Hello Community,
I have a problem with certificate based W-LAN Access with device AND user certificates from a two tier PKI infrastructure.
First to the infrastructure:
- Four Domain Controller Windows Server 2012 R2
- One of them NPS installed
- One Cisco WTC W-LAN Controller as RADIUS Client
- Two Tier PKI (Offline Root CA and Issuing Sub CA Active Directory integrated)
- Domain Controller with NPS has a Certificate installed from Issuing CA (DomainController Template) that is used for RADIUS
- Client Computer (Domain Member) has a computer certificate from Issuing CA at the local certificate store in context of the Computer
- User on Client PC has a user certificate from Issuing CA at the local certificate store in user context
- On all systems the certificate chain is without errors/warnings
Now to the Problem:
When I configure rules in RADIUS for certificate based authentication, W-LAN access works with EAP-TLS only for the computer account and not for the user. The option "smart cards or certificates" is set as the only option. One group with computer accounts and one group with user accounts are added as condition.
The certificate for NPS Server has following as Extended key usage:
- Server Authentication (1.3.6.1.5.5.7.3.1)
- Client Authentication (1.3.6.1.5.5.7.3.2)
The Client certificate has the following as Extended key usage:
- Server Authentication (1.3.6.1.5.5.7.3.1)
- Client Authentication (1.3.6.1.5.5.7.3.2)
The user account in Active Directory is set to "Control access through NPS Network Policy" in dial-in properties.
Here are some logs from the client with a failed attempt to connect to the W-LAN with user AND computer account certificate as criteria. Hope some of you guys can help?
[1172] 10-25 11:32:05:886: PeapReadConnectionData
[1172] 10-25 11:32:05:886: IsIdentityPrivacyInPeapConnPropValid
[1172] 10-25 11:32:05:886: PeapReadUserData
[1172] 10-25 11:32:05:886: No Credentails passed
[1172] 10-25 11:32:05:886: RasEapGetInfo
[1172] 10-25 11:32:05:886: EAP-TLS using All-purpose cert
[1172] 10-25 11:32:05:886: Self Signed Certificates will not be selected.
[1172] 10-25 11:32:05:886: EAP-TLS will accept the All-purpose cert
[1172] 10-25 11:32:05:886: EapTlsInitialize2: PEAP using All-purpose cert
[1172] 10-25 11:32:05:886: PEAP will accept the All-purpose cert
[1172] 10-25 11:32:05:886: PeapGetIdentity returned the identity as host/ComputerAccount.domain.tld
[1172] 10-25 11:32:05:886: EAP-TLS using All-purpose cert
[1172] 10-25 11:32:05:886: Self Signed Certificates will not be selected.
[1172] 10-25 11:32:05:886: EAP-TLS will accept the All-purpose cert
[1172] 10-25 11:32:05:886: EapTlsInitialize2: PEAP using All-purpose cert
[1172] 10-25 11:32:05:886: PEAP will accept the All-purpose cert
[1172] 10-25 11:32:05:886: PeapReadConnectionData
[1172] 10-25 11:32:05:886: IsIdentityPrivacyInPeapConnPropValid
[1172] 10-25 11:32:05:886: PeapReadUserData
[1172] 10-25 11:32:05:886: No Credentails passed
[1172] 10-25 11:32:05:886: RasEapGetInfo
[1172] 10-25 11:32:05:886: EAP-TLS using All-purpose cert
[1172] 10-25 11:32:05:886: Self Signed Certificates will not be selected.
[1172] 10-25 11:32:05:886: EAP-TLS will accept the All-purpose cert
[1172] 10-25 11:32:05:886: EapTlsInitialize2: PEAP using All-purpose cert
[1172] 10-25 11:32:05:886: PEAP will accept the All-purpose cert
[1172] 10-25 11:32:05:886: PeapGetIdentity returned the identity as host/ComputerAccount.domain.tld
[1172] 10-25 11:32:05:886: EAP-TLS using All-purpose cert
[1172] 10-25 11:32:05:886: Self Signed Certificates will not be selected.
