I’ve been tasked with getting our wired network protected by 802.1x security and have followed various documentation in order to set it up using Windows Server 2012R2 with NPS for the RADIUS authentication. I’ve enabled a port on our user switch to use 802.1x and have been testing a PC on it; however, I’ve not been able to get it to authenticate.
The switch I’ve set up is a Cisco 3750, which looks to be set up correctly, and requests are certainly getting to the NPS server, which is doing the RADIUS server task.
The aim is to have the PCs authenticate using a certificate when they start up.
I have set up a certificate which I have rolled out to the devices (and checked that the certificate is on the test device).
I’ve configured the Windows 7 supplicant with the necessary Authentication settings in the network settings and have configured the Connection Request and Network policies on the Network Policy Server.
I’ve even configured the security at present to “allow clients to connect without negotiating an authentication method” so in theory they should connect.
I’ve attached the log that shows a round of authentication process for the device. It seems to be giving authentication failure from what I can see but I don’t understand why.
I’m not sure if I need to have particular RADIUS attributes configured but wouldn’t expect it to return authentication failure due to that anyway.
In my network policy security I currently have the following enabled:
Microsoft Smart Card or other certificate
Microsoft: Protected EAP (PEAP)
also MS-CHAP-V2 and MS-CHAP and “allow clients to connect…”
Can anyone offer any suggestions?
Happy to put a few screenshots in of settings if required.
inkmaster (InkMaster):
How is your Group Policy configured for the Wireless Network in terms of Authentication Mode?
On the Security tab of the Wireless Profile, Authentication Mode can be set to User or Computer, Computer, User, or Guest.
For it to work before a user logs in, it should be User or Computer combined or User Authentication.
Also, can you paste the errors from the NPS logs scrubbing any sensitive data?
It’s wired not wireless but here’s the GPO settings.
I’m getting what I attached in the NPS log, but in Event Viewer I’m not seeing any failures where I’d expect, in the Network Policy and Access Services area.
I only get occasional 4400 messages to say that an LDAP connection with the DC has been established.
Is there somewhere I need to enable logging to get the errors to come in?
inkmaster (InkMaster):
Geez, I completely read it as wireless, but the configuration should be similar.
For our implementation, I have our internal Certificate Server checked as a Trusted Root Certification Authority. Also, on Select Authentication Method, ours is set to Secure Password (EAP-MSCHAP v2).
There are no attachments for the logs on the post.
I’ve set the same as that and am still getting the same.
Here are my network access policies. The only thing I wasn’t sure about was the RADIUS attributes, but I didn’t think these would give the “Authentication failure” that I’m getting on the client.
Do you have RADIUS accounting configured?
Looking at the RADIUS logs would be helpful to see why exactly the clients are getting rejected.
They will be a bit cryptic. You will want to look at the reason codes.
Here are what they mean.
Hmmm, it would appear I’m getting reason code 0.
Which means it was successfully authenticated!
But on the network adaptor details, when it tries to connect, it shows “authentication failed”.
jordack2 (Jordack):
Silly question: do you have wireless clients using the same NPS server? I only ask this because while I was working on getting wired to work I kept seeing successful requests, but those were wireless. The logs can be a mess; it made it easier to copy/paste (mine save in XML) into Dreamweaver or something that can format it.
As an added note, don’t learn from experience, when you get it working add the secondary nps server. It will save you from having a really bad morning.
No we don’t have any wireless set up and 802.1x is only set up on a single port at the moment that I’m using for testing.
justin1250 (Justin1250):
My guess would be something in the RADIUS client is not set up correctly. If the RADIUS server is saying everything is good to go, which it is with a code 0, then the switch should be allowing the laptop to connect.
I’m not sure on the Cisco side of things, but I am sure there must be some kind of logs or something.
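As an added example (not code from any poster in this thread), the following Python script parses NPS “DTS compliant” XML log lines, keeps only wired events (NAS-Port-Type 15) so wireless accepts do not get mixed in as jordack2 describes, and tallies Access-Accept/Access-Reject with the Reason-Code per client MAC, so an NPS code 0 paired with a client-side “authentication failed” stands out as a switch-side problem, as justin1250 suggests. The log lines, MAC addresses, hostnames, IPs and the abbreviated reason-code table are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# RFC 2865 NAS-Port-Type values and RADIUS packet-type codes
ETHERNET, WIRELESS_80211 = 15, 19
PACKET_TYPE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 11: "Access-Challenge"}
# Small subset of NPS reason codes; the full list is in Microsoft's NPS documentation
REASON = {0: "success", 16: "bad credentials", 22: "EAP type cannot be processed",
          48: "no matching network policy", 65: "network access permission denied"}

# Constructed sample of an NPS XML log: one <Event> element per line, no root element
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">05/20/2015 09:01:02.123</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">1</Packet-Type><User-Name data_type="1">host/pc1.corp.example</User-Name><Calling-Station-Id data_type="1">00-11-22-AA-BB-CC</Calling-Station-Id><NAS-Port-Type data_type="0">15</NAS-Port-Type><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address></Event>
<Event><Timestamp data_type="4">05/20/2015 09:01:02.456</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">2</Packet-Type><User-Name data_type="1">host/pc1.corp.example</User-Name><Calling-Station-Id data_type="1">00-11-22-AA-BB-CC</Calling-Station-Id><NAS-Port-Type data_type="0">15</NAS-Port-Type><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">05/20/2015 09:01:05.001</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">2</Packet-Type><User-Name data_type="1">host/laptop7.corp.example</User-Name><Calling-Station-Id data_type="1">00-11-22-DD-EE-FF</Calling-Station-Id><NAS-Port-Type data_type="0">19</NAS-Port-Type><Client-IP-Address data_type="3">10.0.0.9</Client-IP-Address><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">05/20/2015 09:01:09.777</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Packet-Type data_type="0">3</Packet-Type><User-Name data_type="1">host/pc2.corp.example</User-Name><Calling-Station-Id data_type="1">00-11-22-12-34-56</Calling-Station-Id><NAS-Port-Type data_type="0">15</NAS-Port-Type><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Reason-Code data_type="0">48</Reason-Code></Event>
"""


def parse_events(log_text):
    """Yield one dict per <Event> line, mapping attribute name to its text value."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("<Event>"):
            continue  # skip blank lines or anything that is not an NPS event
        root = ET.fromstring(line)
        yield {child.tag: (child.text or "") for child in root}


def summarize(log_text, port_type=ETHERNET):
    """Per Calling-Station-Id (client MAC) on the given NAS-Port-Type, count each
    (packet type, reason code, description) seen in NPS responses."""
    summary = defaultdict(Counter)
    for ev in parse_events(log_text):
        if int(ev.get("NAS-Port-Type", -1)) != port_type:
            continue  # drop e.g. wireless (19) events when investigating wired ports
        ptype = int(ev.get("Packet-Type", 0))
        if ptype not in (2, 3):
            continue  # only Access-Accept/Access-Reject carry the NPS decision
        reason = int(ev.get("Reason-Code", -1))
        mac = ev.get("Calling-Station-Id", "?")
        summary[mac][(PACKET_TYPE[ptype], reason, REASON.get(reason, "see NPS docs"))] += 1
    return summary


if __name__ == "__main__":
    for mac, counts in summarize(SAMPLE_LOG).items():
        for (ptype, code, text), n in counts.items():
            print(f"{mac}: {ptype} reason {code} ({text}) x{n}")
```

Point the script at a real log with `summarize(open(path).read())`; an accept with reason 0 for the test PC's MAC while the supplicant still reports failure means the decision is being lost between NPS and the switch port, not in the network policy.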