Channel: Network Access Protection forum

802.1 Certificate based W-LAN access for user and device with NPS and Windows CA (EAP-TLS)


Hello Community,

I have a problem with certificate-based W-LAN access with device AND user certificates from a two-tier PKI infrastructure.

First to the infrastructure:

  • Four domain controllers, Windows Server 2012 R2
  • One of them has NPS installed
  • One Cisco WTC W-LAN controller as RADIUS client
  • Two-tier PKI (offline root CA and Active Directory-integrated issuing sub CA)
  • The domain controller with NPS has a certificate installed from the issuing CA (DomainController template) that is used for RADIUS
  • The client computer (domain member) has a computer certificate from the issuing CA in the local certificate store in the computer context
  • The user on the client PC has a user certificate from the issuing CA in the local certificate store in the user context
  • On all systems the certificate chain is without errors/warnings

Now to the Problem:
When I configure rules in RADIUS for certificate-based authentication, W-LAN access works with EAP-TLS only for the computer account and not for the user. The option "smart cards or certificates" is set as the only option. One group with computer accounts and one group with user accounts are added as conditions.

The certificate for NPS Server has following as Extended key usage:

  • Server Authentication (1.3.6.1.5.5.7.3.1)
  • Client Authentication (1.3.6.1.5.5.7.3.2)

The Client certificate has the following as Extended key usage:

  • Server Authentication (1.3.6.1.5.5.7.3.1)
  • Client Authentication (1.3.6.1.5.5.7.3.2)

The user account in Active Directory is set to "Control access through NPS Network Policy" in dial-in properties.

Here are some logs from the client with a failed attempt to connect to the W-LAN with user AND computer account certificate as criteria. Hope some of you guys can help?

[1172] 10-25 11:32:05:886: PeapReadConnectionData
[1172] 10-25 11:32:05:886: IsIdentityPrivacyInPeapConnPropValid
[1172] 10-25 11:32:05:886: PeapReadUserData
[1172] 10-25 11:32:05:886: No Credentails passed
[1172] 10-25 11:32:05:886: RasEapGetInfo
[1172] 10-25 11:32:05:886: EAP-TLS using All-purpose cert
[1172] 10-25 11:32:05:886:  Self Signed Certificates will not be selected.
[1172] 10-25 11:32:05:886: EAP-TLS will accept the  All-purpose cert
[1172] 10-25 11:32:05:886: EapTlsInitialize2: PEAP using All-purpose cert
[1172] 10-25 11:32:05:886: PEAP will accept the  All-purpose cert
[1172] 10-25 11:32:05:886: PeapGetIdentity returned the identity as host/ComputerAccount.domain.tld
[1172] 10-25 11:32:05:886: EAP-TLS using All-purpose cert
[1172] 10-25 11:32:05:886:  Self Signed Certificates will not be selected.
[1172] 10-25 11:32:05:886: EAP-TLS will accept the  All-purpose cert
[1172] 10-25 11:32:05:886: EapTlsInitialize2: PEAP using All-purpose cert
[1172] 10-25 11:32:05:886: PEAP will accept the  All-purpose cert
[1172] 10-25 11:32:05:886: PeapReadConnectionData
[1172] 10-25 11:32:05:886: IsIdentityPrivacyInPeapConnPropValid
[1172] 10-25 11:32:05:886: PeapReadUserData
[1172] 10-25 11:32:05:886: No Credentails passed
[1172] 10-25 11:32:05:886: RasEapGetInfo
[1172] 10-25 11:32:05:886: EAP-TLS using All-purpose cert
[1172] 10-25 11:32:05:886:  Self Signed Certificates will not be selected.
[1172] 10-25 11:32:05:886: EAP-TLS will accept the  All-purpose cert
[1172] 10-25 11:32:05:886: EapTlsInitialize2: PEAP using All-purpose cert
[1172] 10-25 11:32:05:886: PEAP will accept the  All-purpose cert
[1172] 10-25 11:32:05:886: PeapGetIdentity returned the identity as host/ComputerAccount.domain.tld
[1172] 10-25 11:32:05:886: EAP-TLS using All-purpose cert
[1172] 10-25 11:32:05:886:  Self Signed Certificates will not be selected.
[1172] 10-25 11:32:05:886: EAP-TLS will accept the  All-purpose cert
[1172] 10-25 11:32:05:886: EapTlsInitialize2: PEAP using All-purpose cert
[1172] 10-25 11:32:05:886: PEAP will accept the  All-purpose cert
[1172] 10-25 11:32:05:886: EapPeapBegin
[1172] 10-25 11:32:05:886: EapPeapBegin - flags(0xa0)
[1172] 10-25 11:32:05:886: PeapReadConnectionData
[1172] 10-25 11:32:05:886: IsIdentityPrivacyInPeapConnPropValid
[1172] 10-25 11:32:05:886: PeapReadUserData
[1172] 10-25 11:32:05:886:
[1172] 10-25 11:32:05:886: EapTlsBegin(host/ComputerAccount.domain.tld)
[1172] 10-25 11:32:05:886: SetupMachineChangeNotification
[1172] 10-25 11:32:05:886: State change to Initial
[1172] 10-25 11:32:05:886: EapTlsBegin: Detected 8021X authentication
[1172] 10-25 11:32:05:886: EapTlsBegin: Detected PEAP authentication
[1172] 10-25 11:32:05:886: MaxTLSMessageLength is now 16384
[1172] 10-25 11:32:05:886: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1172] 10-25 11:32:05:886: Force IgnoreRevocationOffline on client
[1172] 10-25 11:32:05:886: CRYPT_E_REVOCATION_OFFLINE will be ignored
[1172] 10-25 11:32:05:886: The root cert will not be checked for revocation
[1172] 10-25 11:32:05:886: The cert will be checked for revocation
[1172] 10-25 11:32:05:886: Unable to read TLS version registry key, return code 2
[1172] 10-25 11:32:05:886: EapPeapBegin done
[1172] 10-25 11:32:05:886: EapPeapMakeMessage
[1172] 10-25 11:32:05:886: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:886: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:886: PEAP:PEAP_STATE_INITIAL
[1172] 10-25 11:32:05:886: EapTlsCMakeMessage, state(0) flags (0x5460)
[1172] 10-25 11:32:05:886: EapTlsReset
[1172] 10-25 11:32:05:886: State change to Initial
[1172] 10-25 11:32:05:886: EapGetCredentials
[1172] 10-25 11:32:05:886: Flag is Machine Auth and Store is local Machine
[1172] 10-25 11:32:05:886: GetCachedCredentials Flags = 0x5460
[1172] 10-25 11:32:05:886: FindNodeInCachedCredList, flags(0x5460), default cached creds(0), check thread token(0)
[1172] 10-25 11:32:05:886: pNode->dwCredFlags = 0x49
[1172] 10-25 11:32:05:886: No Cert Store.  Guest Access requested
[1172] 10-25 11:32:05:886: No Cert Name.  Guest access requested
[1172] 10-25 11:32:05:886: Will validate server cert
[1172] 10-25 11:32:05:886: MakeReplyMessage
[1172] 10-25 11:32:05:886: SecurityContextFunction
[1172] 10-25 11:32:05:886: InitializeSecurityContext returned 0x90312
[1172] 10-25 11:32:05:886: State change to SentHello
[1172] 10-25 11:32:05:886: BuildPacket
[1172] 10-25 11:32:05:886: << Sending Response (Code: 2) packet: Id: 4, Length: 109, Type: 13, TLS blob length: 99. Flags: L
[1172] 10-25 11:32:05:886: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:886: EapPeapMakeMessage done
[1172] 10-25 11:32:05:902: EapPeapMakeMessage
[1172] 10-25 11:32:05:902: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:902: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:902: PEAP:PEAP_STATE_TLS_INPROGRESS
[1172] 10-25 11:32:05:902: EapTlsCMakeMessage, state(2) flags (0x5400)
[1172] 10-25 11:32:05:902: MakeReplyMessage
[1172] 10-25 11:32:05:902: Reallocating input TLS blob buffer
[1172] 10-25 11:32:05:902: BuildPacket
[1172] 10-25 11:32:05:902: << Sending Response (Code: 2) packet: Id: 5, Length: 6, Type: 13, TLS blob length: 0. Flags:
[1172] 10-25 11:32:05:902: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:902: EapPeapMakeMessage done
[1172] 10-25 11:32:05:917: EapPeapMakeMessage
[1172] 10-25 11:32:05:917: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:917: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:917: PEAP:PEAP_STATE_TLS_INPROGRESS
[1172] 10-25 11:32:05:917: EapTlsCMakeMessage, state(2) flags (0x5410)
[1172] 10-25 11:32:05:917: MakeReplyMessage
[1172] 10-25 11:32:05:917: BuildPacket
[1172] 10-25 11:32:05:917: << Sending Response (Code: 2) packet: Id: 6, Length: 6, Type: 13, TLS blob length: 0. Flags:
[1172] 10-25 11:32:05:917: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:917: EapPeapMakeMessage done
[1172] 10-25 11:32:05:933: EapPeapMakeMessage
[1172] 10-25 11:32:05:933: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:933: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:933: PEAP:PEAP_STATE_TLS_INPROGRESS
[1172] 10-25 11:32:05:933: EapTlsCMakeMessage, state(2) flags (0x5410)
[1172] 10-25 11:32:05:933: MakeReplyMessage
[1172] 10-25 11:32:05:933: SecurityContextFunction
[1172] 10-25 11:32:05:933: InitializeSecurityContext returned 0x90312
[1172] 10-25 11:32:05:933: State change to SentFinished
[1172] 10-25 11:32:05:933: BuildPacket
[1172] 10-25 11:32:05:933: << Sending Response (Code: 2) packet: Id: 7, Length: 144, Type: 13, TLS blob length: 134. Flags: L
[1172] 10-25 11:32:05:933: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:933: EapPeapMakeMessage done
[1172] 10-25 11:32:05:949: EapPeapMakeMessage
[1172] 10-25 11:32:05:949: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:949: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:949: PEAP:PEAP_STATE_TLS_INPROGRESS
[1172] 10-25 11:32:05:949: EapTlsCMakeMessage, state(3) flags (0x5400)
[1172] 10-25 11:32:05:949: MakeReplyMessage
[1172] 10-25 11:32:05:949: SecurityContextFunction
[1172] 10-25 11:32:05:949: InitializeSecurityContext returned 0x0
[1172] 10-25 11:32:05:949: AuthenticateServer flags: 0x5400
[1172] 10-25 11:32:05:949: DwGetEKUUsage
[1172] 10-25 11:32:05:949: Number of EKUs on the cert are 1
[1172] 10-25 11:32:05:949: FCheckUsage: All-Purpose: 1
[1172] 10-25 11:32:05:949: Checking against the NTAuth store to verify the certificate chain.
[1172] 10-25 11:32:05:949: CertVerifyCertificateChainPolicy succeeded but returned 0x800b0112.Continuing with root hash matching.
[1172] 10-25 11:32:05:949: Root CA name: NameOfCa Authority
[1172] 10-25 11:32:05:949: Found Hash
[1172] 10-25 11:32:05:949: Server name: NameOfCa Authority
[1172] 10-25 11:32:05:949: Server name specified:
[1172] 10-25 11:32:05:949: Server name validation is disabled
[1172] 10-25 11:32:05:949: CreateMPPEKeyAttributes
[1172] 10-25 11:32:05:949: State change to RecdFinished
[1172] 10-25 11:32:05:949: BuildPacket
[1172] 10-25 11:32:05:949: << Sending Response (Code: 2) packet: Id: 8, Length: 6, Type: 13, TLS blob length: 0. Flags:
[1172] 10-25 11:32:05:949: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:949: EapPeapMakeMessage done
[1172] 10-25 11:32:05:949: EapPeapMakeMessage
[1172] 10-25 11:32:05:949: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:949: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:949: PEAP:PEAP_STATE_TLS_INPROGRESS
[1172] 10-25 11:32:05:949: EapTlsCMakeMessage, state(4) flags (0x5408)
[1172] 10-25 11:32:05:949: Negotiation successful
[1172] 10-25 11:32:05:949: SetCachedCredentials Flags = 0x5408
[1172] 10-25 11:32:05:949: AddNodeToCachedCredList, pEapTlsCb->fFlags(0x5408).
[1172] 10-25 11:32:05:949: FindNodeInCachedCredList, flags(0x5408), default cached creds(0), check thread token(0)
[1172] 10-25 11:32:05:949: pNode->dwCredFlags = 0x49
[1172] 10-25 11:32:05:949: GetNewCachedCredListNode
[1172] 10-25 11:32:05:949: Created a new EAPTLS_CACHED_CREDS,  pNode->dwCredFlags = 0x4a
[1172] 10-25 11:32:05:949: PeapGetTunnelProperties
[1172] 10-25 11:32:05:949: Successfully negotiated TLS with following parametersdwProtocol = 0x80, Cipher= 0x6610, CipherStrength=0x100, Hash=0x8004
[1172] 10-25 11:32:05:949: PeapGetTunnelProperties done
[1172] 10-25 11:32:05:949: GetTLSSessionCookie
[1172] 10-25 11:32:05:949: IsTLSSessionReconnect
[1172] 10-25 11:32:05:949: Full Tls authentication performed
[1172] 10-25 11:32:05:949: PEAP_STATE_FAST_ROAMING_IDENTITY_REQUEST
[1172] 10-25 11:32:05:949: PeapClientDecryptTunnelData
[1172] 10-25 11:32:05:949: IsDuplicatePacket
[1172] 10-25 11:32:05:949: PeapDecryptTunnelData dwSizeofData = 37, pData = 0x3e771a6
[1172] 10-25 11:32:05:949: Blob length 37
[1172] 10-25 11:32:05:949: PeapDecryptTunnelData completed with status 0x0
[1172] 10-25 11:32:05:949:  Buffer length is 5
[1172] 10-25 11:32:05:949: IsMsEapTlvPacket
[1172] 10-25 11:32:05:949: IsEapTLVInsidePEAP
[1172] 10-25 11:32:05:949: PeapEncryptTunnelData
[1172] 10-25 11:32:05:949: Blob length 69
[1172] 10-25 11:32:05:949: PeapEncryptTunnelData completed with status 0x0
[1172] 10-25 11:32:05:949: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:949: EapPeapMakeMessage done
[1172] 10-25 11:32:05:949: EapPeapMakeMessage
[1172] 10-25 11:32:05:949: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:949: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:949: PEAP:PEAP_STATE_IDENTITY_RESPONSE_SENT
[1172] 10-25 11:32:05:949: PeapClientDecryptTunnelData
[1172] 10-25 11:32:05:949: IsDuplicatePacket
[1172] 10-25 11:32:05:949: PeapDecryptTunnelData dwSizeofData = 85, pData = 0x5b288e6
[1172] 10-25 11:32:05:949: Blob length 85
[1172] 10-25 11:32:05:949: PeapDecryptTunnelData completed with status 0x0
[1172] 10-25 11:32:05:949:  Buffer length is 49
[1172] 10-25 11:32:05:949: IsMsEapTlvPacket
[1172] 10-25 11:32:05:949: IsEapTLVInsidePEAP
[1172] 10-25 11:32:05:949: PeapEncryptTunnelData
[1172] 10-25 11:32:05:949: Blob length 117
[1172] 10-25 11:32:05:949: PeapEncryptTunnelData completed with status 0x0
[1172] 10-25 11:32:05:949: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:949: EapPeapMakeMessage done
[1172] 10-25 11:32:05:964: EapPeapMakeMessage
[1172] 10-25 11:32:05:964: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:964: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:964: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[1172] 10-25 11:32:05:964: PeapClientDecryptTunnelData
[1172] 10-25 11:32:05:964: IsDuplicatePacket
[1172] 10-25 11:32:05:964: PeapDecryptTunnelData dwSizeofData = 37, pData = 0x3e6f816
[1172] 10-25 11:32:05:964: Blob length 37
[1172] 10-25 11:32:05:964: PeapDecryptTunnelData completed with status 0x0
[1172] 10-25 11:32:05:964:  Buffer length is 11
[1172] 10-25 11:32:05:964: IsEapTLVInsidePEAP
[1172] 10-25 11:32:05:964: IsEapTLVInsidePEAP returned true
[1172] 10-25 11:32:05:964: CheckForUnsupportedMandatoryTLV
[1172] 10-25 11:32:05:964: GetPEAPTLVStatusMessageValue
[1172] 10-25 11:32:05:964: Found a result TLV 2
[1172] 10-25 11:32:05:964: PeapSetTypeUserAttributes
[1172] 10-25 11:32:05:964: Sending PEAP_Failure
[1172] 10-25 11:32:05:964: CreatePEAPTLVStatusMessage
[1172] 10-25 11:32:05:964: PeapEncryptTunnelData
[1172] 10-25 11:32:05:964: Blob length 37
[1172] 10-25 11:32:05:964: PeapEncryptTunnelData completed with status 0x0
[1172] 10-25 11:32:05:964: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:964: EapPeapMakeMessage done
[1172] 10-25 11:32:06:963: EapPeapMakeMessage
[1172] 10-25 11:32:06:963: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:06:963: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:06:963: PEAP:PEAP_STATE_PEAP_FAIL_SEND
[1172] 10-25 11:32:06:963: SetTLSFastReconnect
[1172] 10-25 11:32:06:963: IsTLSSessionReconnect
[1172] 10-25 11:32:06:963: Full Tls authentication performed
[1172] 10-25 11:32:06:963: The session is not setup for fast reconnects.  No need to disable.
[1172] 10-25 11:32:06:963: RasEapAuthAttributeRemove: received NULL attributeArray, returning
[1172] 10-25 11:32:06:963: FreeCachedCredentials
[1172] 10-25 11:32:06:963: FindNodeInCachedCredList, flags(0x5408), default cached creds(0), check thread token(0)
[1172] 10-25 11:32:06:963: pNode->dwCredFlags = 0x4a
[1172] 10-25 11:32:06:963: RemoveNodeFromCachedCredList.
[1172] 10-25 11:32:06:963: RasAuthAttributeConcat
[1172] 10-25 11:32:06:963: EapPeapCMakeMessage done
[1172] 10-25 11:32:06:963: EapPeapMakeMessage done
[1172] 10-25 11:32:06:963: EapPeapEnd
[1172] 10-25 11:32:06:963: EapTlsEnd
[1172] 10-25 11:32:06:963: EapTlsEnd(host/ComputerAccount.domain.tld)
[1172] 10-25 11:32:06:963: EapPeapEnd done
[5260] 10-25 11:32:10:847: EAP-TLS using All-purpose cert
[5260] 10-25 11:32:10:847:  Self Signed Certificates will not be selected.
[5260] 10-25 11:32:10:847: EAP-TLS will accept the  All-purpose cert
[5260] 10-25 11:32:10:847: EapTlsInitialize2: PEAP using All-purpose cert
[5260] 10-25 11:32:10:847: PEAP will accept the  All-purpose cert
[5260] 10-25 11:32:10:847: EapTlsInvokeIdentityUI
[5260] 10-25 11:32:10:847: GetCertInfo flags: 0xa2
[5260] 10-25 11:32:10:847: GetDefaultClientMachineCert
[5260] 10-25 11:32:10:847: FCheckTimeValidity
[5260] 10-25 11:32:10:847: FCheckUsage: All-Purpose: 1
[5260] 10-25 11:32:10:847: DwGetEKUUsage
[5260] 10-25 11:32:10:847: Number of EKUs on the cert are 2
[5260] 10-25 11:32:10:847: Cert do have CDP but do not have AIA OCSP extension
[5260] 10-25 11:32:10:847: Found Machine Cert based on machinename, client auth, time validity.
[5260] 10-25 11:32:10:847: GetDefaultClientMachineCert done.
[5260] 10-25 11:32:10:847: Got the default Machine Cert
[5260] 10-25 11:32:10:847: Successfully got certificate. Hash follows
[5260] 11:32:10:847: 83 C5 4B C6 EA CF 5D 36 11 C9 CC 27 F5 AA 89 E5 |..K...]6...'....|
[5260] 11:32:10:847: 28 C0 5F A4 00 00 00 00 00 00 00 00 00 00 00 00 |(._.............|
[5260] 10-25 11:32:10:847: EAP-TLS using All-purpose cert
[5260] 10-25 11:32:10:847:  Self Signed Certificates will not be selected.
[5260] 10-25 11:32:10:847: EAP-TLS will accept the  All-purpose cert
[5260] 10-25 11:32:10:847: EapTlsInitialize2: PEAP using All-purpose cert
[5260] 10-25 11:32:10:847: PEAP will accept the  All-purpose cert
[5260] 10-25 11:32:10:847: EAP-TLS using All-purpose cert
[5260] 10-25 11:32:10:847:  Self Signed Certificates will not be selected.
[5260] 10-25 11:32:10:847: EAP-TLS will accept the  All-purpose cert
[5260] 10-25 11:32:10:847: EapTlsInitialize2: PEAP using All-purpose cert
[5260] 10-25 11:32:10:847: PEAP will accept the  All-purpose cert
[5260] 10-25 11:32:10:847: EapTlsInvokeIdentityUI
[5260] 10-25 11:32:10:847: GetCertInfo flags: 0xa2
[5260] 10-25 11:32:10:847: GetDefaultClientMachineCert
[5260] 10-25 11:32:10:847: FCheckTimeValidity
[5260] 10-25 11:32:10:847: FCheckUsage: All-Purpose: 1
[5260] 10-25 11:32:10:847: DwGetEKUUsage
[5260] 10-25 11:32:10:847: Number of EKUs on the cert are 2
[5260] 10-25 11:32:10:847: Cert do have CDP but do not have AIA OCSP extension
[5260] 10-25 11:32:10:847: Found Machine Cert based on machinename, client auth, time validity.
[5260] 10-25 11:32:10:847: GetDefaultClientMachineCert done.
[5260] 10-25 11:32:10:847: Got the default Machine Cert
[5260] 10-25 11:32:10:847: Successfully got certificate. Hash follows
[5260] 11:32:10:847: 83 C5 4B C6 EA CF 5D 36 11 C9 CC 27 F5 AA 89 E5 |..K...]6...'....|
[5260] 11:32:10:847: 28 C0 5F A4 00 00 00 00 00 00 00 00 00 00 00 00 |(._.............|
[5260] 10-25 11:32:10:847: EAP-TLS using All-purpose cert
[5260] 10-25 11:32:10:847:  Self Signed Certificates will not be selected.
[5260] 10-25 11:32:10:847: EAP-TLS will accept the  All-purpose cert
[5260] 10-25 11:32:10:847: EapTlsInitialize2: PEAP using All-purpose cert
[5260] 10-25 11:32:10:847: PEAP will accept the  All-purpose cert
[5260] 10-25 11:32:14:950: EAP-TLS using All-purpose cert
[5260] 10-25 11:32:14:950:  Self Signed Certificates will not be selected.
[5260] 10-25 11:32:14:950: EAP-TLS will accept the  All-purpose cert
[5260] 10-25 11:32:14:950: EapTlsInitialize2: PEAP using All-purpose cert
[5260] 10-25 11:32:14:950: PEAP will accept the  All-purpose cert
[5260] 10-25 11:32:14:950: EapTlsInvokeIdentityUI
[5260] 10-25 11:32:14:950: GetCertInfo flags: 0xa2
[5260] 10-25 11:32:14:950: GetDefaultClientMachineCert
[5260] 10-25 11:32:14:950: FCheckTimeValidity
[5260] 10-25 11:32:14:950: FCheckUsage: All-Purpose: 1
[5260] 10-25 11:32:14:950: DwGetEKUUsage
[5260] 10-25 11:32:14:950: Number of EKUs on the cert are 2
[5260] 10-25 11:32:14:950: Cert do have CDP but do not have AIA OCSP extension
[5260] 10-25 11:32:14:950: Found Machine Cert based on machinename, client auth, time validity.
[5260] 10-25 11:32:14:950: GetDefaultClientMachineCert done.
[5260] 10-25 11:32:14:950: Got the default Machine Cert
[5260] 10-25 11:32:14:950: Successfully got certificate. Hash follows
[5260] 11:32:14:950: 83 C5 4B C6 EA CF 5D 36 11 C9 CC 27 F5 AA 89 E5 |..K...]6...'....|
[5260] 11:32:14:950: 28 C0 5F A4 00 00 00 00 00 00 00 00 00 00 00 00 |(._.............|
[5260] 10-25 11:32:14:950: EAP-TLS using All-purpose cert
[5260] 10-25 11:32:14:950:  Self Signed Certificates will not be selected.
[5260] 10-25 11:32:14:950: EAP-TLS will accept the  All-purpose cert
[5260] 10-25 11:32:14:950: EapTlsInitialize2: PEAP using All-purpose cert
[5260] 10-25 11:32:14:950: PEAP will accept the  All-purpose cert
[1172] 10-25 11:32:14:950: EAP-TLS using All-purpose cert
[1172] 10-25 11:32:14:950:  Self Signed Certificates will not be selected.
[1172] 10-25 11:32:14:950: EAP-TLS will accept the  All-purpose cert
[1172] 10-25 11:32:14:950: EapTlsInitialize2: PEAP using All-purpose cert
[1172] 10-25 11:32:14:950: PEAP will accept the  All-purpose cert
[1172] 10-25 11:32:14:950: EapTlsInvokeIdentityUI
[1172] 10-25 11:32:14:950: GetCertInfo flags: 0xa2
[1172] 10-25 11:32:14:950: GetDefaultClientMachineCert
[1172] 10-25 11:32:14:950: FCheckTimeValidity
[1172] 10-25 11:32:14:950: FCheckUsage: All-Purpose: 1
[1172] 10-25 11:32:14:950: DwGetEKUUsage
[1172] 10-25 11:32:14:950: Number of EKUs on the cert are 2
[1172] 10-25 11:32:14:950: Cert do have CDP but do not have AIA OCSP extension
[1172] 10-25 11:32:14:950: Found Machine Cert based on machinename, client auth, time validity.
[1172] 10-25 11:32:14:950: GetDefaultClientMachineCert done.
[1172] 10-25 11:32:14:950: Got the default Machine Cert
[1172] 10-25 11:32:14:950: Successfully got certificate. Hash follows
[1172] 11:32:14:950: 83 C5 4B C6 EA CF 5D 36 11 C9 CC 27 F5 AA 89 E5 |..K...]6...'....|
[1172] 11:32:14:950: 28 C0 5F A4 00 00 00 00 00 00 00 00 00 00 00 00 |(._.............|
[1172] 10-25 11:32:14:950: EAP-TLS using All-purpose cert
[1172] 10-25 11:32:14:950:  Self Signed Certificates will not be selected.
[1172] 10-25 11:32:14:950: EAP-TLS will accept the  All-purpose cert
[1172] 10-25 11:32:14:950: EapTlsInitialize2: PEAP using All-purpose cert
[1172] 10-25 11:32:14:950: PEAP will accept the  All-purpose cert

Thanks to everyone who has ideas ;-)

Regards,
Frank
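One way to triage a client trace like the one above, as an added example that is not part of the original post and not Microsoft tooling: a parser over a trimmed excerpt of the posted lines (embedded as constructed sample input) that pulls out the identity, the tunnel type, the credential store, the server-certificate checks and the PEAP Result TLV. The line format, message strings and TLV meanings (1 = Success, 2 = Failure) are taken from the trace itself.

```python
"""Triage helper for a Windows EAP client trace such as the one posted above.

Added example, not Microsoft tooling: the line format, message strings and the
PEAP Result TLV values (1 = Success, 2 = Failure) are taken from the trace itself.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "[thread] MM-DD HH:MM:SS:mmm: message"; the date is missing on the hex-dump lines.
LINE_RE = re.compile(r"^\[(\d+)\]\s+(?:\d\d-\d\d\s+)?\d\d:\d\d:\d\d:\d\d\d:\s*(.*)$")
BEGIN_RE = re.compile(r"EapTlsBegin\((.+)\)")
METHOD_RE = re.compile(r"Detected (\S+) authentication")
EKU_RE = re.compile(r"Number of EKUs on the cert are (\d+)")
ROOT_RE = re.compile(r"Root CA name: (.+)")
RESULT_RE = re.compile(r"Found a result TLV (\d+)")


@dataclass
class EapAttempt:
    thread: str
    identity: Optional[str] = None          # from EapTlsBegin(<identity>)
    methods: List[str] = field(default_factory=list)
    machine_auth: bool = False              # "Flag is Machine Auth ..."
    server_name_validation: bool = True     # cleared by "Server name validation is disabled"
    server_eku_count: Optional[int] = None  # EKUs on the RADIUS server's certificate
    root_ca: Optional[str] = None
    result_tlv: Optional[int] = None        # PEAP Result TLV: 1 success, 2 failure
    in_server_auth: bool = False            # parser state, set after "AuthenticateServer"


def parse_eap_trace(text: str) -> Dict[str, EapAttempt]:
    """Group trace lines by thread id and extract the facts that decide an attempt."""
    attempts: Dict[str, EapAttempt] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        a = attempts.setdefault(m.group(1), EapAttempt(m.group(1)))
        msg = m.group(2)
        if (mm := BEGIN_RE.search(msg)):
            a.identity = mm.group(1)
        elif (mm := METHOD_RE.search(msg)):
            a.methods.append(mm.group(1))
        elif msg.startswith("Flag is Machine Auth"):
            a.machine_auth = True
        elif msg.startswith("AuthenticateServer"):
            a.in_server_auth = True   # EKU lines that follow describe the server certificate
        elif (mm := EKU_RE.search(msg)) and a.in_server_auth and a.server_eku_count is None:
            a.server_eku_count = int(mm.group(1))
        elif (mm := ROOT_RE.search(msg)):
            a.root_ca = mm.group(1).strip()
        elif msg.startswith("Server name validation is disabled"):
            a.server_name_validation = False
        elif (mm := RESULT_RE.search(msg)):
            a.result_tlv = int(mm.group(1))
    return attempts


def findings(a: EapAttempt) -> List[str]:
    """Review notes for one attempt, each backed by a line the parser saw."""
    out: List[str] = []
    if "PEAP" in a.methods:
        out.append("PEAP tunnel detected: the certificate method runs as PEAP's inner method")
    if a.machine_auth and a.identity:
        out.append(f"machine authentication from the computer store as {a.identity}")
    if not a.server_name_validation:
        root = f" '{a.root_ca}'" if a.root_ca else ""
        out.append("server name validation is disabled: any server certificate chaining "
                   f"to the trusted root{root} is accepted; pin the server names in the profile")
    if a.result_tlv == 2:
        out.append("Result TLV 2 = Failure: the RADIUS server rejected the inner authentication; "
                   "check the server-side NPS audit events for the reason code")
    elif a.result_tlv == 1:
        out.append("Result TLV 1 = Success")
    return out


# Constructed sample: a trimmed excerpt of the trace posted above.
SAMPLE_TRACE = """\
[1172] 10-25 11:32:05:886: EapTlsBegin(host/ComputerAccount.domain.tld)
[1172] 10-25 11:32:05:886: EapTlsBegin: Detected 8021X authentication
[1172] 10-25 11:32:05:886: EapTlsBegin: Detected PEAP authentication
[1172] 10-25 11:32:05:886: Flag is Machine Auth and Store is local Machine
[1172] 10-25 11:32:05:949: AuthenticateServer flags: 0x5400
[1172] 10-25 11:32:05:949: Number of EKUs on the cert are 1
[1172] 10-25 11:32:05:949: Root CA name: NameOfCa Authority
[1172] 10-25 11:32:05:949: Server name validation is disabled
[1172] 10-25 11:32:05:964: Found a result TLV 2
[1172] 10-25 11:32:05:964: Sending PEAP_Failure
[5260] 10-25 11:32:10:847: Number of EKUs on the cert are 2
[5260] 10-25 11:32:10:847: Found Machine Cert based on machinename, client auth, time validity.
"""

if __name__ == "__main__":
    for thread, attempt in parse_eap_trace(SAMPLE_TRACE).items():
        print(f"thread {thread}: {attempt.identity or '(no EapTlsBegin)'}")
        for note in findings(attempt):
            print("  -", note)
```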

Extension Host failed to load extension DLL


Hi Everyone,

I am new to NPS. I am using Windows Server 2008 R2. I have developed an Authentication Extension DLL which is basically an MFC Extension DLL for custom authentication in NPS. (http://msdn.microsoft.com/en-us/library/windows/desktop/bb892024(v=vs.85).aspx)

Now, to apply this Extension DLL at NPS I have used the following steps:

  1. I have put that DLL in %System Root%\System32\radius.dll folder.
  2. I have created the HKLM\System\CurrentControlSet\Services\AuthSrv\Parameters\ registry key and set the path of the DLL as described here: http://msdn.microsoft.com/en-us/library/windows/desktop/bb892024(v=vs.85).aspx

Now, when I restart the NPS server I get the following error:

"Extension Host is failed to load DLL.Path %System Root%\System32\radius.dll".

How do I return the normalised, inner identity of a user in the User-Name AVP of an Access-Accept?


Is it possible to configure NPS to return the normalised, inner identity of a client in the User-Name AVP of an Access-Accept to cope with anonymous outer identities?

Where 802.1X authentication takes place and an anonymous outer identity is used (meaning that it differs from the inner identity) with a TLS based EAP, such as PEAP, it should be possible to return the inner identity in the Access-Accept so that the NAS has the ability to work with the 'real' identity of the user. Can NPS do this? How would this be configured?

The User-Name AVP of an Access-Accept also provides a RADIUS server the ability to return a user's identity normalised. (For example, where domain\user is supplied by a user, the RADIUS server can always respond with user@fqdn.) Can NPS do this? How would this be configured?

Increasing numbers of features are being implemented in switches and access points, such as L7 application visibility and control, so it is a significant operational concern that such devices work with an accurate identity, one that cannot be spoofed with an anonymous outer identity and is consistent for a discrete user.

If this is not possible today, how would one go about making a design change request to Microsoft to accomplish this or talk to the development team? Is this an oversight? Competing RADIUS servers such as FreeRADIUS and Radiator have this ability when configured.

For reference, this is RADIUS standard behaviour.

RFC 2865 states in Section 5.1:

[The User-Name AVP] MAY be sent in an Access-Accept packet, in which case the client SHOULD use the name returned in the Access-Accept packet in all Accounting-Request packets for this session.

RFC 3579 states in Section 3:

The User-Name attribute within the Access-Accept packet need not be the same as the User-Name attribute in the Access-Request.

Furthermore, where federated authentication has taken place, such as in eduroam, and a User-Name AVP has not been returned in the Access-Accept yet a Chargeable-User-Identity has after being requested, it should be possible to configure the RADIUS implementation to add a User-Name AVP set to cui@realm to the Access-Accept it sends on to the NAS so that it gets an identity that identifies the user with a constant identifier.

Is support for Chargeable-User-Identity (RFC 4372) ever planned for NPS?

See:

https://community.ja.net/library/janet-services-documentation/chargeable-user-identity-eduroam-freeradius-implementation

Thanks!

Nick
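The packet-level shape of what the post asks for, as an added example that is neither NPS code nor from the post: a minimal RADIUS Access-Accept builder that carries the normalised inner identity in User-Name (type 1) and, where only a CUI (type 89) came back from a federated home server, cui@realm instead, with the Response Authenticator of RFC 2865 section 3 so the NAS can check the reply before trusting the identity. The shared secret, request authenticator and domain-to-realm table are constructed values.

```python
"""RADIUS Access-Accept carrying a normalised identity (RFC 2865 s5.1, RFC 4372).

Added example, not NPS or FreeRADIUS code: it shows the packet the post asks the
RADIUS server to emit. Shared secret, request authenticator and realm table are
constructed values.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1                  # RFC 2865 s5.1
ATTR_CHARGEABLE_USER_IDENTITY = 89  # RFC 4372 s2.2


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier: int, request_authenticator: bytes, secret: bytes,
                        attrs: List[Tuple[int, bytes]]) -> bytes:
    """Code(1) Identifier(1) Length(2) ResponseAuth(16) Attributes, per RFC 2865 s3."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_response_authenticator(packet: bytes, request_authenticator: bytes,
                                  secret: bytes) -> bool:
    """What a NAS does before trusting the User-Name it was handed back."""
    header, given, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(given, expected)


def parse_attrs(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list; reject lengths that would run past the packet."""
    out: List[Tuple[int, bytes]] = []
    i = 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((t, packet[i + 2:i + length]))
        i += length
    return out


def normalise_identity(inner: str, realm_for_domain: Dict[str, str]) -> str:
    """domain\\user -> user@fqdn via a domain-to-realm table; user@realm is kept as is."""
    if "\\" in inner:
        domain, user = inner.split("\\", 1)
        return f"{user}@{realm_for_domain[domain.lower()]}"
    return inner


def accept_with_identity(identifier: int, request_authenticator: bytes, secret: bytes,
                         inner_identity: Optional[str], realm_for_domain: Dict[str, str],
                         cui: Optional[str] = None, cui_realm: Optional[str] = None) -> bytes:
    """Access-Accept whose User-Name is the normalised inner identity (the outer
    identity may have been anonymous), or cui@realm when only a CUI came back
    from a federated home server."""
    if inner_identity is not None:
        name = normalise_identity(inner_identity, realm_for_domain)
    elif cui is not None and cui_realm:
        name = f"{cui}@{cui_realm}"
    else:
        raise ValueError("no identity available to return")
    attrs = [(ATTR_USER_NAME, name.encode("utf-8"))]
    if cui is not None:
        attrs.append((ATTR_CHARGEABLE_USER_IDENTITY, cui.encode("utf-8")))
    return build_access_accept(identifier, request_authenticator, secret, attrs)


# Constructed values for a stand-alone run.
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"
REALMS = {"corp": "corp.example.org"}

if __name__ == "__main__":
    pkt = accept_with_identity(7, REQUEST_AUTH, SECRET, "CORP\\alice", REALMS)
    print(pkt.hex())
    print(verify_response_authenticator(pkt, REQUEST_AUTH, SECRET), dict(parse_attrs(pkt)))
```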

NPS UserName check and replace


I have this configured on my "NPS as RADIUS proxy" when checking UserName:

"^wcoast\\|@wcoast\.microsoft\.com$"

Is there a way to check for something like this "@wcoast$"?

I have tried:

1. "^wcoast\\|@wcoast$|@wcoast\.microsoft\.com$" + Replace "@wcoast$" with nothing

2. "^wcoast\\|@wcoast$|@wcoast\.microsoft\.com$" + Replace "@wcoast$" with "@wcoast.microsoft.com"

3. "^wcoast\\|@wcoast$|@wcoast\.microsoft\.com$" + Replace "@wcoast" with "@wcoast.microsoft.com"

All have failed.

NPS not sending RADIUS accounting messages


I've been going back and forth on this off and on for a few weeks. I have a SonicWALL that can do SSO based on RADIUS accounting messages. I set it up as a member in the "Remote RADIUS server groups" and set the connection request policies to enable forwarding of accounting messages to said group. No matter what I try, there is no traffic at all on UDP/1813 as set, as confirmed with Wireshark. I've looked at many guides for setting this up and they all seem to be telling me to set things up in the exact way I have (I think). I have tried on Server 2008, 2012 R2 and 2016.

Any suggestions?

Different DHCP Scope from Different SSID


Setup:

  • 2 SSIDs: Official and Guest
  • 1 DHCP Server with 2 scopes: Scope A (10.0.0.0) and Scope B (172.10.0.0)

Requirements:

When a user connects to Official SSID, they are issued an IP from Scope A. When a user connects to Guest SSID, they are issued an IP from Scope B.

How can I implement this?

NPS as a RADIUS server, the network policies are sometimes not enforced


Hi All,

I have configured an NPS server on a Windows Server 2012 R2 OS; the RADIUS client is a Cisco hardware VPN device.
There is a custom NPS extension registered for some extra authentication (two-step authentication).
There are two types of authentication method:

1. The user submits two passwords in the form "active directory password" + "some extra password", like
"password1_password2". The NPS extension splits and checks both passwords, and NPS itself authorizes the user
using the network policy; both work fine. Two security events are logged in the Windows event log:
the first event (ID 6272) shows Network Policy Server granted access to a user.
the second event (ID 6278) shows Network Policy Server granted full access to a user because the host met the defined health policy.
In both events I can see that the Authentication Details show the Proxy Policy Name and the Network Policy Name.

2. The user submits the first "active directory password" to NPS, the NPS extension checks the password and returns a RADIUS challenge message to the RADIUS client, then the user submits the second "some extra password" to NPS, and the NPS extension checks the second password.
The problem is: when the authentication process completes, NPS bypasses the authorization (network policy) process and directly grants access to the network.
Only one security event is logged in the Windows event log:
event (ID 6272) shows Network Policy Server granted access to a user.
This event shows only the Proxy Policy Name; the Network Policy Name is "-".

Because the NPS extension is only registered for authentication and it works fine, I think this is not a development-related question.
I am not very familiar with NPS; maybe I have made some wrong configuration.

Thanks for your help.

=======================================

Below are the policies; values that I did not mention all use the default:

Create a new connection request policy:
add a condition -- NAS Port Type = Virtual (VPN);

Create a new network policy:
add a condition -- Windows Group = contoso\vpn_access_group;
Authentication Method -- only unencrypted authentication (PAP, SPAP) checked

Server 2012 R2 VPN Issue - Can't connect to Internal network


Hi,

I have set up PPTP VPN on Server 2012 R2; however, I cannot access the internal network from outside. I can connect to the VPN without any issues but can't access the internal network. I cannot ping the DNS server or any internal network machines.

I get an IP from the VPN server, but can't ping any internal IP or the internet once connected.

Also, I cannot ping the VPN-connected IP from the server.

Any suggestions?

Regards,

Mitesh Sudan

Problem with 802.1x printers authentication


Hello.

I have a problem with my MS Windows Server 2008 R2 with the Network Policy and Access Services role installed.

All PCs in my network are authorized by this server and everything is fine, but I have a problem with authenticating MFPs and printers (HP and Kyocera).

I created users for the printers and a network policy to assign them to the proper VLAN using PEAP (EAP-MS-CHAP-v2) authentication. After specifying the domain username and password at the printer, I set the port on my switch into authentication mode, but the server told me that there is an error with code 23 - "An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors". There is the same error for all printers in my LAN.

There is a CA server in my network, and the certificate for the NPS server was issued by it. I tried to install the certificate of this CA (and of the NPS server) on the printers, but it makes no difference.

In IASSAM.log there are the following messages about the authentication attempts:

[5140] 11-04 12:49:39:877: NT-SAM Names handler received request with user identity PRINTERUSER@DOMAINNAME
[5140] 11-04 12:49:39:877: Successfully cracked username.
[5140] 11-04 12:49:39:877: SAM-Account-Name is "DOMAINNAME\PRINTERUSER".
[5140] 11-04 12:49:39:877: Successfully created new RAP Based EAP session for user DOMAINNAME\PRINTERUSER
[5140] 11-04 12:49:39:877: No AUTHENTICATION extensions, continuing
[5140] 11-04 12:49:39:877: NT-SAM Authentication handler received request for DOMAINNAME\PRINTERUSER
[5140] 11-04 12:49:39:877: Validating windows user account DOMAINNAME\PRINTERUSER
[5140] 11-04 12:49:39:877: Sending LDAP search to dc.DOMAINNAME.
[5140] 11-04 12:49:39:877: Successfully validated windows account DOMAINNAME\PRINTERUSER
[5140] 11-04 12:49:39:877: NT-SAM User Authorization handler received request for DOMAINNAME\PRINTERUSER
[5140] 11-04 12:49:39:877: Using native-mode dial-in parameters.
[5140] 11-04 12:49:39:877: Sending LDAP search to dc.DOMAINNAME.
[5140] 11-04 12:49:39:877: Successfully retrieved per-user attributes.
[5140] 11-04 12:49:39:877: Allowed EAP type: 25
[5140] 11-04 12:49:39:877: Allowed EAP type: 26
[5140] 11-04 12:49:39:877: Succesfully created EAP Host session with session id 1218224
[5140] 11-04 12:49:39:877: Processing output from EAP: action:1
[5140] 11-04 12:49:39:877: Inserting outbound EAP-Message of length 6.
[5140] 11-04 12:49:39:877: Issuing Access-Challenge.
[5140] 11-04 12:49:39:877: No AUTHORIZATION extensions, continuing
[7224] 11-04 12:49:39:924: Successfully retrieved session (1218224) for user DOMAINNAME\PRINTERUSER
[7224] 11-04 12:49:39:924: No AUTHENTICATION extensions, continuing
[7224] 11-04 12:49:39:924: Processing output from EAP: action:1
[7224] 11-04 12:49:39:924: Inserting outbound EAP-Message of length 1462.
[7224] 11-04 12:49:39:924: Issuing Access-Challenge.
[7224] 11-04 12:49:39:924: No AUTHORIZATION extensions, continuing
[5140] 11-04 12:49:39:955: Successfully retrieved session (1218224) for user DOMAINNAME\PRINTERUSER
[5140] 11-04 12:49:39:955: No AUTHENTICATION extensions, continuing
[5140] 11-04 12:49:39:955: Processing output from EAP: action:1
[5140] 11-04 12:49:39:955: Inserting outbound EAP-Message of length 1325.
[5140] 11-04 12:49:39:955: Issuing Access-Challenge.
[5140] 11-04 12:49:39:955: No AUTHORIZATION extensions, continuing
[7224] 11-04 12:49:39:986: Successfully retrieved session (1218224) for user DOMAINNAME\PRINTERUSER
[7224] 11-04 12:49:39:986: No AUTHENTICATION extensions, continuing
[7224] 11-04 12:49:39:986: Processing output from EAP: action:2
[7224] 11-04 12:49:39:986: Translating attributes returned by EAPHost.
[7224] 11-04 12:49:39:986: EAP authentication failed.
[7224] 11-04 12:49:39:986: No AUTHORIZATION extensions, continuing
[7224] 11-04 12:49:39:986: Inserting outbound EAP-Message of length 4.


Can anybody explain what I need to do to make my printers authenticate with the NPS server?
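To triage a failure like this from IASSAM.log without reading every line, here is a small parser (an added example, not part of the original thread and not an NPS tool) that groups the lines by EAP Host session and applies a heuristic of mine: when the failure comes after only a few Access-Challenges, one of which carried a large fragment (the server's certificate chain), the peer abandoned the TLS handshake before any credentials were exchanged, so trust of the NPS certificate on the supplicant is the first thing to check. The sample log is constructed from the excerpt above; the `diagnose` rule is an assumption of this example, not an NPS-defined classification.

```python
import re

# Constructed sample modelled on the IASSAM.log excerpt above (not a real capture)
SAMPLE_LOG = r"""
[5140] 11-04 12:49:39:877: NT-SAM Names handler received request with user identity PRINTERUSER@DOMAINNAME
[5140] 11-04 12:49:39:877: Successfully validated windows account DOMAINNAME\PRINTERUSER
[5140] 11-04 12:49:39:877: Allowed EAP type: 25
[5140] 11-04 12:49:39:877: Allowed EAP type: 26
[5140] 11-04 12:49:39:877: Succesfully created EAP Host session with session id 1218224
[5140] 11-04 12:49:39:877: Inserting outbound EAP-Message of length 6.
[5140] 11-04 12:49:39:877: Issuing Access-Challenge.
[7224] 11-04 12:49:39:924: Successfully retrieved session (1218224) for user DOMAINNAME\PRINTERUSER
[7224] 11-04 12:49:39:924: Inserting outbound EAP-Message of length 1462.
[7224] 11-04 12:49:39:924: Issuing Access-Challenge.
[5140] 11-04 12:49:39:955: Successfully retrieved session (1218224) for user DOMAINNAME\PRINTERUSER
[5140] 11-04 12:49:39:955: Inserting outbound EAP-Message of length 1325.
[5140] 11-04 12:49:39:955: Issuing Access-Challenge.
[7224] 11-04 12:49:39:986: Successfully retrieved session (1218224) for user DOMAINNAME\PRINTERUSER
[7224] 11-04 12:49:39:986: EAP authentication failed.
[7224] 11-04 12:49:39:986: Inserting outbound EAP-Message of length 4.
"""

# Line shape used by IASSAM.log: "[thread] MM-DD HH:MM:SS:mmm: message"
LINE_RE = re.compile(r"^\[(\d+)\] (\d\d-\d\d \d\d:\d\d:\d\d:\d+): (.*)$")
USER_RE = re.compile(r"validated windows account (\S+)")
EAP_TYPE_RE = re.compile(r"Allowed EAP type: (\d+)")
SESSION_NEW_RE = re.compile(r"created EAP Host session with session id (\d+)")
SESSION_GET_RE = re.compile(r"retrieved session \((\d+)\) for user (\S+)")
OUT_LEN_RE = re.compile(r"outbound EAP-Message of length (\d+)")
EAP_TYPE_NAMES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}  # IANA EAP method numbers


def _new_session(user, eap_types, ts):
    return {"user": user, "eap_types": list(eap_types), "first_seen": ts, "last_seen": ts,
            "challenges": 0, "fragments": [], "outcome": "incomplete"}


def parse_iassam(text):
    """Group IASSAM.log lines into per-session summaries keyed by EAP Host session id.

    Worker threads interleave, so state is kept per thread id: the account name and the
    allowed EAP types are logged before the session id exists, and every later line on a
    thread belongs to the session that thread most recently created or retrieved.
    """
    sessions, thread_session, pending = {}, {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, ts, msg = m.groups()
        pend = pending.setdefault(thread, {"user": None, "eap_types": []})
        if (u := USER_RE.search(msg)):
            pend["user"] = u.group(1)
        elif (t := EAP_TYPE_RE.search(msg)):
            pend["eap_types"].append(int(t.group(1)))
        elif (n := SESSION_NEW_RE.search(msg)):
            sessions[n.group(1)] = _new_session(pend["user"], pend["eap_types"], ts)
            thread_session[thread] = n.group(1)
            pending[thread] = {"user": None, "eap_types": []}
        elif (g := SESSION_GET_RE.search(msg)):
            thread_session[thread] = g.group(1)
            sessions.setdefault(g.group(1), _new_session(g.group(2), [], ts))["last_seen"] = ts
        elif (sid := thread_session.get(thread)) is not None:
            s = sessions[sid]
            s["last_seen"] = ts
            if "Issuing Access-Challenge" in msg:
                s["challenges"] += 1
            elif (o := OUT_LEN_RE.search(msg)):
                s["fragments"].append(int(o.group(1)))
            elif "EAP authentication failed" in msg:
                s["outcome"] = "failed"
    return sessions


def diagnose(session):
    """Heuristic of this example (not an NPS rule): a failure after only a few challenges,
    at least one carrying a large fragment (the server certificate chain), means the peer
    never got past the TLS handshake, so supplicant trust of the NPS certificate / issuing
    CA is the first thing to check. Otherwise the tunnel was built and the inner method
    (credentials, account restrictions, policy) rejected the request."""
    if session["outcome"] != "failed":
        return "no-failure"
    if max(session["fragments"], default=0) >= 1000 and session["challenges"] <= 4:
        return "tls-handshake"
    return "inner-method"


def report(text):
    """One line per session: id, account, allowed methods, challenges, outcome, diagnosis."""
    out = []
    for sid, s in parse_iassam(text).items():
        methods = ",".join(EAP_TYPE_NAMES.get(t, f"type{t}") for t in s["eap_types"])
        out.append(f"session {sid} user={s['user']} methods=[{methods}] "
                   f"challenges={s['challenges']} outcome={s['outcome']} diagnosis={diagnose(s)}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the real file (`report(open("IASSAM.log").read())`) the output is one line per session, which makes it easy to see whether every printer fails at the same stage; an "inner-method" result would instead point at the account or the password stored on the printer.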




Event ID 4625 Null SID Guest account currently disabled


Hi, I'm seeing several Audit failures with the event information below. The system is Windows Server 2008 R2 in a virtual environment. Basically the event states that the Guest account tried to access Windows Explorer and the user account is disabled. The system is in test at the moment and I'm the only one accessing the machine. The Guest account is disabled, but I'm trying to figure out why there are login attempts.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/17/2013 5:36:04 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      NEWPRD.sorvive.com
Description:
An account failed to log on.

Subject:
 Security ID:  NEWPRD\Administrator
 Account Name:  Administrator
 Account Domain:  NEWPRD
 Logon ID:  0x1245586

Logon Type:   3

Account For Which Logon Failed:
 Security ID:  NULL SID
 Account Name:  Guest
 Account Domain:  NEWPRD

Failure Information:
 Failure Reason:  Account currently disabled.
 Status:   0xc000006e
 Sub Status:  0xc0000072

Process Information:
 Caller Process ID: 0xce0
 Caller Process Name: C:\Windows\explorer.exe

Network Information:
 Workstation Name: NEWPRD
 Source Network Address: -
 Source Port:  -

Detailed Authentication Information:
 Logon Process:  Advapi 
 Authentication Package: Negotiate
 Transited Services: -
 Package Name (NTLM only): -
 Key Length:  0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
 - Transited services indicate which intermediate services have participated in this logon request.
 - Package name indicates which sub-protocol was used among the NTLM protocols.
 - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2013-08-17T21:36:04.587579800Z" />
    <EventRecordID>17342</EventRecordID>
    <Correlation />
    <Execution ProcessID="656" ThreadID="2812" />
    <Channel>Security</Channel>
    <Computer>NEWPRD.sorvive.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-2531602938-1099658101-1319544182-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">NEWPRD</Data>
    <Data Name="SubjectLogonId">0x1245586</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">Guest</Data>
    <Data Name="TargetDomainName">NEWPRD</Data>
    <Data Name="Status">0xc000006e</Data>
    <Data Name="FailureReason">%%2310</Data>
    <Data Name="SubStatus">0xc0000072</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">NEWPRD</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0xce0</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
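The event text above explains the fields; the following added example (mine, not part of the original post and not a Windows component) decodes one 4625 event's XML into the values a responder cares about: the NTSTATUS names behind Status/SubStatus, the logon type, and whether the request came from a local process or from the network. The sample event is constructed from the one above using the standard Windows event namespace, and the parser also accepts the namespace-less form shown in the post.

```python
import xml.etree.ElementTree as ET

# NTSTATUS values that event 4625 reports in Status / SubStatus
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
LOCAL_ADDRESSES = {"-", "", "127.0.0.1", "::1"}

# Constructed sample built from the event above, with the standard Windows event namespace
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2013-08-17T21:36:04.587579800Z" />
    <Computer>NEWPRD.sorvive.com</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-2531602938-1099658101-1319544182-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">NEWPRD</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">Guest</Data>
    <Data Name="TargetDomainName">NEWPRD</Data>
    <Data Name="Status">0xc000006e</Data>
    <Data Name="SubStatus">0xc0000072</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">NEWPRD</Data>
    <Data Name="ProcessId">0xce0</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>"""


def status_name(value):
    """Map a hex NTSTATUS string like '0xc0000072' to its symbolic name."""
    try:
        code = int(value, 16)
    except (TypeError, ValueError):
        return "n/a"
    return NTSTATUS.get(code, f"0x{code:08X}")


def parse_4625(xml_text):
    """Pull the fields a responder needs out of one 4625 event, in any or no namespace."""
    root = ET.fromstring(xml_text)
    if root.findtext("{*}System/{*}EventID") != "4625":
        raise ValueError("not a 4625 event")
    data = {d.get("Name"): (d.text or "").strip() for d in root.iterfind(".//{*}Data")}
    computer = (root.findtext("{*}System/{*}Computer") or "").split(".")[0].upper()
    created = root.find("{*}System/{*}TimeCreated")
    logon_type = int(data.get("LogonType") or 0)
    # No source address plus a workstation name equal to the logging host means the
    # request was made by a process on this machine, not received over the network.
    local_origin = (data.get("IpAddress", "-") in LOCAL_ADDRESSES
                    and data.get("WorkstationName", "").upper() == computer)
    return {
        "time": created.get("SystemTime") if created is not None else "",
        "target": f"{data.get('TargetDomainName')}\\{data.get('TargetUserName')}",
        "target_sid": data.get("TargetUserSid"),
        "subject": f"{data.get('SubjectDomainName')}\\{data.get('SubjectUserName')}",
        "logon_type": LOGON_TYPES.get(logon_type, f"type {logon_type}"),
        "status": status_name(data.get("Status")),
        "substatus": status_name(data.get("SubStatus")),
        "caller_process": data.get("ProcessName", ""),
        "auth_package": data.get("AuthenticationPackageName", ""),
        "local_origin": local_origin,
    }


def summarize(event):
    """One-line explanation suitable for a triage note."""
    origin = "a local process" if event["local_origin"] else "the network"
    return (f"{event['time']}: {event['logon_type']} logon as {event['target']} "
            f"(SID {event['target_sid']}) requested from {origin} by {event['caller_process']} "
            f"running as {event['subject']} was refused: {event['status']}/{event['substatus']}")


if __name__ == "__main__":
    print(summarize(parse_4625(SAMPLE_EVENT)))
```

For the event in the post the summary reads as a Network logon for NEWPRD\Guest requested by C:\Windows\explorer.exe running as the Administrator, refused with STATUS_ACCOUNT_RESTRICTION/STATUS_ACCOUNT_DISABLED; the NULL SID is expected there, because no token was ever built for the refused account. The caller process and the missing source address are what separate a local process probing an account from a remote logon attempt.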

Managing 2 ISP connections via Server 2012 R2


Hi,

I have a server and 30 client computers. I have 2 ISPs with default gateway addresses of 192.168.1.1 and 192.168.100.1. All of the client computers are in a workgroup environment. The main problem I face every day is that when 1 ISP connection is down, I visit every client PC and connect them to the other ISP connection. Is there any way in Windows Server 2012 that can accept 2 ISP connections and then transfer them to the client computers, and when 1 ISP goes down, automatically transfer the client computers to the other network? Please guide me with a step by step procedure and any hardware change or addition, like how many NIC cards will be used.

Regards.

NPS SQL Logging Missing Fields and NULLs


Hi

I have an NPS server which logs all the relevant information in the NPS Event viewer Logs. I also have this information recording to a local text file.

So I can keep records for longer I have set up the  link to an SQL server to also store the data in there which I can then extract using a custom web search system on client MAC Addresses.

However, the majority of the information which is being transferred is coming over as NULL, or some of the columns are missing. In SQL I have one column which shows the Calling-Station-ID with the AP MAC address and WiFi name; however, there is no column for just the MAC address of the client.

However, this information is recorded in the Event Log viewer. Do not ALL the fields that show in the Windows event log transfer over to SQL?

Thanks.

How to Forward HTTP request to HTTPS while HTTP PORT is closed?


Operating System: Windows Server 2008

Description: We have a web project which is running on HTTPS port 443 on WWW and deployed on JBoss Application Server on a Windows operating system. Recently we received an attack on HTTP port 80 on an application server file.

Attempt: We scanned the application server and were able to identify the API which can be executed by an attacker. We have handled this situation.

Problem Description: On asking the IT team why they have opened HTTP port 80 on the machine, and what the need is to open the HTTP port if the project is running on HTTPS port 443, they said that it is open because if a customer accesses http://www.abc.com, it will automatically be transferred to https://www.abc.com.

And if they close port 80, then the following request "http://www.abc.com" cannot be received.

Kindly let us know how we can deal with this situation. We want some solution so that we can close the HTTP port on the machine, but if a request comes to HTTP, we can automatically forward it to HTTPS.

Kindly assist us, I will be really thankful for any suggestion.


Regards, S.P Singh
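A redirect can only be served on a port that is listening, so port 80 cannot be closed and still redirect; what can be done is to make sure nothing but a redirect is reachable there. The following added example (mine, not the poster's setup and not JBoss-specific) is a listener that answers every GET/HEAD with a 301 to the HTTPS site and refuses any other method, and that only ever redirects to an allow-listed hostname so a forged Host header cannot turn it into an open redirector. `ALLOWED_HOSTS` uses the www.abc.com name from the post; `probe` is a helper that runs the listener on a loopback port for a self-test.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumption: the site from the post. Only these hosts ever appear in a Location header,
# so a forged Host header cannot turn the listener into an open redirector.
ALLOWED_HOSTS = {"www.abc.com", "abc.com"}
CANONICAL_HOST = "www.abc.com"


def redirect_target(host_header, path, allowed_hosts=ALLOWED_HOSTS, canonical=CANONICAL_HOST):
    """Build the https:// URL a clear-text request should be sent to."""
    host = (host_header or "").split(":")[0].strip().lower()  # drop any :port suffix
    if host not in allowed_hosts:
        host = canonical
    # Keep only an origin-form path and query; "//host/..." or an absolute URL could
    # otherwise smuggle a different authority into the redirect.
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    parts = urlsplit(path)
    return f"https://{host}{parts.path or '/'}" + (f"?{parts.query}" if parts.query else "")


class RedirectOnlyHandler(BaseHTTPRequestHandler):
    """Serves no content: GET/HEAD get a 301 to HTTPS, every other method a 405."""
    server_version = "redirect/1.0"  # do not advertise the application stack
    sys_version = ""

    def _redirect(self):
        self.send_response(301)
        self.send_header("Location", redirect_target(self.headers.get("Host"), self.path))
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    def _refuse(self):
        # Request bodies are never read or relayed over the clear-text port.
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    do_GET = do_HEAD = _redirect
    do_POST = do_PUT = do_DELETE = do_PATCH = do_OPTIONS = _refuse


def probe(method, path, host):
    """Start the listener on an ephemeral loopback port, send one request, return (status, Location)."""
    srv = HTTPServer(("127.0.0.1", 0), RedirectOnlyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", srv.server_address[1], timeout=5)
        conn.request(method, path, headers={"Host": host})
        resp = conn.getresponse()
        result = (resp.status, resp.getheader("Location"))
        conn.close()
        return result
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    # In production bind port 80 (needs administrator rights) and run it as a service in
    # place of the application's own HTTP connector, so the application is never on :80.
    HTTPServer(("0.0.0.0", 80), RedirectOnlyHandler).serve_forever()
```

The HTTPS side should additionally send a Strict-Transport-Security header; browsers ignore that header on plain HTTP (RFC 6797), but once a client has seen it over HTTPS it rewrites later http:// links itself and never touches port 80 again, which shrinks the clear-text exposure to first visits and non-browser clients.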

RADIUS in Server 2016

What do we use as a replacement for RADIUS server in Windows Server 2016?

How to lower security in Windows 10 when \\


Hi guys,

Remember with Windows XP and Windows 7 you could \\server and when it is the same username and password you just got through; with Windows 10 now it does not work, it seems you have to put the domain name in front. Is there any way to make it work like before? It would also help with the other problem as well, such as access to SQL Server...

Thank you

J


NPS as Proxy for multiple Radius servers


Hi,

I have 4 different radius servers (NPS, Steelbelted, ACS and Freeradius) connected in a network. I am planning to use NPS as a radius server and a radius proxy for other radius servers. I will be using a wireless access point to give access for my clients to the servers. 

Using NPS as standalone for authentication is working for EAP securities, but when I add a connection request policy for forwarding the requests to other radius servers everything stops working. I will be changing the IP address of the radius server in the wireless access point to determine which radius server to be used for authentication. 

Could anyone help me create a correct connection request policy which will forward the request to the correct radius servers based on the IP address I give in the wireless access point? The IP address of the radius server given in the access point is the only thing from which I can figure out which radius server is to be used for authentication.

Thanks in advance,

Dilshan

EAP-TLS NPS with Cisco WLC-question regarding godaddy cert or CA


Do I need a certificate server to deploy EAP-TLS to laptops? We have a GoDaddy certificate that we purchased for our wireless network and I'm wondering if I can use that? I can push out the certificate via GPO, right? My main question is, do I need to install a CA server because we need to generate a client certificate? We are using NPS and a Cisco wireless controller. EAP-PEAP works, but my company wants to move to EAP-TLS.

Any advice would be greatly appreciated.  


How to use the "Operating System" version for a condition


Windows Server 2008 R2

We just recently installed "Network Policy Server" and it went smoothly. Everyone can connect to the AP using their Active Directory credentials. Now we need to limit who can connect by allowing only Windows 7 laptops, no Android or iOS devices.

In the "Network Policies" condition (btw I'm using Wireless PEAP with NAS port type IEEE 802.11), I tried to include an operating system version as a condition but it doesn't work. The format it was expecting is 00000.00000 for the version number.

How does one find out this version number?

Public Certificate for NPS/NAP?


Ok, I am trying to get NPS set up so that it will be used for guests to access the Internet but still require a login on our network using PEAP. I got a trial certificate from GeoTrust/RapidSSL/FreeSSL and it only offers "Digital Signature, Key Encipherment (a0)", but NPS requires a certificate with "Data Encipherment". I have not found ANY public CA that issues this type of certificate, so if Microsoft requires this for PEAP, where am I to get a valid certificate for this?

I have checked Verisign and GoDaddy, and all of them only offer "Key Encipherment".


Monitoring network activity


I have to implement the following solution.

We have a scenario with 180 workstations (Win7/8/10 mixed). We have a WS2012R2 ADS server. We have implemented Group Policies to contain the activities that a user can do.

There are unused wired network points in the premises. We would like to implement a solution whereby if an outsider connects his laptop to any of the used network points, he should either not get access or we should get an alert.

Is it possible to implement Network Access Protection to achieve this? We also have a Cyberoam firewall on the internet gateway.

We have had an incident wherein an outsider had connected his laptop to the network. His laptop had a virus/ransomware and due to this there was infection on some of the PCs and there was loss of data. We could restore the last backup and reduce the damage, but we need to ensure that such incidents do not happen in future.

Can we do it with NPS, or do we need to have some third-party software to achieve this?
