate Templates folder, point to New, then click Certificate Template to Issue. Scroll down the list and find the new template you created. The name I suggested was Wireless Server Auth but you might have picked something else. Highlight this template and then click OK. Now you should see that it is added to the list of Certificate Templates.

8. While you are in this console, click on the Issued Certificates container. You should see a list here of all the certificates that this CA has issued. You can also view Pending Requests (for certificates that require approval before being issued) and Failed Requests (there was a problem issuing the cert).

9. Now go back to the local computer certificate console (Start, Run, mmc, Enter, File, Add/Remove Snap-in, Certificates, Add, Computer account, Next, Local computer, Finish, OK). Right-click the container under Personal\Certificates, point to All Tasks, Request New Certificate, Next, Next. You should now see the Wireless Server Auth certificate. Choose it and click Enroll. At this point you should now see another certificate in the list. You can tell which one is the one you just issued by looking at the Details tab and viewing Certificate Template Information.

10. Now go back to PEAP properties in the Network Policy and choose this certificate.

-Greg
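Three posts in this thread list what the NPS server certificate has to satisfy: the checklist post (root CA in Trusted Root Certification Authorities, a Server Authentication certificate with its private key in Personal), the reply about the certificate path ending at the DC's root CA, and the final post (Server Authentication EKU, the server FQDN in the Subject Alternative Name, valid from/to dates, and the template it came from). The script below is an added example, not code from the thread, that audits every certificate in the machine's Personal store against those points and reports which ones PEAP could actually use. `$NpsFqdn` is an assumption (it defaults to the local machine's DNS name; pass the NPS server's FQDN explicitly if that differs), and the template column relies on the two Microsoft template-extension OIDs being present, which they are for Enterprise CA-issued certificates. Run it on the NPS server.

```powershell
# Added example (not from the thread): audit Cert:\LocalMachine\My for a PEAP-usable
# server certificate (Server Authentication EKU, private key, validity, FQDN in
# Subject CN or SAN, chain ending at a root present in LocalMachine\Root).
param(
    [string]$NpsFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # assumption: NPS runs here
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                                # id-kp-serverAuth
$TemplateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'     # v2 / v1 template extensions

function Test-PeapServerCert {
    param(
        [Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    $problems = @()

    if (-not $Cert.HasPrivateKey)       { $problems += 'no private key' }
    if ($Cert.NotAfter -lt (Get-Date))  { $problems += ('expired ' + $Cert.NotAfter.ToShortDateString()) }
    if ($Cert.NotBefore -gt (Get-Date)) { $problems += 'not yet valid' }

    # EKU: PEAP needs Server Authentication. A certificate with no EKU extension is
    # treated by Windows as valid for any purpose, so only an EKU that is present
    # but lacks serverAuth is flagged.
    $eku = $Cert.Extensions | Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })) {
        $problems += 'EKU present but lacks Server Authentication'
    }

    # Name: the NPS FQDN must appear in the Subject CN or as a SAN dNSName.
    $names = @($Cert.GetNameInfo('DnsName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders the SAN as "DNS Name=host.domain.local, DNS Name=..." on Windows.
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    if (-not ($names | Where-Object { $_ -eq $Fqdn })) {
        $problems += "name '$Fqdn' not in Subject CN or SAN (found: $($names -join ', '))"
    }

    # Chain: build it against the machine stores. The root at the end of the chain
    # must be in LocalMachine\Root here, and the same root is what the clients need
    # in their Trusted Root Certification Authorities store.
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability is a separate check
    if (-not $chain.Build($Cert)) {
        $problems += ('chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '))
    } else {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint })) {
            $problems += "root '$($root.Subject)' not in LocalMachine\Root"
        }
    }

    $template = ($Cert.Extensions |
        Where-Object { $TemplateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }) -join '; '

    New-Object PSObject -Property @{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        Template      = $template
        NotAfter      = $Cert.NotAfter
        UsableForPEAP = ($problems.Count -eq 0)
        Problems      = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-PeapServerCert -Cert $_ -Fqdn $NpsFqdn } |
    Format-List Subject, Thumbprint, Template, NotAfter, UsableForPEAP, Problems
```

Once one certificate shows UsableForPEAP as True, that is the thumbprint to select in the PEAP properties of the network policy (step 10 above); certificates that report a missing private key or a name mismatch are the ones to delete and re-issue from the duplicated template, as the last post describes.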