[1172] 10-25 11:32:05:886: EAP-TLS will accept the All-purpose cert
[1172] 10-25 11:32:05:886: EapTlsInitialize2: PEAP using All-purpose cert
[1172] 10-25 11:32:05:886: PEAP will accept the All-purpose cert
[1172] 10-25 11:32:05:886: EapPeapBegin
[1172] 10-25 11:32:05:886: EapPeapBegin - flags(0xa0)
[1172] 10-25 11:32:05:886: PeapReadConnectionData
[1172] 10-25 11:32:05:886: IsIdentityPrivacyInPeapConnPropValid
[1172] 10-25 11:32:05:886: PeapReadUserData
[1172] 10-25 11:32:05:886:
[1172] 10-25 11:32:05:886: EapTlsBegin(host/ComputerAccount.domain.tld)
[1172] 10-25 11:32:05:886: SetupMachineChangeNotification
[1172] 10-25 11:32:05:886: State change to Initial
[1172] 10-25 11:32:05:886: EapTlsBegin: Detected 8021X authentication
[1172] 10-25 11:32:05:886: EapTlsBegin: Detected PEAP authentication
[1172] 10-25 11:32:05:886: MaxTLSMessageLength is now 16384
[1172] 10-25 11:32:05:886: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1172] 10-25 11:32:05:886: Force IgnoreRevocationOffline on client
[1172] 10-25 11:32:05:886: CRYPT_E_REVOCATION_OFFLINE will be ignored
[1172] 10-25 11:32:05:886: The root cert will not be checked for revocation
[1172] 10-25 11:32:05:886: The cert will be checked for revocation
[1172] 10-25 11:32:05:886: Unable to read TLS version registry key, return code 2
[1172] 10-25 11:32:05:886: EapPeapBegin done
[1172] 10-25 11:32:05:886: EapPeapMakeMessage
[1172] 10-25 11:32:05:886: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:886: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:886: PEAP:PEAP_STATE_INITIAL
[1172] 10-25 11:32:05:886: EapTlsCMakeMessage, state(0) flags (0x5460)
[1172] 10-25 11:32:05:886: EapTlsReset
[1172] 10-25 11:32:05:886: State change to Initial
[1172] 10-25 11:32:05:886: EapGetCredentials
[1172] 10-25 11:32:05:886: Flag is Machine Auth and Store is local Machine
[1172] 10-25 11:32:05:886: GetCachedCredentials Flags = 0x5460
[1172] 10-25 11:32:05:886: FindNodeInCachedCredList, flags(0x5460), default cached creds(0), check thread token(0)
[1172] 10-25 11:32:05:886: pNode->dwCredFlags = 0x49
[1172] 10-25 11:32:05:886: No Cert Store. Guest Access requested
[1172] 10-25 11:32:05:886: No Cert Name. Guest access requested
[1172] 10-25 11:32:05:886: Will validate server cert
[1172] 10-25 11:32:05:886: MakeReplyMessage
[1172] 10-25 11:32:05:886: SecurityContextFunction
[1172] 10-25 11:32:05:886: InitializeSecurityContext returned 0x90312
[1172] 10-25 11:32:05:886: State change to SentHello
[1172] 10-25 11:32:05:886: BuildPacket
[1172] 10-25 11:32:05:886: << Sending Response (Code: 2) packet: Id: 4, Length: 109, Type: 13, TLS blob length: 99. Flags: L
[1172] 10-25 11:32:05:886: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:886: EapPeapMakeMessage done
[1172] 10-25 11:32:05:902: EapPeapMakeMessage
[1172] 10-25 11:32:05:902: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:902: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:902: PEAP:PEAP_STATE_TLS_INPROGRESS
[1172] 10-25 11:32:05:902: EapTlsCMakeMessage, state(2) flags (0x5400)
[1172] 10-25 11:32:05:902: MakeReplyMessage
[1172] 10-25 11:32:05:902: Reallocating input TLS blob buffer
[1172] 10-25 11:32:05:902: BuildPacket
[1172] 10-25 11:32:05:902: << Sending Response (Code: 2) packet: Id: 5, Length: 6, Type: 13, TLS blob length: 0. Flags:
[1172] 10-25 11:32:05:902: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:902: EapPeapMakeMessage done
