08-24-2012 12:18 PM - edited 07-03-2021 10:34 PM
Folks,
I'm almost mad. How much brain power does it usually take to have a Windows client connect to wireless using dot1x authentication?
No problem with Mac, iPhone, Android. Windows supplicant either sucks or I'm missing something.
I'm getting the error message for Windows authentication attempt:
Authentication failed :
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
The advanced properties for the client are as follows:
Association
Network authentication: WPA2
Data encryption: AES
Authentication
Protected EAP (PEAP)
Properties for Authentication via PEAP
Validate server certificate: checked
Select Authentication Method: EAP-MSCHAP v2 (automatically use my Windows logon name and password unchecked)
Enable fast reconnect: checked
I end up with endless prompts to enter username and password and this doesn't go anywhere.
Any suggestions, please?
08-24-2012 12:33 PM
Can you try not validating the server certificate, and see if that helps?
HTH,
Steve
08-24-2012 03:25 PM
Thanks, Steve.
The problem seems to be lying inside Windows' stupid logic of connecting to wireless networks.
This is what I discovered. Let's say this is a brand new PC that doesn't know anything about a new wireless network.
You open a list of available wireless networks and connect to the required one. You are an average user and you don't have the slightest idea what dot1x and EAP are about.
You simply connect and wait for some kind of interactive behaviour. Nothing happens. Windows opens a yellow balloon message saying "Windows was unable to find a certificate to log you on the network". The connection gets stuck on the Validating Identity phase.
I go into the wireless settings and find that:
1) The required SSID is automatically selected
2) Its authentication parameter is set to "Smart Card or other Certificate"
3) Validate server certificate is checked
Ok, I'm thinking that I'll have to teach average users to be computer nerds and change the settings of their wireless connection. I go to wireless settings, authentication and change it to PEAP, uncheck "Validate server certificates" and disable "automatically use my windows logon name and password". The connection goes through and I'm being authenticated and connected. Life is good and I'm going home.
Then I come back on the next day and try to connect again to the same network. To my greatest surprise and frustration I can't connect again. Verifying wireless settings reveals that damn stupid Windows again tries to use "Smart Card or other certificate" in the authentication settings even though the connection is now in the manual state.
I'm wondering what kind of warped logic Windows developers pursue when they design their Windows based wireless management. It doesn't work this way if I use a third party wireless management application for my wireless adaptor.
08-24-2012 03:51 PM
If these are domain users you could push the wireless profile with a GPO. That way you don't have to touch all the machines.
Steve
08-24-2012 05:09 PM
Some of them are domain users, some of them are not. Will see if I can persuade the client to do it.
Thanks, Steve, anyways.
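
Added example, not part of the original thread or any poster's code: a check that can be run over profiles exported with `netsh wlan export profile`, before and after a GPO rollout, flagging both states described above: the "Smart Card or other certificate" default (EAP type 13) and PEAP with server validation switched off. The element names are assumed to follow Microsoft's WLAN profile and PEAP schemas; the sample profile, its server name and thumbprint, and the finding strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample in the layout of an exported WLAN profile.
# SSID, server name and CA thumbprint are placeholders, not real values.
SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>ExampleSSID</name>
 <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
  <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
   <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
    <Type>{outer}</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
     <ServerValidation><ServerNames>{names}</ServerNames>{root_ca}</ServerValidation>
     <Eap><Type>26</Type></Eap>
     <PeapExtensions><PerformServerValidation>{validate}</PerformServerValidation></PeapExtensions>
    </EapType>
   </Eap>
  </Config></EapHostConfig>
 </EAPConfig></OneX></security></MSM>
</WLANProfile>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def texts(root, name):
    """Non-empty text of every element with this local name, in document order."""
    return [e.text.strip() for e in root.iter() if local(e.tag) == name and (e.text or "").strip()]

def audit_profile(xml_text):
    """Return findings for one exported profile; an empty list means no finding."""
    root = ET.fromstring(xml_text)
    eap_types = texts(root, "Type")  # outer method first (25 = PEAP), inner after
    outer = eap_types[0] if eap_types else "missing"
    if outer != "25":
        # 13 is EAP-TLS, which the UI labels "Smart Card or other certificate"
        return ["outer-eap-is-%s-not-peap" % outer]
    findings = []
    if "false" in [t.lower() for t in texts(root, "PerformServerValidation")]:
        findings.append("server-validation-disabled")
    if not texts(root, "TrustedRootCA"):
        findings.append("no-trusted-root-ca")
    if not texts(root, "ServerNames"):
        findings.append("no-server-name")
    return findings

if __name__ == "__main__":
    ca = "<TrustedRootCA>00 11 22</TrustedRootCA>"  # placeholder thumbprint
    print(audit_profile(SAMPLE.format(outer="25", names="radius.example.com", root_ca=ca, validate="true")))
    print(audit_profile(SAMPLE.format(outer="13", names="", root_ca="", validate="true")))
    print(audit_profile(SAMPLE.format(outer="25", names="", root_ca="", validate="false")))
```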