Radius Server - Got PEAP working, trying for EAP-TLS, need some help

John Smith

2005-06-01, 5:54 pm

I have a working setup with PEAP, and am trying to get EAP-TLS working. I
have computer and user certificates on the client and a computer certificate
on the server. When I connect with the client I get the below.



The root certificate is "trusted" on both the client and server, and the
chain shows up with no problems if I click on any of the certs. Anyone got
any ideas?



PEAP is working perfectly, but I wanted to try and get it working with certs
as that is more secure. Thanks


Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 6/1/2005
Time: 2:56:31 PM
User: N/A
Computer: IAS1
Description:
User Bob was denied access.
Fully-Qualified-User-Name = ws.local/Accounts/Apartment Users/Bob
NAS-IP-Address = 192.168.1.17
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 00-12-17-e1-22-39
Client-Friendly-Name = wireless
Client-IP-Address = 192.168.1.17
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible
Authentication Protocol (EAP) Type cannot be processed by the server.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....


Wei Zheng [MSFT]

2005-06-02, 7:49 am

Hi,

It looks like either EAP-TLS is not configured on the client or on the server. Can
you make sure that BOTH are configured to use EAP-TLS?

Thx.


--
This posting is provided "AS IS" with no warranties, and confers no rights.
OR if you wish to include a script sample in your post please add "Use of
included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm"

Please do not send e-mail directly to this alias.
This alias is for newsgroup purposes only.
====================================
"John Smith" <na@na.com> wrote in message
news:eJGbO2uZFHA.2996@TK2MSFTNGP10.phx.gbl...
> I have a working setup with PEAP, and am trying to get EAP-TLS working, I
> have computer and user certificates on the client and computer certificate
> on the server. When I connect with the client I get the below.
>
>
>
> The root certificate is "trusted" on both the client and server, and the
> chain shows up with no problems if I click on any of the certs. Anyone got
> any ideas?
>
>
>
> PEAP is working perfectly, but I wanted to try and get it working with certs
> as that is more secure. Thanks
>
>
> Event Type: Warning
> Event Source: IAS
> Event Category: None
> Event ID: 2
> Date: 6/1/2005
> Time: 2:56:31 PM
> User: N/A
> Computer: IAS1
> Description:
> User Bob was denied access.
> Fully-Qualified-User-Name = ws.local/Accounts/Apartment Users/Bob
> NAS-IP-Address = 192.168.1.17
> NAS-Identifier = <not present>
> Called-Station-Identifier = <not present>
> Calling-Station-Identifier = 00-12-17-e1-22-39
> Client-Friendly-Name = wireless
> Client-IP-Address = 192.168.1.17
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 0
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = Wireless
> Authentication-Type = EAP
> EAP-Type = <undetermined>
> Reason-Code = 22
> Reason = The client could not be authenticated because the Extensible
> Authentication Protocol (EAP) Type cannot be processed by the server.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 00 00 00 00 ....
>
>



John Smith

2005-06-02, 5:53 pm

Sorry, I had the wrong error up, my bad.



On the server, under IAS Remote Access Policies, under EAP Methods, I have
"Smart Card or other certificate" selected. On the client, under
"Authentication", I have "Smart Card or other certificate" selected, and under
that I have "Use Certificate on this computer". I am getting the below error;
sorry, I seem to have posted the wrong one last time.



Error: A certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider.


Full Event log

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 6/2/2005
Time: 10:19:28 AM
User: N/A
Computer: LCS1
Description:
User Bob was denied access.
Fully-Qualified-User-Name = Users/Bob
NAS-IP-Address = 192.168.1.17
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 00-12-17-e1-22-39
Client-Friendly-Name = wireless
Client-IP-Address = 192.168.1.17
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 295
Reason = A certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 12 01 0b 80 ...

"Wei Zheng [MSFT]" <weizheng@online.microsoft.com> wrote in message
news:%23ZR2EH2ZFHA.1456@TK2MSFTNGP15.phx.gbl...
> Hi,
>
> It looks like either EAP-TLS is not configured on the client or on the server. Can
> you make sure that BOTH are configured to use EAP-TLS?
>
> Thx.
>
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> OR if you wish to include a script sample in your post please add "Use of
> included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm"
>
> Please do not send e-mail directly to this alias.
> This alias is for newsgroup purposes only.
> ====================================
> "John Smith" <na@na.com> wrote in message
> news:eJGbO2uZFHA.2996@TK2MSFTNGP10.phx.gbl...



Wei Zheng [MSFT]

2005-06-06, 8:49 pm

Hi,

Have you tried this?
http://support.microsoft.com/defaul...kb;en-us;255681

Follow the steps, see if it helps you.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm.

Please do not send e-mail directly to this alias.
This alias is for newsgroup purposes only.
====================================
"John Smith" <na@na.com> wrote in message
news:u#haB#4ZFHA.2900@TK2MSFTNGP15.phx.gbl...
> Sorry had the wrong error up, my bad.
>
>
>
> On the server, under IAS Remote Access Policies, under EAP Methods, I have
> "Smart Card or other certificate" selected. On the client, under
> "Authentication", I have "Smart Card or other certificate" selected, and under
> that I have "Use Certificate on this computer". I am getting the below error;
> sorry, I seem to have posted the wrong one last time.
>
>
>
> Error: A certification chain processed correctly, but one of the CA
> certificates is not trusted by the policy provider.
>
>
> Full Event log
>
> Event Type: Warning
> Event Source: IAS
> Event Category: None
> Event ID: 2
> Date: 6/2/2005
> Time: 10:19:28 AM
> User: N/A
> Computer: LCS1
> Description:
> User Bob was denied access.
> Fully-Qualified-User-Name = Users/Bob
> NAS-IP-Address = 192.168.1.17
> NAS-Identifier = <not present>
> Called-Station-Identifier = <not present>
> Calling-Station-Identifier = 00-12-17-e1-22-39
> Client-Friendly-Name = wireless
> Client-IP-Address = 192.168.1.17
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 0
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = Wireless
> Authentication-Type = EAP
> EAP-Type = Smart Card or other certificate
> Reason-Code = 295
> Reason = A certification chain processed correctly, but one of the CA
> certificates is not trusted by the policy provider.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 12 01 0b 80 ...
>
> "Wei Zheng [MSFT]" <weizheng@online.microsoft.com> wrote in message
> news:%23ZR2EH2ZFHA.1456@TK2MSFTNGP15.phx.gbl...



jburns

2005-09-19, 11:30 am

I received the exact same error as below, but my problem was with a CA certificate in the NTAuthCertificates Store in AD. Use the PKIHealth tool to remove and replace the offending certificate.
I had several issuing CAs, and was able to recognize that only one particular CA's certificates that were issued to the users/workstations never worked. I replaced its CA certificate in the store and all is well.

The Q article below describes how to work with the store.

http://support.microsoft.com/defaul...b;EN-US;Q295663


> Full Event log
>
> Event Type: Warning
> Event Source: IAS
> Event Category: None
> Event ID: 2
> Date: 6/2/2005
> Time: 10:19:28 AM
> User: N/A
> Computer: LCS1
> Description:
> User Bob was denied access.
> Fully-Qualified-User-Name = Users/Bob
> NAS-IP-Address = 192.168.1.17
> NAS-Identifier = <not present>
> Called-Station-Identifier = <not present>
> Calling-Station-Identifier = 00-12-17-e1-22-39
> Client-Friendly-Name = wireless
> Client-IP-Address = 192.168.1.17
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 0
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = Wireless
> Authentication-Type = EAP
> EAP-Type = Smart Card or other certificate
> Reason-Code = 295
> Reason = A certification chain processed correctly, but one of the CA
> certificates is not trusted by the policy provider.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 12 01 0b 80 ...
>
>
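The two IAS events quoted in this thread (Reason-Code 22 and Reason-Code 295) are the kind of thing an administrator ends up eyeballing in the Event Viewer. As an added example (not code from the thread, from Microsoft or from IAS), here is a small Python triage helper that parses the Description block of an IAS Event ID 2, handles the wrapped "Reason = ..." line, maps the reason code to the diagnosis the replies above gave, and counts denials per Calling-Station-Identifier so repeated failures from one client stand out. The sample input is the event text quoted in this thread, trimmed to the relevant attributes; the REASON_HINTS mapping is constructed from the two replies and covers only the two codes that appear here.

```python
import re
from collections import Counter
from typing import Dict, Iterable

# Constructed sample input: the Description blocks of the two IAS Event ID 2
# entries quoted in this thread, trimmed to the relevant attributes.
EVENT_REASON_22 = """User Bob was denied access.
Fully-Qualified-User-Name = ws.local/Accounts/Apartment Users/Bob
NAS-IP-Address = 192.168.1.17
Calling-Station-Identifier = 00-12-17-e1-22-39
NAS-Port-Type = Wireless - IEEE 802.11
Policy-Name = Wireless
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible
Authentication Protocol (EAP) Type cannot be processed by the server.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....
"""

EVENT_REASON_295 = """User Bob was denied access.
Fully-Qualified-User-Name = Users/Bob
NAS-IP-Address = 192.168.1.17
Calling-Station-Identifier = 00-12-17-e1-22-39
NAS-Port-Type = Wireless - IEEE 802.11
Policy-Name = Wireless
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 295
Reason = A certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 12 01 0b 80 ...
"""

# Diagnosis per reason code, taken from the replies in this thread (constructed
# mapping; only the codes that actually appear in the thread are covered).
REASON_HINTS = {
    "22": "EAP type mismatch: enable the same EAP method ('Smart Card or other "
          "certificate' for EAP-TLS) in both the client profile and the IAS policy",
    "295": "chain built, but a CA in it is not trusted by the policy provider: "
           "check the issuing CA's certificate in the NTAuthCertificates store",
}

# An IAS attribute line looks like "Key-Name = value"; keys contain no spaces.
KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*) = (.*)$")


def parse_ias_event(description: str) -> Dict[str, str]:
    """Parse an IAS Event ID 2 Description block into a dict of attributes.

    A line without ' = ' that directly follows an attribute line is treated as
    a wrapped continuation of that attribute (the Reason text spans two lines).
    A blank line ends the attribute block, so the trailing help text and the
    Data: hex dump are not glued onto the last attribute.
    """
    fields: Dict[str, str] = {}
    last_key = None
    for raw in description.splitlines():
        line = raw.strip()
        if not line:
            last_key = None
            continue
        m = KV_RE.match(line)
        if m:
            last_key = m.group(1)
            fields[last_key] = m.group(2).strip()
        elif last_key is not None:
            fields[last_key] += " " + line
        elif line.endswith("was denied access.") and "Summary" not in fields:
            fields["Summary"] = line
    return fields


def triage(fields: Dict[str, str]) -> Dict[str, str]:
    """Reduce a parsed event to the attributes an admin needs plus a hint."""
    code = fields.get("Reason-Code", "")
    return {
        "user": fields.get("Fully-Qualified-User-Name", "<unknown>"),
        "station": fields.get("Calling-Station-Identifier", "<unknown>"),
        "eap_type": fields.get("EAP-Type", "<unknown>"),
        "reason_code": code,
        "hint": REASON_HINTS.get(code, "reason code not covered in this thread"),
    }


def denials_per_station(descriptions: Iterable[str]) -> Counter:
    """Count denials per Calling-Station-Identifier (the client's MAC address)."""
    return Counter(
        parse_ias_event(d).get("Calling-Station-Identifier", "<unknown>")
        for d in descriptions
    )


if __name__ == "__main__":
    for desc in (EVENT_REASON_22, EVENT_REASON_295):
        print(triage(parse_ias_event(desc)))
    print(denials_per_station([EVENT_REASON_22, EVENT_REASON_295]))
```

Feeding the script a batch of Event ID 2 descriptions exported from the server gives one line per denial with the reason code already explained; a station that keeps appearing in the counter with Reason-Code 295 points at a client whose issuing CA is missing from the store, rather than at a user typing a bad password.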
Copyright 2003 - 2008 webservertalk.com