[1172] 10-25 11:32:05:917: EapPeapMakeMessage
[1172] 10-25 11:32:05:917: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:917: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:917: PEAP:PEAP_STATE_TLS_INPROGRESS
[1172] 10-25 11:32:05:917: EapTlsCMakeMessage, state(2) flags (0x5410)
[1172] 10-25 11:32:05:917: MakeReplyMessage
[1172] 10-25 11:32:05:917: BuildPacket
[1172] 10-25 11:32:05:917: << Sending Response (Code: 2) packet: Id: 6, Length: 6, Type: 13, TLS blob length: 0. Flags:
[1172] 10-25 11:32:05:917: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:917: EapPeapMakeMessage done
[1172] 10-25 11:32:05:933: EapPeapMakeMessage
[1172] 10-25 11:32:05:933: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:933: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:933: PEAP:PEAP_STATE_TLS_INPROGRESS
[1172] 10-25 11:32:05:933: EapTlsCMakeMessage, state(2) flags (0x5410)
[1172] 10-25 11:32:05:933: MakeReplyMessage
[1172] 10-25 11:32:05:933: SecurityContextFunction
[1172] 10-25 11:32:05:933: InitializeSecurityContext returned 0x90312
[1172] 10-25 11:32:05:933: State change to SentFinished
[1172] 10-25 11:32:05:933: BuildPacket
[1172] 10-25 11:32:05:933: << Sending Response (Code: 2) packet: Id: 7, Length: 144, Type: 13, TLS blob length: 134. Flags: L
[1172] 10-25 11:32:05:933: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:933: EapPeapMakeMessage done
[1172] 10-25 11:32:05:949: EapPeapMakeMessage
[1172] 10-25 11:32:05:949: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:949: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:949: PEAP:PEAP_STATE_TLS_INPROGRESS
[1172] 10-25 11:32:05:949: EapTlsCMakeMessage, state(3) flags (0x5400)
[1172] 10-25 11:32:05:949: MakeReplyMessage
[1172] 10-25 11:32:05:949: SecurityContextFunction
[1172] 10-25 11:32:05:949: InitializeSecurityContext returned 0x0
[1172] 10-25 11:32:05:949: AuthenticateServer flags: 0x5400
[1172] 10-25 11:32:05:949: DwGetEKUUsage
[1172] 10-25 11:32:05:949: Number of EKUs on the cert are 1
[1172] 10-25 11:32:05:949: FCheckUsage: All-Purpose: 1
[1172] 10-25 11:32:05:949: Checking against the NTAuth store to verify the certificate chain.
[1172] 10-25 11:32:05:949: CertVerifyCertificateChainPolicy succeeded but returned 0x800b0112.Continuing with root hash matching.
[1172] 10-25 11:32:05:949: Root CA name: NameOfCa Authority
[1172] 10-25 11:32:05:949: Found Hash
[1172] 10-25 11:32:05:949: Server name: NameOfCa Authority
[1172] 10-25 11:32:05:949: Server name specified:
[1172] 10-25 11:32:05:949: Server name validation is disabled
[1172] 10-25 11:32:05:949: CreateMPPEKeyAttributes
[1172] 10-25 11:32:05:949: State change to RecdFinished
[1172] 10-25 11:32:05:949: BuildPacket
[1172] 10-25 11:32:05:949: << Sending Response (Code: 2) packet: Id: 8, Length: 6, Type: 13, TLS blob length: 0. Flags:
[1172] 10-25 11:32:05:949: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:949: EapPeapMakeMessage done
[1172] 10-25 11:32:05:949: EapPeapMakeMessage
[1172] 10-25 11:32:05:949: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:949: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:949: PEAP:PEAP_STATE_TLS_INPROGRESS
[1172] 10-25 11:32:05:949: EapTlsCMakeMessage, state(4) flags (0x5408)
[1172] 10-25 11:32:05:949: Negotiation successful
[1172] 10-25 11:32:05:949: SetCachedCredentials Flags = 0x5408
[1172] 10-25 11:32:05:949: AddNodeToCachedCredList, pEapTlsCb->fFlags(0x5408).
