
WiFi with EAP-TLS (DC, CA and NPS server) not working


Hi techs, I'm trying to set up a lab for a WiFi network protected by EAP-TLS.
The goal is to get wireless devices (laptop, PlayBook, BB10) authenticated on the WiFi using certificates (only).
Current status is that the handshake between AP and NPS is not going well...
I used MS Network Monitor 3.4 on the client and NPS server.

On the client I see
Some EAP:Requests and an EAP:Response
EAPOL:EAPOL-Start
EAP:Request
EAP:Failure (Code: Failure, 4 Id 3)
EAP:Request
EAP:Response
After a while trying to connect, it says: can't connect to this network

On the NPS server I see
from AP to NPS: TLS:TLS Rec Layer-1 HandShake: Client Hello.
from NPS to AP: TLS:TLS Rec Layer-1 HandShake: Server Hello. Certificate
from NPS to AP: IPv4:[Fragment, Offset = 1480] Src = 192.168..., Dest = 192.168...etc
TLS:TLS Rec Layer-1 HandShake: Client Hello.
TLS:TLS Rec Layer-1 HandShake: Server Hello. Certificate
from NPS to AP: IPv4:[Fragment, Offset = 1480] Src = 192.168..., Dest = 192.168...etc
This repeats a few times.

So far I've got the following:
1x Linksys WAP300N
1x WIN2008STD as a DC
1x WIN2008ENT as a Root CA
1x WIN2008STD as a NPS
1x WIN8ENT as a client

Configured as follows (as a source I used http://technet.microsoft.com/en-us/library/dd283093(v=ws.10).aspx)
Linksys: 
Operation: Access Point, Security: WPA2-Enterprise, IP of NPS server, port 1812

DC: 
GPO set up to autoenroll user and computer certificates

Root CA: 
Duplicated the templates: RAS and IAS Server, and User
Added them to the Certificate Templates of the CA so they are issued.

NPS:
Added the Linksys as RADIUS client
Ran the config wizard for 802.1X Wireless or Wired Connections
EAP Types is set to Microsoft: Smart Card or other certificate
Certificate selected that the NPS server got from the CA (duplicate of the RAS and IAS Server template)
All other Less secure authentication methods unchecked (because I only want to use certificate authentication).

WIN8ENT:
Used GPO at first, but turned that off to manually create the profile and play around with the settings.
Security type: WPA2-Enterprise - AES
Microsoft: Smart Card or other certificate (default settings, verify the server's identity and root CA certificate checked)
802.1X settings: User authentication selected.

I can confirm the client has a personal certificate in the Personal folder and the root CA certificate in the Trusted Root (and Intermediate) folder. These certificates are placed there automatically through AD and autoenrollment.
The NPS server holds a computer certificate, hence I could select it in the NPS configuration.
It also has the root CA certificate in the Trusted Root (and Intermediate) folder. 

I'm happy to give more details when needed, if you have any idea which part could be causing this issue.
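
As an added example (not part of the original post), the capture pattern described above can be checked mechanically: the script below splits Network Monitor-style summary lines into handshake attempts, one per Client Hello, and flags attempts where the NPS certificate flight was IP-fragmented and the AP never continued the handshake. The `from X to Y:` line format, the sample lines and the placeholder addresses are constructed for illustration; the function names are hypothetical.

```python
import re

# Constructed sample modeled on the summaries quoted in the post.
# Addresses are placeholders; the post elides the real ones.
SAMPLE = """\
from AP to NPS: TLS:TLS Rec Layer-1 HandShake: Client Hello.
from NPS to AP: TLS:TLS Rec Layer-1 HandShake: Server Hello. Certificate
from NPS to AP: IPv4:[Fragment, Offset = 1480] Src = 192.0.2.10, Dest = 192.0.2.20
from AP to NPS: TLS:TLS Rec Layer-1 HandShake: Client Hello.
from NPS to AP: TLS:TLS Rec Layer-1 HandShake: Server Hello. Certificate
from NPS to AP: IPv4:[Fragment, Offset = 1480] Src = 192.0.2.10, Dest = 192.0.2.20
"""

LINE = re.compile(r"^from (?P<src>\w+) to (?P<dst>\w+): (?P<summary>.+)$")
FRAG = re.compile(r"IPv4:\[Fragment, Offset = (?P<off>\d+)\]")

def analyze(text):
    """Split a capture summary into handshake attempts (one per Client Hello)."""
    attempts = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, summary = m["src"], m["summary"]
        if src == "AP" and "Client Hello" in summary:
            attempts.append({"server_hello": False, "frag_offsets": [],
                             "client_replied": False})
        elif not attempts:
            continue  # traffic seen before the first Client Hello
        elif src == "NPS" and "Server Hello" in summary:
            attempts[-1]["server_hello"] = True
        elif src == "NPS" and (f := FRAG.search(summary)):
            attempts[-1]["frag_offsets"].append(int(f["off"]))
        elif src == "AP" and attempts[-1]["server_hello"]:
            # A later client message means the server flight was received.
            attempts[-1]["client_replied"] = True
    return attempts

def stalled_after_fragment(attempts):
    """Indexes of attempts whose fragmented server flight got no client reply."""
    return [i for i, a in enumerate(attempts)
            if a["server_hello"] and a["frag_offsets"] and not a["client_replied"]]

def min_datagram_size(offset, ip_header=20):
    """Lower bound on the original IPv4 datagram, assuming a 20-byte header
    without options and a non-empty fragment at this offset."""
    return ip_header + offset + 1

if __name__ == "__main__":
    found = analyze(SAMPLE)
    print(len(found), "attempts; stalled:", stalled_after_fragment(found))
    print("server datagram was at least", min_datagram_size(1480), "bytes")
```

A fragment at offset 1480 means the RADIUS datagram carrying the server certificate was larger than a 1500-byte frame, so every hop between the NPS server and the AP has to pass and reassemble IP fragments for the handshake to continue.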

