Negotiation error: the requested EAP methods are not available

Hi folks

We have a very strange phenomenon and maybe some of you guys can help me.

We had a perfectly working Network Policy Server 2008 R2 environment. NPS was running on a Domain Controller (2K8R2)
authenticating requests from various sources (Cisco WLAN Controller, Cisco Switches, …)

People connected to WLAN from Windows 7 computers, MacBook Pros, iPhones, Android devices, …

Everything was working fine until we upgraded our Domain Controllers to Server 2012 (in-place upgrade)
The upgrades went smoothly and error free. Domain Controllers are stable and our domain works fine.

There is one exception: Our Network Policy Server which was upgraded to 2012 as well.

The configuration has been migrated and seems to be exactly the same as before.

The only difference is that Windows 7 clients (notebooks which are not members of the domain)
cannot authenticate anymore. On the server side I see there is an event log entry (application):

Source: EapHost
Message: Negotiation failed. Requested EAP methods not available

— Creating the WLAN profile manually doesn’t help.
— Windows 7 asks for username/password (this is what we use. no computer/user certificates).
— CA certificate is installed on these computers

The strange thing is that users with Mac Books, iPhones, Android Mobiles have no problem authenticating.
Only when they try connecting to WLAN on Windows 7 it fails.

— The NPS Policies have not changed. 
— The same Windows 7 notebooks can successfully connect to other WLANs without a problem.

   So it seems not to be a client problem.

Why should the NPS server not know the EAP methods when other devices (iPhone, Android, MacBook) can connect successfully?

In the log file I see a rejection (code 3 in the fourth field). If I do the same on my Android Mobile I see code 2, which means success.

Request from Samsung Galaxy S3

"IKAWA","IAS",06/14/2013,10:00:54,1,"myuser","mydomain.local/Prod/INS/Users/Lastname, Firstname","00-08-30-00-b9-00:ins","5c-0a-5b-38-2e-60",,,"wlc","a.b.c.88",1,9,"a.b.c.88","wlc",,,19,,,2,11,"WLAN Access",0,"311 1 152.96.120.201 06/14/2013 04:13:00 4087",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,13,6,,,,"122",,,,,,,,,,,"WLAN Access",1,,,,
"IKAWA","IAS",06/14/2013,10:00:54,2,,"mydomain.local/Prod/INS/Users/Lastname, Firstname",,,,,,,,9,"a.b.c.88","wlc",,,,,,,11,"WLAN Access",0,"311 1 152.96.120.201 06/14/2013 04:13:00 4087",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,13,6,,,,"122",,,,,,,,"0x01494E534C4F43414C",,,"WLAN Access",1,,,,

Request from Windows 7 Notebook

"IKAWA","IAS",06/14/2013,10:05:17,1,"myuser","MYDOMAIN\MyUser","00-08-30-00-b9-00:ins","8c-70-5a-cd-05-e8",,,"wlc","a.b.c.88",1,9,"a.b.c.88","wlc",,,19,,,2,5,,0,"311 1 152.96.120.201 06/14/2013 04:13:00 4161",,,,"",,,,,,,,,,,,,,13,6,,,,"122",,,,,,,,,,,"WLAN Access",1,,,,
"IKAWA","IAS",06/14/2013,10:05:17,3,,"MYDOMAIN\MyUser",,,,,,,,9,"a.b.c.88","wlc",,,,,,,5,,22,"311 1 152.96.120.201 06/14/2013 04:13:00 4161",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"WLAN Access",1,,,,

This is so strange.

If anybody could help it would be great.

Regards,
Oliver
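
The request/reply pairs quoted in the post above can be decoded mechanically to see what NPS recorded for each client. This Python code is an added example, not part of the original post: the field positions assume the IAS log format that the quoted records follow, the lookup tables cover only the values needed here, the function name `summarize` is hypothetical, and the sample records are the post's own lines cut off after the Class field.

```python
import csv
import io

# 0-based positions in the IAS-format NPS log (assumed layout; matches the quoted records)
F_PACKET_TYPE, F_USER, F_CALLING_STATION = 4, 5, 8
F_AUTH_TYPE, F_POLICY, F_REASON, F_CLASS = 23, 24, 25, 26

PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAP v2", 5: "EAP", 11: "PEAP"}
REASONS = {0: "success", 22: "EAP type cannot be processed by the server"}  # partial table

# Constructed sample: the four records from the post, cut off after the Class field
SAMPLE_LOG = r'''
"IKAWA","IAS",06/14/2013,10:00:54,1,"myuser","mydomain.local/Prod/INS/Users/Lastname, Firstname","00-08-30-00-b9-00:ins","5c-0a-5b-38-2e-60",,,"wlc","a.b.c.88",1,9,"a.b.c.88","wlc",,,19,,,2,11,"WLAN Access",0,"311 1 152.96.120.201 06/14/2013 04:13:00 4087"
"IKAWA","IAS",06/14/2013,10:00:54,2,,"mydomain.local/Prod/INS/Users/Lastname, Firstname",,,,,,,,9,"a.b.c.88","wlc",,,,,,,11,"WLAN Access",0,"311 1 152.96.120.201 06/14/2013 04:13:00 4087"
"IKAWA","IAS",06/14/2013,10:05:17,1,"myuser","MYDOMAIN\MyUser","00-08-30-00-b9-00:ins","8c-70-5a-cd-05-e8",,,"wlc","a.b.c.88",1,9,"a.b.c.88","wlc",,,19,,,2,5,,0,"311 1 152.96.120.201 06/14/2013 04:13:00 4161"
"IKAWA","IAS",06/14/2013,10:05:17,3,,"MYDOMAIN\MyUser",,,,,,,,9,"a.b.c.88","wlc",,,,,,,5,,22,"311 1 152.96.120.201 06/14/2013 04:13:00 4161"
'''


def summarize(log_text):
    """Pair each Access-Request with its reply via the Class field and decode the outcome."""
    pending, results = {}, []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) <= F_CLASS:
            continue  # blank or truncated line
        packet_type = int(row[F_PACKET_TYPE])
        if packet_type == 1:
            pending[row[F_CLASS]] = row  # replies omit user and MAC, so keep the request
        elif packet_type in (2, 3) and row[F_CLASS] in pending:
            request = pending.pop(row[F_CLASS])
            reason = int(row[F_REASON] or 0)
            results.append({
                "user": request[F_USER],
                "client_mac": request[F_CALLING_STATION],
                "result": PACKET_TYPES[packet_type],
                "auth_type": AUTH_TYPES.get(int(row[F_AUTH_TYPE] or 0), "unknown"),
                "policy": row[F_POLICY] or "(none recorded)",
                "reason": REASONS.get(reason, f"reason code {reason}"),
            })
    return results


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        print(entry)
```

On the sample, the Android exchange decodes as an Access-Accept with authentication type PEAP under the "WLAN Access" policy, while the Windows 7 exchange decodes as an Access-Reject with authentication type EAP, no policy name recorded, and reason code 22.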

I set up RADIUS authentication for Wi-Fi connections, and I keep getting the message "Can't connect to this network".

[admin@MikroTik] /interface wireless> print
Flags: X - disabled, R - running
0 name="wlan1" mtu=1500 l2mtu=1600 mac-address=2C:C8:1B:14:4B:06 arp=enabled
interface-type=Atheros AR9300 mode=ap-bridge ssid="12345678"
frequency=auto band=2ghz-b/g/n channel-width=20mhz secondary-frequency=""
scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
bridge-mode=enabled default-authentication=yes default-forwarding=yes
default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
security-profile=profile2 compression=no
[admin@MikroTik] /interface wireless> security-profiles print

1 name="profile2" mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm
wpa-pre-shared-key="" wpa2-pre-shared-key="12345678" supplicant-identity="" eap-methods=passthrough
tls-mode=no-certificates tls-certificate=none mschapv2-username="" mschapv2-password="" disable-pmkid=no
static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none static-key-2=""
static-algo-3=none static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key=""
radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no interim-update=0s
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-called-format=mac:ssid
radius-mac-caching=disabled group-key-update=5m management-protection=disabled management-protection-key=""

I also set up login to the MikroTik itself through RADIUS, and that works perfectly.
In the RADIUS settings I ticked the wireless checkbox.


Answers

  • Hi folks

    It seems that after a 2h debugging session we found the problems and Windows Clients can connect again. It seems that there are two factors involved in the problem:

    1. We use a custom Domain Controller Certificate (derived from the Domain Controller Certificate Template but with an additional SAN instead of the DC FQDN only). This Certificate has no "Subject Name" (only SANs). It seems that NPS Server 2012 doesn’t like that and needs the Subject Name.

      But we are not 100% sure. We just see that it doesn’t work with our DC Certificate (which works fine for the whole Domain Environment) and it works with the automatically enrolled one.

    2. We had two conflicting WLAN Access Rules. One under Connection Request Policies and another one under Network Policies.

      The first one was set to override the network policy (Auth Methods) but looked more or less identical with the exception that it had the "less secure authentication methods" (MS-CHAP-v2, MS-CHAP, CHAP, PAP, SPAP) enabled in addition to EAP-PEAP while the second one only had EAP-PEAP. So we disabled the override and changed the certificate to the auto enrolled one and it worked again (Windows, Android, iOS, OS X).

      Could it be that the Domain Controller after upgrading to Server 2012 (NPS is installed on DC) rejects some of the less secure authentication methods we had checked? I mean could it be that DC 2012 acts differently than DC 2008 R2 and this has an impact on NPS 2012?

    Anyway. It works again but there is still the feeling that we don’t know exactly what the roots of the problem are.
    As already mentioned, this configuration worked flawlessly on Server/NPS 2008 R2. Maybe it is a bug on the 2012 product line; who knows.

    Thanks for helping anyway

    Regards,

    Oliver

    • Marked as answer by

      Thursday, June 27, 2013 11:18 AM
