
Issue with setting up certificate authentication for wifi



#1 raiden453


Posted 09 August 2016 - 09:08 PM

Hello All,

How my environment is set up:

I am currently trying to implement certificate-based authentication for wifi. I have a domain controller (rfhc-DC1) and a radius server (rfhc-radius); the radius server also has Active Directory Certificate Services installed to hand out certs. The wireless controller is a Cisco 5700 wireless controller. Oh, and the certificate is a self-made one.

I have set up another SSID with radius, except it's MS-CHAP v2 username and password auth (it works fine).

Problem:

So I set up Active Directory Certificate Services and went through the process on the radius server. The pics uploaded are how I set it up. So the radius server hands out the certificates fine. The wifi does not connect. Then I get this error message in Event Viewer on the radius server. Now I have played with every kind of setting possible. The only way it works is if I do AD authentication. Please help.

  Network Policy Server denied access to a user.
 
Contact the Network Policy Server administrator for more information.
 
User:
               Security ID:                                         RFHC\1796-IT01$
               Account Name:                                  host/1796-IT01.rfhc.local
               Account Domain:                               RFHC
               Fully Qualified Account Name:         RFHC\1796-IT01$
 
Client Machine:
               Security ID:                                         NULL SID
               Account Name:                                  -
               Fully Qualified Account Name:         -
               OS-Version:                                         -
               Called Station Identifier:                    a0-ec-f9-11-52-d0:RFHC_INTERNAL
               Calling Station Identifier:                  00-C2-C6-38-0C-F2
 
NAS:
               NAS IPv4 Address:                              10.0.0.30
               NAS IPv6 Address:                              -
               NAS Identifier:                                    -
               NAS Port-Type:                                   Wireless - IEEE 802.11
               NAS Port:                                            60000
 
RADIUS Client:
               Client Friendly Name:                        Cisco Wireless Controller
               Client IP Address:                               10.0.0.30
 
Authentication Details:
               Connection Request Policy Name:    Secure Wireless Connections
               Network Policy Name:                        -
               Authentication Provider:                   Windows
               Authentication Server:                       RFHC-RADIUS.rfhc.local
               Authentication Type:                         EAP
               EAP Type:                                            -
               Account Session Identifier:                -
               Logging Results:                                 Accounting information was written to the local log file.
               Reason Code:                                     48
               Reason:                                               The connection request did not match any configured network policy.
 

Here is how the radius server is set up.

Attached files: radius settings 1.png, rasius settings 2.png, radius settings 3.png, radius settings 4.png

Here is how the wifi profile is set up.

Attached files: wifi profile settings 1.png, wifi profile settings 2.png, wifi profile settings 3.png, wifi profile settings 4.png


Edited by raiden453, 10 August 2016 - 03:29 PM.
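
As an added example (not part of the original posts): a Python sketch that parses the denied-access event text posted above and reports which kind of identity the client presented and whether any network policy matched. The function names and finding labels are assumptions made for illustration; the event text is copied from the post and trimmed to the fields used.

```python
import re

# Event text copied from the post above, trimmed to the fields used here.
EVENT_TEXT = r"""Network Policy Server denied access to a user.
User:
    Security ID:                    RFHC\1796-IT01$
    Account Name:                   host/1796-IT01.rfhc.local
Client Machine:
    Called Station Identifier:      a0-ec-f9-11-52-d0:RFHC_INTERNAL
Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name:            -
    Authentication Type:            EAP
    EAP Type:                       -
    Reason Code:                    48
    Reason:                         The connection request did not match any configured network policy.
"""

def parse_nps_event(text):
    """Return {section: {field: value}} from the indented 'Field: value' layout."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on the first colon only: values such as "mac:SSID" contain colons.
        field = re.match(r"^\s+([^:]+):\s*(.*)$", line)
        if field and current is not None:
            sections[current][field.group(1).strip()] = field.group(2).strip()
        elif not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip().rstrip(":")
            sections[current] = {}
    return sections

def triage(sections):
    """Summarise what the event says about the identity and the policy match."""
    user = sections.get("User", {})
    auth = sections.get("Authentication Details", {})
    # A "host/" account name or a SID name ending in "$" is a computer account.
    is_computer = (user.get("Account Name", "").lower().startswith("host/")
                   or user.get("Security ID", "").endswith("$"))
    findings = ["identity=computer" if is_computer else "identity=user"]
    if auth.get("Reason Code") == "48" and auth.get("Network Policy Name") == "-":
        findings.append("no-network-policy-matched")
    if auth.get("Authentication Type") == "EAP" and auth.get("EAP Type") == "-":
        findings.append("eap-type-not-recorded")
    return findings

if __name__ == "__main__":
    print(triage(parse_nps_event(EVENT_TEXT)))
```

For the event in this thread the result shows a computer identity being presented while no network policy matched, which is the mismatch the replies below discuss from both sides (machine group condition versus user certificate).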




#2 pcgeek1510


Posted 11 August 2016 - 09:42 AM

In your network policy, remove both Windows group conditions and add the machine group condition Domain Computers.


Change the wireless profile settings to Computer authentication.


Edited by pcgeek1510, 11 August 2016 - 09:45 AM.


#3 pcgeek1510


Posted 11 August 2016 - 09:43 AM

On your authentication methods, make sure you select MS-CHAP-v2.



#4 raiden453


Posted 11 August 2016 - 10:06 AM

Thanks, but the solution was I needed to do an auto-enrollment cert, which was a user certificate. I chose the wrong cert.

#5 pcgeek1510


Posted 11 August 2016 - 10:16 AM

So you are doing EAP-TLS?





