Issue with setting up certificate authentication for wifi

Hello All,

How my environment is setup:

I am currently trying to implement certificate based authentication for wifi. I have a domain controller (rfhc-DC1) I have a radius server (rfhc-radius) the radius server also has active directory certificate services installed to hand out certs. The wireless controller is a cisco 5700 wireless controller. Oh and the certificate is a self-made one.

I have setup another ssid with radius, except its mschap v2 username and password auth. (it works fine)

Problem:

So I setup active directory certificate services and went through the process on the radius server. The pics uploaded is how I set it up. SO the radius server hands out the certificates fine. The wifi does not connect. Then I get this error message in event viewer on the radius server. Now I have played with every kind of setting possible. The only way it works is if I do ad authentication. Please help.

  Network Policy Server denied access to a user.
 
Contact the Network Policy Server administrator for more information.
 
User:
               Security ID:                                         RFHC\1796-IT01$
               Account Name:                                  host/1796-IT01.rfhc.local
               Account Domain:                               RFHC
               Fully Qualified Account Name:         RFHC\1796-IT01$
 
Client Machine:
               Security ID:                                         NULL SID
               Account Name:                                  -
               Fully Qualified Account Name:         -
               OS-Version:                                         -
               Called Station Identifier:                    a0-ec-f9-11-52-d0:RFHC_INTERNAL
               Calling Station Identifier:                  00-C2-C6-38-0C-F2
 
NAS:
               NAS IPv4 Address:                              10.0.0.30
               NAS IPv6 Address:                              -
               NAS Identifier:                                    -
               NAS Port-Type:                                   Wireless - IEEE 802.11
               NAS Port:                                            60000
 
RADIUS Client:
               Client Friendly Name:                        Cisco Wireless Controller
               Client IP Address:                               10.0.0.30
 
Authentication Details:
               Connection Request Policy Name:    Secure Wireless Connections
               Network Policy Name:                        -
               Authentication Provider:                   Windows
               Authentication Server:                       RFHC-RADIUS.rfhc.local
               Authentication Type:                         EAP
               EAP Type:                                            -
               Account Session Identifier:                -
               Logging Results:                                 Accounting information was written to the local log file.
               Reason Code:                                     48
               Reason:                                               The connection request did not match any configured network policy.
 

Here is how the radius server is setup.

 radius settings 1.png   36.13KB   1 downloads  rasius settings 2.png   26.01KB   1 downloads  radius settings 3.png   42.72KB   1 downloads  radius settings 4.png   19.51KB   1 downloads

Here is how the wifi profile is setup

 wifi profile settings 1.png   23.54KB   0 downloads  wifi profile settings 2.png   25.54KB   1 downloads  wifi profile settings 3.png   25.49KB   1 downloads  wifi profile settings 4.png   31.67KB   1 downloads

Edited by raiden453, 10 August 2016 - 03:29 PM.

In your network policy remove both windows group conditions, add the machine group condition domain computers.

Change the wireless profile settings to Computer authentication.

Edited by pcgeek1510, 11 August 2016 - 09:45 AM.

On your authentication methods make sure you select MS-CHAP-v2

So you are doing EAP-TLS?