Wireless with PEAP Authentication not working using new NPS server

dharmendra2shah
Level 1

All,

We are planning to migrate from our old IAS server to a new NPS server. We are testing the new NPS server with our wireless infrastructure using WiSM. We are using PEAP with a server cert for authentication. For testing purposes we are doing user authentication, but our goal is to do machine authentication. On the client side we are using Windows XP, Windows 7 & iPads.

I believe I have configured the NPS & CA server as per the documents I found on the Cisco support forum & Microsoft's site.

But it is not working for me. I am getting the following error message on the NPS server.

Error # 1

=======

Cryptographic operation.

Subject:

            Security ID:                 SYSTEM

            Account Name:                       MADXXX

            Account Domain:                    AD

            Logon ID:                    0x3e7

Cryptographic Parameters:

            Provider Name:          Microsoft Software Key Storage Provider

            Algorithm Name:         RSA

            Key Name:      XXX-Wireless-NPS

            Key Type:       Machine key.

Cryptographic Operation:

            Operation:       Decrypt.

            Return Code:  0x80090010

Error # 2

======

An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

I was wondering if anyone has any insight on what is going on.

Thanks, Ds

1 Accepted Solution

Accepted Solutions

If you are doing PEAP, you don't need a client-side cert. I still believe the server-side cert is the cause of your issue. I believe you can export the cert from your IAS and import that on the NPS for testing.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***


16 Replies

Scott Fella
Hall of Fame

Is your IAS configured for wireless already, or are you doing a brand new install for wireless using NPS? Do you have a CA that you're issuing certificates from, or a third party?

Can you post some screenshots of your NPS configuration, or can you do an export and post that so we can see if you're setting up NPS correctly? Also, for machine authentication, Windows 7 works fine, Windows XP requires a registry fix, and how would you add the iPad to the computer OU?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Our wireless with the IAS server is working fine (with PEAP & server certs). We are doing a brand new install for wireless using NPS. We have also configured the NPS server as a CA server, and the CA server has issued a cert to the NPS server.

I should have stated earlier that our CA server is a standalone server and not an Enterprise server. Our domain admins don't like to integrate this server with AD. Therefore we push the root CA cert to clients using some other technique. Currently I am manually copying the cert onto the workstation I am testing.

See attached document for NPS configuration.

Currently, for testing purposes, we are doing user authentication.

Thanks for your help.

Ds

Under the Network Policies > Constraints, I would only select the top two checkboxes.

On your client, I would not validate the server certificate for testing purposes. On your Windows 7, just select User for now. If the authentication fails, can you post the log from the event viewer? What error do you see in the WLC? You can run a debug:

debug dot1x aaa

debug dot1x events

debug dot1x packets

-Scott
*** Please rate helpful posts ***

Scott,

I have disabled MS-CHAP v1 & only MS-CHAP v2 is enabled on Network Policies > Constraints.

I disabled validate certificate on Windows 7 and tried to authenticate; it is still failing. Here is the output from the event viewer:

Cryptographic operation.

Subject:

Security ID: SYSTEM

Account Name: MADHFSVNPSPI01$

Account Domain: AD

Logon ID: 0x3e7

Cryptographic Parameters:

Provider Name: Microsoft Software Key Storage Provider

Algorithm Name: RSA

Key Name: DOT-Wireless-NPS

Key Type: Machine key.

Cryptographic Operation:

Operation: Decrypt.

Return Code: 0x80090010

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: AD\mscdzs

Account Name: AD\mscdzs

Account Domain: AD

Fully Qualified Account Name: AD\mscdzs

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 64-ae-0c-00-de-f0:DOT

Calling Station Identifier: a0-88-b4-e2-79-cc

NAS:

NAS IPv4 Address: 130.47.128.7

NAS IPv6 Address: -

NAS Identifier: WISM2B

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 29

RADIUS Client:

Client Friendly Name: WISM2B

Client IP Address: 130.47.128.7

Authentication Details:

Connection Request Policy Name: Secure Wireless Connections

Network Policy Name: Secure Wireless Connections

Authentication Provider: Windows

Authentication Server: MADHFSVNPSPI01.AD.DOT.STATE.WI.US

Authentication Type: PEAP

EAP Type: -

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 23

Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

Attached are EAP logs & debug logs from the controller.

Thanks for all the help. I really appreciate it.

It must be your certificate. If you open up the MMC snap-in for certificates and look in the computer personal certificate folder, next to the certificate, do you see a key icon on the top left side of the certificate?

-Scott
*** Please rate helpful posts ***

On the CA server side I see the key. On the client side (Windows 7) I don't, because the server will not share its private key. I believe the key you are talking about is the private key.

Here is the screen shot

I agree with Scott that the issue is most likely your server certificate.

I have seen error messages like that a couple of times, and usually requesting a new computer certificate for the IAS/NPS (and changing the PEAP config to use it) did it for me.

Maybe you have the chance to get a server certificate from another NPS, where you know that it's working - for testing purposes?

I also would double-check Microsoft's requirements for NPS server certificates.

regards

Stefan

If you are doing PEAP, you don't need a client-side cert. I still believe the server-side cert is the cause of your issue. I believe you can export the cert from your IAS and import that on the NPS for testing.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***

I agree with you guys (Scott & Stefan). I am quite sure that the problem is the server certificate. How can I rectify that? My problem is with the certificate the CA server issues to the NPS server: it is not appearing under Network Policies > Constraints > Authentication method > Microsoft: Protected EAP (PEAP). When I click Edit I am seeing the CA server's certificate and NOT the certificate it issued to the NPS server.

How can I get the cert issued by the CA server to show up in Network Policies > Constraints > Authentication method > Microsoft: Protected EAP (PEAP)?

Where exactly is it stored on the NPS server?

The other problem I am thinking of is that my CA server is an Enterprise Standalone server. It is not integrated with AD. Will it make any difference?

You were correct. The problem was the certificate. I was able to convince our Windows Server admin to install the CA server as an Enterprise CA & not as a Standalone CA. Once the server was integrated with Active Directory, we requested the cert as per the procedure used by Windows and not using the Web method. The requested cert had the private key which was missing earlier.

Again, thanks a lot Scott!!!

This is the best forum. No need to open a TAC case.
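The thread's root cause was a server certificate in the NPS machine store with no private key (the KSP "Decrypt" failure with return code 0x80090010, and no key icon in the MMC). The following PowerShell check is an added example, not code from this thread or from Microsoft; it is meant to be run elevated on the NPS server and walks the same checklist Scott and Stefan describe: is the cert in LocalMachine\My at all, does it have a private key, does it carry the Server Authentication EKU that PEAP needs, is it in its validity window, and does it chain to a root the machine trusts. The subject filter string is a placeholder and should be replaced with part of the NPS cert's subject.

```powershell
# Added example (not from the thread): sanity-check a candidate PEAP server
# certificate in the local machine store before pointing NPS at it.
# Assumption: run elevated on the NPS server; $SubjectMatch is a placeholder.
$SubjectMatch  = 'Wireless-NPS'            # placeholder: part of the NPS cert's Subject CN
$serverAuthOid = '1.3.6.1.5.5.7.3.1'       # Server Authentication EKU, required for PEAP

# NPS only lists certificates from the computer's Personal store; a cert that
# was issued to the CA itself, or imported into CurrentUser, never shows up.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
         Where-Object { $_.Subject -like "*$SubjectMatch*" }

if (-not $certs) {
    Write-Warning "No certificate matching '$SubjectMatch' in Cert:\LocalMachine\My."
    return
}

foreach ($cert in $certs) {
    Write-Host "`nCertificate: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)"

    # 1. Private key. A cert enrolled through the CA web pages and then imported
    #    as a bare .cer file has no private key; NPS then logs a Key Storage
    #    Provider 'Decrypt' failure (0x80090010) when a PEAP client connects.
    $hasKey = $cert.HasPrivateKey
    Write-Host ("  Private key present:       {0}" -f $hasKey)

    # 2. Server Authentication EKU (Microsoft's requirement for PEAP server certs).
    $ekuExt = $cert.Extensions |
              Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($ekuExt) {
        $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }
    Write-Host ("  Server Authentication EKU: {0}" -f $hasServerAuth)

    # 3. Validity window.
    $now    = Get-Date
    $inDate = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    Write-Host ("  Within validity period:    {0}" -f $inDate)

    # 4. Chain to a trusted root on this machine. Clients that have the root
    #    installed and 'Validate server certificate' enabled need the same chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    Write-Host ("  Chain to trusted root:     {0}" -f $chainOk)
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { Write-Host "    - $($_.StatusInformation.Trim())" }
    }

    if ($hasKey -and $hasServerAuth -and $inDate -and $chainOk) {
        Write-Host "  RESULT: usable as a PEAP server certificate" -ForegroundColor Green
    } else {
        Write-Host "  RESULT: NOT usable for PEAP; fix the items marked False" -ForegroundColor Red
    }
}
```

If "Private key present" is False, re-enrolling from a domain-joined Enterprise CA with a template that marks the key as exportable or at least machine-bound (the route the original poster ended up taking) is the fix; importing the same .cer again will not create a key.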

Hi Scott,

I have read this complete thread while searching for an answer: clients connect/authenticate over autonomous APs with PEAP fine, but not with the WLC 5508 running 7.4.121.0. We plan the migration to the controller here and have tested it with a 2602i AP. But the client that is OK on the autonomous AP does not go into RUN state on the WLC.

It is the same GPO profile and the same NPS as RADIUS server. DHCP is OK and the events on the NPS show that the authentication is OK. The server certificate is not checked, and the NPS config was checked against the info from the postings here.

I see in the debug logs from the WLC similar messages as in the above posts.

Do we also have the problem with the server certificate here? But why does it work on autonomous but not over the WLC?

Thanks and best regards!

Marc.

The server certificate should be fine since the RADIUS server is working with autonomous. I think it's your policies that are the issue and what is being sent back to the WLC versus an autonomous AP. The easiest way to fix this is to go into your NPS, right click on your NPS (globe with the key) and export the configuration. Email or PM that to me and I can look at how you can tweak your policies. Also give me an overview of what you want... for example.... I want users in this AD group to be able to access the wireless on this SSID from a wireless device, etc.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Hi Scott,

Thanks for the answer to my question!

OK, at the moment I don't have any chance to get the export file from the NPS, but I have made a snapshot of the event log that shows me it all seems good!? But I don't know.

What we plan is to migrate about 25 autonomous 1242AG APs to CAPWAP. The 1242AG works fine with the RADIUS and PEAP.

In this test we have set up the new 5508 WLC and have one CAP2602i attached to the WLC. We use the same SSID enrolled over GPO. The RADIUS for the WLC is OK; first we had a mistake with the key here, but this problem was fixed.

The NPS policy is the same for the autonomous and WLC clients.

Why is the client now authenticated OK over the autonomous AP but not over the WLC? Where is the problem?

I have invited my colleagues to check the NPS config and policy again and also check the server certificate. I am waiting for their answers.

Bye and thanks a lot!

NPS-Event.jpg

Please scroll through the event log and see if the authentication actually shows hitting the correct policies in NPS. I see from your screenshot that the result is Full Access, but you need to also verify that it indeed can for the WLC AAA client and is hitting the correct policies.

Thanks,

Scott

*****Help out others by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***
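Scott's advice here is to confirm, per RADIUS client, which connection request policy and network policy each attempt actually matched, rather than trusting a single "Full Access" screenshot. The PowerShell below is an added example, not code from this thread; it assumes it is run on the NPS server (Windows Server 2008 R2 or later) with rights to read the Security log, where NPS writes event 6272 (access granted) and 6273 (access denied) through Microsoft-Windows-Security-Auditing. It pulls the labelled fields that appear in the event text the original poster pasted ("Client Friendly Name", "Network Policy Name", "Reason Code") and groups them by RADIUS client, so a working autonomous AP and a failing WLC entry can be compared side by side.

```powershell
# Added example (not from the thread): summarise recent NPS authentication
# results per RADIUS client, showing which policies were matched and why
# access was denied. Assumption: run on the NPS server; events 6272/6273 in
# the Security log; message layout as pasted earlier in this thread.
$since = (Get-Date).AddHours(-2)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) { Write-Warning "No NPS events (6272/6273) since $since"; return }

# Extract a "Label: value" line from the event text; '-' when absent.
function Get-NpsField([string]$Text, [string]$Label) {
    $pattern = "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$"
    if ($Text -match $pattern) { return $Matches[1] }
    return '-'
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time          = $e.TimeCreated
        Result        = if ($e.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
        User          = Get-NpsField $e.Message 'Account Name'   # first match is the User block
        RadiusClient  = Get-NpsField $e.Message 'Client Friendly Name'
        NasId         = Get-NpsField $e.Message 'NAS Identifier'
        CRP           = Get-NpsField $e.Message 'Connection Request Policy Name'
        NetworkPolicy = Get-NpsField $e.Message 'Network Policy Name'
        AuthType      = Get-NpsField $e.Message 'Authentication Type'
        ReasonCode    = Get-NpsField $e.Message 'Reason Code'
    }
}

# Per RADIUS client: which result / network policy / reason code combinations
# occur, and how often. A client whose attempts land on a different policy
# than the autonomous APs (or on no network policy at all) stands out here.
$rows | Group-Object RadiusClient | ForEach-Object {
    Write-Host "`nRADIUS client: $($_.Name)"
    $_.Group | Group-Object Result, NetworkPolicy, ReasonCode |
        Sort-Object Count -Descending |
        Format-Table @{ n = 'Count'; e = { $_.Count } },
                     @{ n = 'Result / Network policy / Reason code'; e = { $_.Name } } -AutoSize
}

# Most recent denials in full, for comparing a working AAA client with a failing one.
$rows | Where-Object Result -eq 'DENIED' | Sort-Object Time -Descending |
    Select-Object -First 10 Time, User, RadiusClient, NasId, CRP, NetworkPolicy, AuthType, ReasonCode |
    Format-Table -AutoSize
```

A 6272 for the WLC client with the expected network policy name confirms the RADIUS side; if the client still never reaches RUN on the controller, the remaining suspects are what the policy returns to the WLC (VLAN or other RADIUS attributes) and the controller-side dot1x debugs already mentioned in this thread.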