NPS Authentication Methods - EAP Types
We are moving from IAS to NPS and are configuring the policy like it was in IAS. When we click on the Constraints tab > Authentication Methods > and then highlight Microsoft: Protected EAP (PEAP) and click Edit we get an error "The data is invalid". How do we fix this error? There are no errors in the event viewer for NPS.
Hi MarkNDOR,
Thanks for posting here.
We'd suggest migrating smoothly from IAS to NPS by following the guide in the link below, without manually recreating all policies; it also covers the Iasmigreader.exe utility, which will help transfer the IAS policies to an NPS-compatible file type:
NPS Migration Guide
http://technet.microsoft.com/en-us/library/ee791849(WS.10).aspx
Thanks.
Tiger Li
Similar Messages
wireless authentication not working
I found the following in the radius
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/15/2014 2:07:57 AM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: NAP01.test.local
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: doamin \user.a
Account Name: user.a
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-0F-7D-C4-45-20:staff
Calling Station Identifier: 0C-74-C2-EF-Dd-0B
NAS:
NAS IPv4 Address: 192.168.9.10
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 497
RADIUS Client:
Client Friendly Name: wcont1
Client IP Address: 192.168.9.10
Authentication Details:
Connection Request Policy Name: Wireless
Network Policy Name: wism
Authentication Provider: Windows
Authentication Server: NAP01.test.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
Please help
Hi,
Any updates?
In addition, this issue may also be because your client doesn't have the CA certificate of your domain. Please make sure that your client has the CA certificate.
Besides, the error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" may be due to the fact that the default maximum transmission unit that NPS uses for EAP payloads is 1500 bytes. You can lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy to a value no greater than 1344:
Configure the EAP Payload Size
Best regards,
Susie
Apple & Windows 7 Authentication Methods Cisco 1242AP EAP
Hi CSC Members,
I'm pretty new to wireless (so go easy on me): My situation is I need to be able to provide secure wireless internet access to guests with BYODs. Namely Apple iPads, iPhones, Windows PCs and Apple Macs, without them being under my administrative control; namely, I cannot add them to a domain, nor do I want to have to interact with the user and install certificates on their machines.
I'm looking for the 'best method' to achieve this, WPA2/AES with a PSK and MAC filtering was a suggestion but I don't really want to have to audit their MAC addresses. I'm just looking for a 'quick and dirty' secure username/password combination I'm guessing. I'm not using a WLC, just one or possibly a couple of 1242 Autonomous APs. I don't want to have to personally enter a PSK on their machines either as they can easily find this out and give the password to someone else, so I need to be able to change/add user accounts and user passwords centrally NOT on their devices.
I have an example configuration below, using the Cisco 1242AP as a Local Radius WHICH WORKS for me on Apple iPads and iPhones, however I cannot for the life of me get it to work with a Windows 7 Laptop. I'm not even totally sure exactly what type of authentication I've configured (Help!!), but entering the username and password on an iDevice just works! Is it EAP-FAST? My Windows 7 client doesn't seem to support EAP-FAST, only Microsoft PEAP, which I "believe" requires a certificate or some kind of machine authentication. So I'm not sure how to access this wifi network I've created using a Windows machine. I'd prefer to use a Windows 2008 NPS Radius Server if at all possible but couldn't get it working with the 1242AP, hence I went for Local Radius as a starting point.
1) Does anyone have a sensible suggestion as to what the best solution for my needs is? (I have access to a new Windows 2008 R2 Server)
2) How do I configure a Windows 7 machine as well as an Apple machine to authenticate using the suggested 'best' method?
3) I'd be really grateful if someone could clarify exactly what my configuration is using for Authentication.
Thanking you in advance for your guidance and recommendations,
Mike
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Media_AP
enable secret 5 $1$k3.3$QU/yBNYeOJM7BDxzRTq1g/
aaa new-model
aaa group server radius rad_local
server 192.168.1.2 auth-port 1812 acct-port 1813
aaa authentication login eap_local group rad_local
aaa session-id common
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool Media_DHCP_Pool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.2
dot11 syslog
dot11 ssid MediaCafe
authentication open eap eap_local
authentication network-eap eap_local
authentication key-management wpa version 2
guest-mode
infrastructure-ssid
username Cisco password 7 13261E010803
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid MediaCafe
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.1.2 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server local
no authentication mac
nas 192.168.1.2 key 7 0505071C32444F1B1C010417081E013E
user sky nthash 7 013150277A52525774146B5F492646375B2F277C7300716062734455335224000A
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key 7 11071816041A0A1E012E38212B213036
bridge 1 route ip
line con 0
line vty 0 4
end
The best scenario for guests is to have an open SSID. With autonomous APs you're sort of out of luck. With the WLC you can incorporate a splash page. That being said, you might want to look at some free hotspot software unless you want to pay for one. Here are some free ones, but you can just search around.
http://www.hotspotsystem.com/en/hotspot/free_hotspot_software.html
http://www.antamedia.com/free-hotspot/
Thanks,
Scott
Cisco ISE multiple EAP authentication methods question
With Cisco ISE can you have various clients each using different EAP methods, such as PEAP for Windows machines, MD5 for legacy and TLS for others?
My current efforts seem to fail, as if a device gets a request from the ISE for an EAP method it doesn't understand it just times out.
Thanks in advance.
Multiple EAP methods work fine. If your clients are being crap you could try forcing them to use a specific set of allowed authentication methods by creating more specific authentication rules.
Per SSID EAP-type Authentication
Is there a way to configure ACS 4.2 to only allow a certain EAP type of authentication per SSID? For example: SSIDA only allows EAP-TLS and SSIDB only allows EAP-PEAP, on the same ACS server?
Any help is greatly appreciated.
You should configure a NAP (Network Access Policy). The selection factor should be "per SSID", and then for each policy you can allow different EAP types.
For the "per SSID" part, the WLC has a command to change the Called-Station-Id to append the SSID name to the AP MAC address.
VWLC 802.1x NPS authentication Fails
Hi Guys,
Hopefully someone can help me with the following problem I'm facing...
I've a vWLC running 7.3 deployed in our HQ site.
At the HQ we have a W2k8 R2 NPS deployed that works fine for VPN, router and switch authentication.
In a few remote branch offices, which are connected to the HQ over DMVPN, we have a couple of 3500s running in FlexConnect mode with local switching.
These APs register just fine through the VPN link back to the vWLC.
We deployed a few SSIDs that are bound to AP groups.
All SSIDs that use WPA2 with PSK work fine.
All SSIDs that use WPA2 with 802.1x fail.
The Security Settings for the failing SSID's are:
WPA2 Policy
WPA2 Encryption AES
Key Man 802.1x
AAA Server is pointing to the right NPS for Auth and Accounting
Radius overwrite IF is disabled
The settings of the NPS are:
Conditions:
Win Group: DOMAIN\Groupxx
NAS Port Type: Wireless - IEEE 802.11
Settings:
EAP Conf: Configured
Access Perm: Granted
EAP Method: MS PEAP
Auth Method: EAP
NAP Enforcement: Allow full access
Update non complient: True
Service Type: Login
When a laptop (Mac os 10.8) tries to connect to a 802.1x SSID It Prompts for a username and passwd.
Using DOMAIN\user + passwd the client tries to authenticate for a couple of times and fails
On the vWLC I can see the trap:
AAA Authentication Failure for UserName:user User Type: WLAN USER
At the NPS I can see:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: DOMAIN\user
Account Name: user
Account Domain: DOMAIN
Fully Qualified Account Name: dom.com/OU/OU/OU/USER full name
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 34-a8-4e-70-0b-90:test.sec
Calling Station Identifier: 10-40-f3-8f-ac-62
NAS:
NAS IPv4 Address: IP vWLC
NAS IPv6 Address: -
NAS Identifier: VWLC001
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: vWLC001
Client IP Address: IP vWLC
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Cisco WiFi
Authentication Provider: Windows
Authentication Server: FQDN NPS server
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Hopefully someone can point me in the right direction.
Cheers,
JP
Find below the output of the debug:
(Cisco Controller) >
(Cisco Controller) >*Dot1x_NW_MsgTask_4: May 27 10:08:51.567: 00:21:6a:72:3c:ec apfMsRunStateInc
*apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Processing RSN IE type 48, length 20 for mobile 10:40:f3:8f:ac:62
*apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Received RSN IE with 0 PMKIDs from mobile 10:40:f3:8f:ac:62
*apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Setting active key cache index 8 ---> 8
*apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 unsetting PmkIdValidatedByAp
*apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 apfMsAssoStateInc
*dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Station 10:40:f3:8f:ac:62 setting dot1x reauth timeout = 1800
*dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
*dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
*dot1xMsgTask: May 27 10:09:41.429: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
*dot1xMsgTask: May 27 10:09:41.429: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
*dot1xMsgTask: May 27 10:09:41.429: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
*dot1xMsgTask: May 27 10:09:41.429: 00000030: 72 74 69 64 3d 31 rtid=1
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 00000000: 01 00 00 0e 02 01 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 00000010: 6c 73 ls
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=1) for mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 00000000: 02 01 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 00000000: 01 01 00 00 ....
*Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
*Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
*Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000000: 02 00 00 32 01 03 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
*Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
*Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
*Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000030: 72 74 69 64 3d 31 rtid=1
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 00000010: 6c 73 ls
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=3) for mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 00000000: 02 03 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Unable to send AAA message for mobile 10:40:F3:8F:AC:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000000: 01 01 00 00 ....
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 5)
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000000: 02 00 00 32 01 05 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000030: 72 74 69 64 3d 31 rtid=1
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Reached Max EAP-Identity Request retries (3) for STA 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Not sending EAP-Failure for STA 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Station 10:40:f3:8f:ac:62 setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 00000000: 01 00 00 0e 02 05 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
*Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 00000010: 6c 73 ls
*Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAP Response packet with mismatching id (currentid=0, eapid=5) from mobile 10:40:f3:8f:ac:62
*apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Processing RSN IE type 48, length 20 for mobile 10:40:f3:8f:ac:62
*apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Received RSN IE with 0 PMKIDs from mobile 10:40:f3:8f:ac:62
*apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Setting active key cache index 8 ---> 8
*apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 unsetting PmkIdValidatedByAp
*dot1xMsgTask: May 27 10:09:54.676: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
*dot1xMsgTask: May 27 10:09:54.676: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
*dot1xMsgTask: May 27 10:09:54.676: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
*dot1xMsgTask: May 27 10:09:54.676: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
*dot1xMsgTask: May 27 10:09:54.676: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
*dot1xMsgTask: May 27 10:09:54.676: 00000030: 72 74 69 64 3d 31 rtid=1
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000000: 01 00 00 0e 02 01 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000010: 6c 73 ls
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=1) for mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000000: 02 01 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000000: 01 01 00 00 ....
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000000: 02 00 00 32 01 03 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000030: 72 74 69 64 3d 31 rtid=1
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000010: 6c 73 ls
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=3) for mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 02 03 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Unable to send AAA message for mobile 10:40:F3:8F:AC:62
*radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
*radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA request requeued OK
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 AAA Message 'Timeout' received for mobile 10:40:f3:8f:ac:62
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 Filtering AAA Response with invalid Session ID - proxy state 10:40:f3:8f:ac:62-02:00
*radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
*radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-resp] AAA request requeued OK
*radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
*radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
*radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
*radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 AAA Message 'Timeout' received for mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:11:11.529: 10:40:f3:8f:ac:62 Processing AAA Error 'Timeout' (-5) for mobile 10:40:f3:8f:ac:62
NPS Authentication Fails (Reason 16) After Migration to 2012 R2 from 2008 R2
I'm using NPS for wired dot1x authentication and I just migrated my NPS server from 2008 R2 to 2012 R2. When I point the network switch to start using the new 2012 R2 NPS as the RADIUS server, I get authentication failures - event 6273, reason code 16. When I switch it back to the 2008 R2 server, it works fine. The two servers are configured EXACTLY the same as far as I can tell - same RADIUS client config, same connection request policies, same network policies - and it should be since I used the MS prescribed migration process. The only thing that differs is the server's certificate name used in the PEAP setup screen.
I'm using computer authentication only, so everything is based on computer accounts and I've selected to NOT validate server credentials on the group policy.
I've verified the shared secrets multiple times. Both servers are domain controllers.
Here is an example of the errors logged on the 2012 R2 server.
========================================
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: FAITHCHURCH\youthroom$
Account Name: host/YOUTHROOM.faithchurch.net
Account Domain: FAITHCHURCH
Fully Qualified Account Name: FAITHCHURCH\youthroom$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 44-37-E6-C0-32-CA
NAS:
NAS IPv4 Address: 192.168.1.1
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 1010
RADIUS Client:
Client Friendly Name: Extreme X440
Client IP Address: 192.168.1.1
Authentication Details:
Connection Request Policy Name: Secure Wired (Ethernet) Connections 2
Network Policy Name: Secure Wired (Ethernet) Connections 2
Authentication Provider: Windows
Authentication Server: Sigma.faithchurch.net
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
========================================
Hi,
Have you added the NPS server to the RAS and IAS Servers security group in AD DS?
The NPS server needs permission to read the dial-in properties of user accounts during the authorization process.
Try to add a local user on the NPS server, then test with the local user. If it works, it means that there is something wrong between NPS and the DC.
If the issue persists, it means that the configuration between NPS and NAS is wrong.
Steven Lee
TechNet Community Support -
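When two NPS servers are supposed to be identical but only one rejects, the first useful step is to turn the 6273 descriptions from both into comparable records. The following is an added example (not code from the thread or from Microsoft): it parses the section/key layout of the event text quoted above and aggregates failures per RADIUS client and reason code. SAMPLE_6273 is a constructed event modelled on the one in the post (domain, host names and addresses are placeholders), and REASON_NAMES holds the standard NPS meaning of the two reason codes that appear on this page.

```python
"""Parse the description text of NPS event 6273 ("Network Policy Server denied
access to a user") into fields and aggregate failures per RADIUS client and
reason code.

Added example, not from the original thread. SAMPLE_6273 is constructed,
modelled on the event quoted in the post (names, domain and addresses are
placeholders); REASON_NAMES holds the standard NPS meaning of the reason
codes that appear on this page.
"""
from collections import Counter

REASON_NAMES = {
    0: "Success",
    16: "Credentials mismatch (unknown account or bad password)",
    23: "EAP error (check the EAP logs)",
}

# Constructed 6273 description (placeholder names and addresses).
SAMPLE_6273 = """\
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: EXAMPLE\\lab-pc$
Account Name: host/LAB-PC.example.net
Account Domain: EXAMPLE
Fully Qualified Account Name: EXAMPLE\\lab-pc$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 00-11-22-33-44-55
NAS:
NAS IPv4 Address: 192.0.2.1
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 1010
RADIUS Client:
Client Friendly Name: edge-switch-1
Client IP Address: 192.0.2.1
Authentication Details:
Connection Request Policy Name: Secure Wired (Ethernet) Connections
Network Policy Name: Secure Wired (Ethernet) Connections
Authentication Provider: Windows
Authentication Server: nps1.example.net
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
"""


def parse_6273(text):
    """Return {"Section/Key": value} for the indented key/value description.

    A line ending in ':' with nothing after it opens a section (User:, NAS:,
    Authentication Details: ...); every other "Key: Value" line is filed under
    the current section, so the two "Account Name" entries stay distinct.
    """
    fields = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # narrative lines such as "Contact the ... administrator"
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:
            section = key  # section header
            continue
        fields[f"{section}/{key}" if section else key] = value
    return fields


def summarize(fields):
    """Pick out the attributes a triage needs from one parsed event."""
    code = int(fields.get("Authentication Details/Reason Code", "-1"))
    account = fields.get("User/Account Name", "-")
    sid = fields.get("User/Security ID", "")
    return {
        "account": account,
        # computer authentication shows up as host/<fqdn> or a trailing-$ account
        "machine_account": account.startswith("host/") or sid.endswith("$"),
        "nas": fields.get("NAS/NAS IPv4 Address", "-"),
        "client_mac": fields.get("Client Machine/Calling Station Identifier", "-"),
        "auth_type": fields.get("Authentication Details/Authentication Type", "-"),
        "eap_type": fields.get("Authentication Details/EAP Type", "-"),
        "reason_code": code,
        "reason": REASON_NAMES.get(code, fields.get("Authentication Details/Reason", "unknown")),
    }


def failures_by_nas(events):
    """Count (NAS address, reason code) pairs across many 6273 descriptions."""
    counts = Counter()
    for text in events:
        s = summarize(parse_6273(text))
        counts[(s["nas"], s["reason_code"])] += 1
    return counts


if __name__ == "__main__":
    for key, value in summarize(parse_6273(SAMPLE_6273)).items():
        print(f"{key:16} {value}")
```

Feed it the 6273 events exported from each server (Get-WinEvent on the Security log, message text only) and diff the summaries: a reason code that only one server produces for the same account, NAS and calling station narrows the problem to that server's configuration rather than the switch or the client.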
Hello everyone:
I know this question has been asked in these forums quite a few times. I apologize if it is a repeat telecast, but I was not able to find a suitable solution pertaining to my problem.
I have an AP/SM setup that is configured to get EAP-PEAP authentication from Windows 2012 Server. I have set up everything and have verified that the EAP-PEAP authentication works fine on the AP/SM by getting authentication from a FreeRADIUS server. Now, when I try to get authentication from Windows Server, I am getting a reject. The Event log shows this generic message:
Reason Code: 23
Reason:
An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
There is nothing obvious in the EAP logs either:
"USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
"USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
"USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
"USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
"USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,11,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
"USIL01PMPTST01","IAS",07/11/2014,11:59:44,3,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,11,"PEAP_TEST",23,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
So, basically, the sequence is this:
request, challenge, request, challenge, request, reject
Any idea what might be happening?
Thank you.
Hi,
Have you installed certificates on the NPS server properly? Have you selected the proper certificate in the properties of PEAP?
Here is an article about the Certificate requirements of PEAP,
Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS
http://support.microsoft.com/kb/814394
If your certificate matches the requirement, you may try to reinstall the certificate by export and import.
To export a certificate, please follow the steps below:
1. Open the Certificates snap-in for a user, computer, or service.
2. In the console tree, under the logical store that contains the certificate to export, click Certificates.
3. In the details pane, click the certificate that you want to export.
4. On the Action menu, point to All Tasks, and then click Export.
5. In the Certificate Export Wizard, click No, do not export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)
6. Provide the following information in the Certificate Export Wizard:
- Click the file format that you want to use to store the exported certificate: a DER-encoded file, a Base64-encoded file, or a PKCS #7 file.
- If you are exporting the certificate to a PKCS #7 file, you also have the option to include all certificates in the certification path.
- If required, in Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.
- In File name, type a file name and path for the PKCS #7 file that will store the exported certificate and private key. Click Next, and then click Finish.
To import a certificate, please follow the steps below:
1. Open the Certificates snap-in for a user, computer, or service.
2. In the console tree, click the logical store where you want to import the certificate.
3. On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
4. Type the file name containing the certificate to be imported. (You can also click Browse and navigate to the file.)
5. If it is a PKCS #12 file, do the following:
- Type the password used to encrypt the private key.
- (Optional) If you want to be able to use strong private key protection, select the Enable strong private key protection check box.
- (Optional) If you want to back up or transport your keys at a later time, select the Mark key as exportable check box.
6. Do one of the following:
- If the certificate should be automatically placed in a certificate store based on the type of certificate, click Automatically select the certificate store based on the type of certificate.
- If you want to specify where the certificate is stored, select Place all certificates in the following store, click Browse, and choose the certificate store to use.
If the issue persists, you may try to re-issue the certificate.
For detailed procedure, you may refer to the similar threads below,
Having issues getting PEAP with EAP-MSCHAP v2 working on Windows 2008 R2
http://social.technet.microsoft.com/Forums/windowsserver/en-US/c66cf0a8-24dd-4ccd-b5bb-16bd28ad8d4c/having-issues-getting-peap-with-eapmschap-v2-working-on-windows-2008-r2?forum=winserverNAP
Hope this helps.
Steven Lee
TechNet Community Support -
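The IAS-format lines in the question above carry everything needed to see where the exchange broke, once the columns are named. The following is an added example, not code from the thread or from Microsoft: it parses IAS-format NPS log records, groups them by the RADIUS Class attribute (one value per request/response round trip) and reports the packet sequence and the final reason code. SAMPLE_LOG is constructed to mirror the six lines posted above (the server name is a placeholder); the column positions follow the documented IAS log format, and the packet-type, authentication-type and reason-code values are the standard RADIUS/NPS ones.

```python
"""Reconstruct a PEAP exchange from NPS/IAS-format log lines and report the
outcome: the packet sequence, the number of round trips and the reason code
behind the final Access-Reject.

Added example, not code from the original thread. SAMPLE_LOG is constructed
to mirror the lines posted above (server name is a placeholder); the column
positions follow the documented IAS log format and the packet-type,
authentication-type and reason-code values are the standard RADIUS/NPS ones.
"""
import csv
import io

# Zero-based column positions in the IAS log format (only the ones used here).
PACKET_TYPE, USER_NAME, FQDN = 4, 5, 6
NAS_IP, CLIENT_NAME, NAS_PORT_TYPE = 12, 16, 19
AUTH_TYPE, POLICY_NAME, REASON_CODE, CLASS = 23, 24, 25, 26

PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}
AUTH_TYPES = {5: "EAP", 11: "PEAP"}          # the two that appear in the trace
REASON_NAMES = {0: "Success",
                16: "Credentials mismatch",
                23: "EAP error (check the EAP logs)"}

# Constructed IAS-format records: three request/response round trips, the
# last one answered with an Access-Reject carrying reason code 23.
SAMPLE_LOG = r'''
"NPS01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
"NPS01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
"NPS01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
"NPS01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
"NPS01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,11,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
"NPS01","IAS",07/11/2014,11:59:44,3,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,11,"PEAP_TEST",23,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
'''


def parse_ias(text):
    """Yield one dict per IAS record; blank or short rows are skipped."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) <= CLASS:
            continue
        auth = int(row[AUTH_TYPE]) if row[AUTH_TYPE] else None
        yield {
            "packet": PACKET_TYPES.get(int(row[PACKET_TYPE]), row[PACKET_TYPE]),
            "user": row[FQDN] or row[USER_NAME],
            "client": row[CLIENT_NAME] or row[NAS_IP],
            "auth": AUTH_TYPES.get(auth, str(auth)) if auth is not None else "-",
            "policy": row[POLICY_NAME],
            "reason": int(row[REASON_CODE]) if row[REASON_CODE] else None,
            # the Class attribute ties each request to the response it got;
            # its last token is the per-request serial number
            "round": row[CLASS].split()[-1] if row[CLASS] else "",
        }


def exchange(records):
    """Summarise one client's authentication: packet sequence, number of
    request/response round trips, and the final decision with its reason."""
    records = list(records)
    sequence = [r["packet"] for r in records]
    rounds = len({r["round"] for r in records})
    decisions = [r for r in records if r["packet"] in ("Access-Accept", "Access-Reject")]
    final = decisions[-1] if decisions else None
    return {
        "sequence": sequence,
        "rounds": rounds,
        "outcome": final["packet"] if final else "no decision",
        "reason": final["reason"] if final else None,
        "reason_text": REASON_NAMES.get(final["reason"], "unknown") if final else None,
        "auth": final["auth"] if final else None,
        "user": final["user"] if final else None,
        "policy": final["policy"] if final else None,
    }


if __name__ == "__main__":
    summary = exchange(parse_ias(SAMPLE_LOG))
    print(", ".join(summary["sequence"]))
    print(f"{summary['rounds']} round trips, {summary['outcome']} "
          f"(reason {summary['reason']}: {summary['reason_text']}) "
          f"for {summary['user']} under policy {summary['policy']}")
```

On the sample this prints the same "request, challenge, request, challenge, request, reject" sequence the poster wrote out, with the reject attributed to reason 23 on the third round trip. Run it over the log files NPS writes to %SystemRoot%\System32\LogFiles (IAS format selected in Accounting) to get the same summary per client without reading the columns by hand.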
Which EAP Type to choose for 802.1x Wireless Policy?
Hi everyone,
i have a question about recommendation for EAP Type in a wireless policy:
Which configuration is more secure/recommendet?
a)
Authentication Type: PEAP
EAP Type: EAP-MSCHAP v2
b)
Authentication Type: EAP
EAP Type: Certificate
We have a working configuration with a) and could Change to b).
Thanks,
Andy
Hi,
Option a), which uses PEAP together with EAP (EAP-MSCHAP v2), is more secure/recommended.
PEAP is a new member of the family of EAP protocols. To enhance both the EAP protocols and network security, PEAP provides:
1. Protection for the EAP method negotiation that occurs between client and server through a TLS channel. This helps prevent an attacker from injecting packets between the client and the network access server (NAS) to cause the negotiation of a less secure EAP method. The encrypted TLS channel also helps prevent denial of service attacks against the IAS server.
2. Support for the fragmentation and reassembly of messages, allowing the use of EAP types that do not provide this.
3. Wireless clients with the ability to authenticate the IAS or RADIUS server. Because the server also authenticates the client, mutual authentication occurs.
4. Protection against the deployment of an unauthorized wireless access point (WAP) when the EAP client authenticates the certificate provided by the IAS server. In addition, the TLS master secret created by the PEAP authenticator and client is not shared with the access point. Because of this, the access point cannot decrypt the messages protected by PEAP.
5. PEAP fast reconnect, which reduces the delay in time between an authentication request by a client and the response by the IAS or RADIUS server, and allows wireless clients to move between access points without repeated requests for authentication. This reduces resource requirements for both client and server.
You can choose between two EAP types for use with PEAP: EAP-MS-CHAPv2 or EAP-TLS. EAP-MS-CHAPv2 uses credentials (user name and password) for user authentication. EAP-TLS uses either certificates installed in the client computer certificate store or a smart card for user and client computer authentication. Comparatively, the second one is more secure because public key certificates provide a much stronger authentication method than those that use password-based credentials.
Best Regards,
Eve Wang -
I would love some help with this issue. I have configured my SharePoint Foundation 2010 site to use claims-based auth with the certificate authentication method with ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.
When I log into my site using Windows auth, everything is great. However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds returns me to the logon page with the error message “Authentication failed”.
I based my setup on the TechNet article
http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
I validated that all my certificates are valid and that the CRL can be retrieved.
I got event ID 300 in the event log:
The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)
System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
thx
Stef71
This is perfectly correct. In my case I was not adding the root properly; you must add the CA and the ADFS certificate as well, which is twice, as you can see below in my results.
In my case it was:
PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
Certificate : [Subject]
CN=domain.AD0001CA, DC=domain, DC=com
[Issuer]
CN=domain.AD0001CA, DC=portal, DC=com
[Serial Number]
blablabla
[Not Before]
22/07/2014 11:32:05
[Not After]
22/07/2024 11:42:00
[Thumbprint]
blablabla
Name : domain.ad0001
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : domain.ad0001
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17164
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
Certificate : [Subject]
CN=ADFS Signing - adfs.domain
[Issuer]
CN=ADFS Signing - adfs.domain
[Serial Number]
blablabla
[Not Before]
23/07/2014 07:14:03
[Not After]
23/07/2015 07:14:03
[Thumbprint]
blablabla
Name : Token Signing Cert
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : Token Signing Cert
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17184
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.PORTAL> -
Authentication method for JCo connection in XSS installation
Hi All,
I have a query which perplexes me. I am implementing XSS (ESS/MSS) on SAP Portal EP6 SR1 with an ECC5 backend for prototype purposes.
When I follow SAP's help steps to setup JCo connections, it states that for the metadata connection you should use a security authentication method of 'User/Password', but for the application data connection you should use a security authentication method of 'Ticket'.
Does anyone know why the difference in methods here? Is it possible to use 'User/Password' for both? Any thoughts would be appreciated.
Hi John,
The user-ID/password method can be used to access the backend for both types of data in your scenario.
Both the user-ID/password method and logon tickets can be used to access data in the backend.
The difference lies in the scenario in which you are accessing the backend.
If all your portal users are the same as the backend users, then you can select the logon ticket method.
If they are going to be different, then you need the user-ID/password method.
Check the following link to get a clear picture:
Scenario to use type of SSO: http://help.sap.com/saphelp_ep50sp2/helpdata/en/4d/dd9b9ce80311d5995500508b6b8b11/frameset.htm
Hope it helps.
Regards,
Vivekanandan -
802.1x EAP type not configured
Hi, a simple 802.1x test with XP client sp2, 3560 with IOS 12.2(35)SE5 and ACS 4.1(1) build 23.
EAP MD5 selected on the client and enabled on the ACS but I receive in ACS an authentication failure message, with Authen-Failure-Code "EAP type not configured".
Any idea ?
thank you in advance
Greetings
You have to install a self-generated certificate on the ACS and enable PEAP with "Allow EAP-MSCHAPv2". I then changed the setting on our PC and managed to make it work.
Could you do the following,
1.) Enable full detail logging on the ACS: System Configuration -> Service Control -> Logging detail level = "FULL". Then restart the ACS services.
2.) Enable "debug radius" together with the debugs that you already have on the switch.
3.) If there is a sniffer (Norton SnifferPro, or the freeware Wireshark or Ethereal) on the client laptop, please start it and enable sniffing on the client interface.
4.) Make another authentication attempt.
5.) Generate a "package.cab" on the ACS, by running Bin\CSSupport.exe underneath the ACS installation directory.
6.) Please send me the following information:
a) The package.cab file,
b) the debug output from the switch,
c) the sniffer trace (if available). -
Wireless Security & Authentication methods
Hi,
I have some experience with WLAN networks, but I would like to have your opinion on wireless security implementations.
We have several sites where we have some Cisco access points running IOS. We are currently doing WEP 128b, with MAC authentication against a central ACS server.
But having fixed WEP and MAC registrations is not very practical.
Do you know of any method to have authentication against Active Directory (passing through the Cisco ACS), and dynamic WEP keys?
Any recommendation is welcome.
Of course with this we would like to bring up our level of security.
Thanks a lot for all,
Best Regards,
Jorge
802.1x/EAP authentication is the most popular authentication method in wireless. The following documents explain how to configure EAP authentication.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a13.shtml -
None of the available endpoints supports authentication methods user/pass
Dear All
I created a destination in CE 7.1, but when I test the destination in the WS Navigator it cannot run; the error is:
The destination [YHSendMessage02] supports the following authentication methods [User Name/Password (Basic)], but none of the available endpoints supports them. The supported authentication types are [None]. Either the destination has to be updated or a new endpoint should be used
I tested the WS in the Navigator without using the destination and it works well, so I think maybe something is wrong in my CE with the destination's configuration.
Best regards
The following message was returned from SAP:
The root of the problem has been found. The problem occurs because PI WSDLs don't contain security settings. The lack of security settings breaks consumption of those services. I'm working on providing a fix to enable consumption of such services.
Looking at a WSDL generated by PI (example):
<wsp:Policy wsu:Id="OP_si_servicename"/>
The policy contains no transportbinding or authentication methods at all.
Looking at a WDSL generated by ECC (example):
<wsp:Policy wsu:Id="BN_BN_si_ManageCustomizingCustomerService_binding">
<saptrnbnd:OptimizedXMLTransfer uri="http://xml.sap.com/2006/11/esi/esp/binxml" wsp:Optional="true" xmlns:saptrnbnd="http://www.sap.com/webas/710/soap/features/transportbinding/"/>
<saptrnbnd:OptimizedXMLTransfer uri="http://www.w3.org/2004/08/soap/features/http-optimization" wsp:Optional="true" xmlns:saptrnbnd="http://www.sap.com/webas/710/soap/features/transportbinding/"/>
<wsp:ExactlyOne xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
<wsp:All>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken>
<wsp:Policy>
<sp:HttpBasicAuthentication/>
</wsp:Policy>
</sp:HttpsToken>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:TransportBinding>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
At the moment SAP is working on a fix to solve this problem. -
None of the authentication methods supported by this client are supported by your server.
Dear Exchange Admin
We have implemented Exchange Server.
MAPI profile configuration in Outlook is working fine. When we try to configure POP3 in Outlook without SMTP authentication, it is also fine.
But when we enable SMTP authentication, we get the following error:
"None of the authentication methods supported by this client are supported by your server."
Kindly help
Ashraf
This worked for me today, as I had the same issue.
I had to set encryption to TLS to get it to work, and the server names as yahoo.co.uk...
In Outlook 2013, click File | Add Account.
Select Manual setup or additional server types.
Click Next.
Select POP.
Click Next.
On the “Account Settings” page, enter your account settings:
Your Name: The name you want to show when you send email.
Email address: Your full Yahoo email address.
Account Type: POP3
Incoming Mail Server: pop.mail.yahoo.com
Outgoing Mail Server: smtp.mail.yahoo.com
User Name: Your Yahoo ID.
Password: Your Yahoo account password.
Leave the “Require logon using Secure Password Authentication” option unchecked.
Click More Settings.
Click the Outgoing Server tab.
Select the My outgoing server (SMTP) requires authentication box.
Click Use same settings as my incoming mail server.
Click the Advanced tab. Enter advanced information:
Incoming server (POP3) port: 995
Select This server requires an encrypted connection (SSL).
Outgoing server (SMTP) port: 465, 587, or 25
Set the encryption type to SSL or TLS
Set your desired server timeout and delivery options.
- We recommend leaving a copy of messages on the server.
Click OK.
Restart Outlook.
Click Send/Receive All Folders.
You can now retrieve emails from your Yahoo Mail account in Outlook 2013.
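The Outlook message in this thread means the EHLO reply the client saw carried no AUTH mechanism it could use. Servers are commonly configured to advertise AUTH LOGIN/PLAIN only once the session is inside TLS (Exchange receive connectors have an "Offer basic authentication only after starting TLS" option for exactly this), which is consistent with the reply above needing encryption set to TLS. The following is an added example, not code from the thread or from Microsoft: parse_ehlo() extracts the advertised SASL mechanisms from an EHLO reply, and probe() runs the same check live against a host of your choosing. The two EHLO replies are constructed; mail.example.net and its capability list are placeholders.

```python
"""Determine which SASL mechanisms an SMTP server advertises before and after
STARTTLS, the capability Outlook is complaining about when it reports that
none of its authentication methods are supported by the server.

Added example, not code from the original thread. parse_ehlo() is exercised
on two constructed EHLO replies; probe() runs the same check live against a
host of your choosing and is not called by the samples.
"""
import smtplib

# Constructed EHLO replies from a hypothetical submission server: AUTH is
# only advertised once STARTTLS has been negotiated.
EHLO_BEFORE_TLS = """\
250-mail.example.net Hello [192.0.2.50]
250-SIZE 37748736
250-PIPELINING
250-STARTTLS
250-8BITMIME
250 CHUNKING
"""
EHLO_AFTER_TLS = """\
250-mail.example.net Hello [192.0.2.50]
250-SIZE 37748736
250-PIPELINING
250-AUTH LOGIN PLAIN
250-8BITMIME
250 CHUNKING
"""


def parse_ehlo(lines):
    """Return the set of SASL mechanisms named in an EHLO reply.

    Accepts raw wire lines ("250-AUTH LOGIN PLAIN"), the prefix-stripped
    bytes lines smtplib keeps in SMTP.ehlo_resp, and the legacy "AUTH=LOGIN"
    spelling some servers still emit.
    """
    mechs = set()
    for line in lines:
        if isinstance(line, bytes):
            line = line.decode("ascii", "replace")
        line = line.strip()
        if line.startswith("250") and len(line) > 4 and line[3] in "- ":
            line = line[4:]                      # drop the reply-code prefix
        keyword, _, rest = line.partition(" ")
        keyword = keyword.upper()
        if keyword == "AUTH":
            mechs.update(m.upper() for m in rest.split())
        elif keyword.startswith("AUTH="):
            mechs.add(keyword[5:])
            mechs.update(m.upper() for m in rest.split())
    return mechs


def client_can_authenticate(mechs, client_mechs=("PLAIN", "LOGIN", "CRAM-MD5")):
    """True if the server offers any mechanism a password-based client speaks."""
    return any(m in mechs for m in client_mechs)


def probe(host, port=587, timeout=10):
    """Live check: mechanisms offered in clear and after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = parse_ehlo(smtp.ehlo_resp.splitlines())
        after = set()
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()                          # capabilities change after TLS
            after = parse_ehlo(smtp.ehlo_resp.splitlines())
    return before, after


if __name__ == "__main__":
    for label, reply in (("clear", EHLO_BEFORE_TLS), ("after STARTTLS", EHLO_AFTER_TLS)):
        offered = parse_ehlo(reply.splitlines())
        print(f"{label}: {sorted(offered) or 'no AUTH advertised'}")
```

If probe() reports an empty set before STARTTLS and LOGIN/PLAIN after it, the fix is on the client side (enable STARTTLS, as the reply above did), not on the connector. Advertising PLAIN or LOGIN on a cleartext session is the setting to avoid, since both send the password as reversible base64.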