Re: PEAP-TLS with MS NPS

 
 
James McIllece [MS]
01-19-2010, 09:09 PM
Rick <(E-Mail Removed)> wrote in news:34dc55d2-fd46-4de8-a3b9-
(E-Mail Removed):

> I set up a Windows Cert server and NPS server running Win 2008R2 in an
> AD domain. I am trying to have my wireless clients use computer-based
> certificates; however, my NPS server is not seeing it as a proper cert
> for authentication.
>
> I am able to issue a user-based cert OK and it sees it, and
> authenticates just fine. So I know there are no problems with the
> Cisco wireless or the NPS server as a whole.
>
> From what I have seen, to make a computer cert, on the PKI server I
> right-click on the "Workstation Authentication" template and create a
> new one, change permissions, the subject name is common name (I have
> tried DNS and fully distinguished name as well), and make sure the
> alternate subject name is DNS.
>
> I then go into the CA portion and create a new certificate template to
> issue, and I select the one I created.
>
> I then go to the client and request a new cert, select the cert I
> made, then restart wireless, but instantly it comes up saying that
> it is unable to locate a cert for the wireless network.
>
> I have been banging my head on this for some time. It must be
> something I am missing with the computer cert, since I was able to make
> it work with the user cert with no problems.
>
> Thanks for any assistance!
>
>


Hi there --

Have you verified in the Certificates MMC on the client that the computer
actually did enroll a certificate and that the certificate is correctly
configured with the FQDN?

What is the template version that you selected when duplicating the
template?

When you attempted to enroll the computer cert, was the computer plugged
into the wire?

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
James McIllece [MS]
01-21-2010, 08:37 PM
Rick <(E-Mail Removed)> wrote in
news:1eb37973-ec5d-4fee-9051-(E-Mail Removed):

> Hi James,
> I did have the local NIC plugged in. There were times when I forgot,
> but I quickly got reminded when it said it could not talk to the Cert
> server when I requested a cert. I did not have auto-enrollment turned
> on yet; I presently just requested the certificate, and it comes back
> successful and I can see it in the certificate store on the client
> machine.
>
> I am duplicating the "Workstation Authentication" template; it says it
> is for "Client Authentication", and the version is 101.7.
>
> Thanks for the assistance!
>


Hi Rick --

I don't recall the version numbers off the top of my head; the main thing
is that when duplicating the template, for interoperability with client
OSes, make sure you're selecting "Windows Server 2003."

Clearly this is a rough issue to troubleshoot in email, so my best advice
is that you review the certificate configuration against the instructions
in either the Foundation Network Guide (for WS08 CAs) or the Core Network
Guide (if your CA is WS08 R2). If the NPS server isn't accepting the client
cert, it is most likely that the cert has a configuration issue of some kind.

For WS08 CA:

Foundation Network Companion Guide: Deploying Computer and User
Certificates, at http://technet.microsoft.com/en-us/library/cc754057(WS.10).aspx

Specific topic: Configure the Workstation Authentication Certificate
Template, at http://technet.microsoft.com/en-us/library/cc732966(WS.10).aspx

For WS08 R2 CA:

Core Network Companion Guide: Deploying Computer and User Certificates, at
http://technet.microsoft.com/en-us/l...43(WS.10).aspx

Specific topic: Configure the Workstation Authentication Certificate
Template, at http://technet.microsoft.com/en-us/library/ee407536(WS.10).aspx

Using the 802.1X wireless deployment guide is a good idea as well:

802.1X Authenticated Wireless Deployment Guide, at
http://technet.microsoft.com/en-us/l...93(WS.10).aspx

You can check the client configuration against the information in
"Configure Wireless Computers Running Windows Vista to Use PEAP-TLS," or
the other topics in that section for XP computers:

http://technet.microsoft.com/en-us/l...53(WS.10).aspx

HTH...

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Ace Fekay [MVP-DS, MCT]
01-22-2010, 04:24 AM

"James McIllece [MS]" <(E-Mail Removed)> wrote in message
news:Xns9D078A9A1B4DEjamesmcimsftcorp@207.46.248.16...


Jim,

If I am not mistaken, Rick would have needed to set up the CA on an
Enterprise edition so that the version 2 (and now possibly v3?)
certificate templates are available for creating wireless certificates for
machine and/or user authentication. Unless that was changed in 2008 R2?

The last time I set this up was on a 2003 Ent Edition using a Cisco 1231 AP
for user-only authentication, and it worked nicely. I haven't used 2008 for
this yet, since the only customer I did that for has been on their 2003
implementation for the past 4 years and doesn't feel they need to change.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.


 
Ace Fekay [MVP-DS, MCT]
01-22-2010, 02:32 PM
> We do have the CA on Enterprise server. I have not done too much with
> that other than install it and duplicate the template. One thing I have
> noticed is that some documentation says the user/computer cert should
> have an object identifier of 1.3.6.1.5.5.7.3.2.
>
> This is a clip from the Windows 2008 Foundation Network Companion
> Guide for Deploying Computer and User Certs:
>
> "The user or computer certificate is configured with the Client
> Authentication purpose in Application Policies extensions (also called
> Enhanced Key Usage or EKU extensions). The object identifier for
> Client Authentication is 1.3.6.1.5.5.7.3.2. By default, the User and
> Workstation Authentication certificate templates contain this purpose
> in Application Policies extensions."
>
> Which is why I was able to make it work using the user certificate (it
> had that object identifier), but the workstation authentication cert
> had: Object identifier:
> 1.3.6.1.4.1.311.21.8.16347914.12858520.16401040.13237215.10349353.124.13096624.16110874
>
> But it did have the Intended Purpose of "Client Authentication". So I
> am a little unclear about why the documentation says it has to have
> 1.3.6.1.5.5.7.3.2.
>
> Thanks for your input so far! I'll look at the other links and see if
> I am missing something.
>
>


I am not sure why the object identifier should be that as well. Did any
of the links Jim offered help in explaining it?

Ace
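
James's first reply asks whether the computer really enrolled a certificate that carries the FQDN, and Rick's post above turns on which OIDs the workstation certificate carries. The PowerShell below is an added example, not code from the thread or from Microsoft's guides: run on the client, it lists every certificate in the machine's personal store with the properties NPS cares about, and it reports the Enhanced Key Usage OIDs separately from the certificate-template extension (Windows enterprise CAs assign template identifiers under the 1.3.6.1.4.1.311.21.8 arc, which is the shape of the long OID Rick quotes). The function name Test-ComputerAuthCert and the default FQDN lookup are assumptions of this example.

```powershell
# Added example (not from the thread): inspect the local computer's personal
# store for a certificate that meets the requirements discussed above for
# computer (machine) authentication against NPS. Assumes Windows PowerShell 3+
# on the client and that the cert was enrolled into Cert:\LocalMachine\My.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU (from the guide Rick quotes)
$TemplateOids  = '1.3.6.1.4.1.311.21.7',  # Certificate Template Information (v2 templates)
                 '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)

function Test-ComputerAuthCert {
    param(
        # FQDN the client should present; defaults to this machine's own name.
        [string]$Fqdn = ([System.Net.Dns]::GetHostEntry('').HostName)
    )
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # EKU OIDs: this list, not the template OID, is where 1.3.6.1.5.5.7.3.2 must appear.
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        # SAN dNSName entries (the "alternate subject name is DNS" setting in the template).
        $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        # Template extension text, e.g. "Template=<name>(1.3.6.1.4.1.311.21.8....)".
        $tmpl = @($cert.Extensions |
                  Where-Object { $TemplateOids -contains $_.Oid.Value } |
                  ForEach-Object { $_.Format($false) })

        # Chain build only; revocation is skipped so the check runs offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey        # no key = nothing to prove possession with
            ClientAuthEku = ($ekus -contains $ClientAuthOid)
            EkuOids       = ($ekus -join ', ')
            SanHasFqdn    = ($sans -contains $Fqdn)
            SanDnsNames   = ($sans -join ', ')
            Template      = ($tmpl -join '; ')
            ChainBuilds   = $chainOk
            ChainStatus   = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            NotAfter      = $cert.NotAfter
        }
    }
}

# Show every certificate, then only those that pass all the checks NPS relies on.
Test-ComputerAuthCert | Format-List
Test-ComputerAuthCert |
    Where-Object { $_.HasPrivateKey -and $_.ClientAuthEku -and $_.SanHasFqdn -and $_.ChainBuilds } |
    Select-Object Subject, Thumbprint, NotAfter
```

If the second listing is empty, the property that is false in the first listing is the one to fix in the template or the enrollment, before looking at the NPS or controller side.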


 
Ace Fekay [MVP-DS, MCT]
01-22-2010, 11:17 PM

> I did see one thing I missed: on the NPS server, I saw that I was
> using a computer cert, not a RAS/ISA cert (but it must have met the
> requirements, since I was able to make it work with USER-based certs). I
> duplicated that cert and then tried again; still, the workstation auth
> cert will not work, but a user cert works just fine.
>
> Must be something with that computer cert that is not right?? But I
> followed the directions, and the subjALT name is marked as DNS, and
> for the subject I tried with common name and fully qualified name. But
> still nothing.
>
> Does anyone have this working with a machine cert, and could I see a
> screen shot or two of the client's cert?
>
> Thanks!
>


Glad to hear you're making some headway. I would suggest recreating
the computer cert, trying to install the cert manually in the computer's
local store, and giving it a shot.

Ace


 
Ace Fekay [MVP-DS, MCT]
02-03-2010, 04:19 PM
> Hi Ace,
> I did recreate the cert for the computer, but still nothing. One
> thing I did do was put Wireshark on the NPS box. When I put the user
> cert on it, I see the RADIUS communication between the NPS and the
> Cisco WISM. However, when I remove the user cert and leave only the
> computer cert, I don't see any additional activity between the two.
> Nothing is set differently on the Cisco WISM; all 802.1x traffic
> is sent to the NPS server. So it seems like something in AD/
> Microsoft XP is stopping it??? Not sure what.
>
> Thanks for your input.
>
> Rick


Hi Rick,

I tried to read back to see which template you were using. Remember, it
has to be a version 2, and I believe 2008 now has a version 3 template.
Can you identify the template ver?

It's been a number of years doing this on 2003, so I am going
completely on memory.

Also, did those links James provided help?

Otherwise, if there is a Cisco WISM involved, do you have Cisco Gold
Support? They will walk you through it step by step. Same with
Microsoft PSS.

--
Ace



 
Ace Fekay [MVP-DS, MCT]
02-10-2010, 10:50 PM
> Yes, it is version 2, keeping it Windows 2003. Here are some other
> extra tidbits I saw...
>
> Sorry for my delay. I did have the trusted roots set up right. I was
> able to make it work with my User Cert.
>
> I did a Wireshark sniff on the laptop, and when I use the user cert:
>
> * I see the Cisco Controller do an EAP Request Identity.
> * Then the laptop responds EAPOL Start
> * Cisco responds: Request Identity
> * Laptop responds to that.
> * Cisco: Request PEAP
> * Laptop: Client Hello
> * Cisco: Request PEAP
> * Laptop: Response PEAP
> * Cisco: TLS - Server Hello, Certificate Request, Server
> * Laptop: TLS - Certificate, Client Key Exchange, Change Cipher
> Spec
> * Cisco: Encrypted Handshake Message
> * Laptop: Response PEAP.
>
> Etc... Then it connects.
>
> When I only have the Machine cert, I get the first 3 lines. Then
> Cisco keeps requesting Identity 2 more times, then nothing. Like
> the laptop has nothing to respond back with even though it has a
> Computer Cert.
>
> Weird.


The user cert setup is what I used with that one customer in the past,
and it works nicely. I never bothered with the computer cert, because we
figured the user cert would be enough. I know it would have been one
additional layer. It's been a while, trying to remember back. IIRC, there
were additional steps involved to use the computer cert either on the
NPS side, or the Cisco side, or both. Something is missing, and I can't
think of it.

I would probably suggest the best thing at this point is to contact
Microsoft PSS.

Sorry I wasn't more helpful.

Ace


 