[1172] 10-25 11:32:05:949: FindNodeInCachedCredList, flags(0x5408), default cached creds(0), check thread token(0)
[1172] 10-25 11:32:05:949: pNode->dwCredFlags = 0x49
[1172] 10-25 11:32:05:949: GetNewCachedCredListNode
[1172] 10-25 11:32:05:949: Created a new EAPTLS_CACHED_CREDS, pNode->dwCredFlags = 0x4a
[1172] 10-25 11:32:05:949: PeapGetTunnelProperties
[1172] 10-25 11:32:05:949: Successfully negotiated TLS with following parametersdwProtocol = 0x80, Cipher= 0x6610, CipherStrength=0x100, Hash=0x8004
[1172] 10-25 11:32:05:949: PeapGetTunnelProperties done
[1172] 10-25 11:32:05:949: GetTLSSessionCookie
[1172] 10-25 11:32:05:949: IsTLSSessionReconnect
[1172] 10-25 11:32:05:949: Full Tls authentication performed
[1172] 10-25 11:32:05:949: PEAP_STATE_FAST_ROAMING_IDENTITY_REQUEST
[1172] 10-25 11:32:05:949: PeapClientDecryptTunnelData
[1172] 10-25 11:32:05:949: IsDuplicatePacket
[1172] 10-25 11:32:05:949: PeapDecryptTunnelData dwSizeofData = 37, pData = 0x3e771a6
[1172] 10-25 11:32:05:949: Blob length 37
[1172] 10-25 11:32:05:949: PeapDecryptTunnelData completed with status 0x0
[1172] 10-25 11:32:05:949: Buffer length is 5
[1172] 10-25 11:32:05:949: IsMsEapTlvPacket
[1172] 10-25 11:32:05:949: IsEapTLVInsidePEAP
[1172] 10-25 11:32:05:949: PeapEncryptTunnelData
[1172] 10-25 11:32:05:949: Blob length 69
[1172] 10-25 11:32:05:949: PeapEncryptTunnelData completed with status 0x0
[1172] 10-25 11:32:05:949: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:949: EapPeapMakeMessage done
[1172] 10-25 11:32:05:949: EapPeapMakeMessage
[1172] 10-25 11:32:05:949: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:949: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:949: PEAP:PEAP_STATE_IDENTITY_RESPONSE_SENT
[1172] 10-25 11:32:05:949: PeapClientDecryptTunnelData
[1172] 10-25 11:32:05:949: IsDuplicatePacket
[1172] 10-25 11:32:05:949: PeapDecryptTunnelData dwSizeofData = 85, pData = 0x5b288e6
[1172] 10-25 11:32:05:949: Blob length 85
[1172] 10-25 11:32:05:949: PeapDecryptTunnelData completed with status 0x0
[1172] 10-25 11:32:05:949: Buffer length is 49
[1172] 10-25 11:32:05:949: IsMsEapTlvPacket
[1172] 10-25 11:32:05:949: IsEapTLVInsidePEAP
[1172] 10-25 11:32:05:949: PeapEncryptTunnelData
[1172] 10-25 11:32:05:949: Blob length 117
[1172] 10-25 11:32:05:949: PeapEncryptTunnelData completed with status 0x0
[1172] 10-25 11:32:05:949: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:949: EapPeapMakeMessage done
[1172] 10-25 11:32:05:964: EapPeapMakeMessage
[1172] 10-25 11:32:05:964: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:05:964: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:05:964: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[1172] 10-25 11:32:05:964: PeapClientDecryptTunnelData
[1172] 10-25 11:32:05:964: IsDuplicatePacket
[1172] 10-25 11:32:05:964: PeapDecryptTunnelData dwSizeofData = 37, pData = 0x3e6f816
[1172] 10-25 11:32:05:964: Blob length 37
[1172] 10-25 11:32:05:964: PeapDecryptTunnelData completed with status 0x0
[1172] 10-25 11:32:05:964: Buffer length is 11
[1172] 10-25 11:32:05:964: IsEapTLVInsidePEAP
[1172] 10-25 11:32:05:964: IsEapTLVInsidePEAP returned true
[1172] 10-25 11:32:05:964: CheckForUnsupportedMandatoryTLV
[1172] 10-25 11:32:05:964: GetPEAPTLVStatusMessageValue
[1172] 10-25 11:32:05:964: Found a result TLV 2
[1172] 10-25 11:32:05:964: PeapSetTypeUserAttributes
[1172] 10-25 11:32:05:964: Sending PEAP_Failure
[1172] 10-25 11:32:05:964: CreatePEAPTLVStatusMessage
[1172] 10-25 11:32:05:964: PeapEncryptTunnelData
[1172] 10-25 11:32:05:964: Blob length 37
[1172] 10-25 11:32:05:964: PeapEncryptTunnelData completed with status 0x0
[1172] 10-25 11:32:05:964: EapPeapCMakeMessage done
[1172] 10-25 11:32:05:964: EapPeapMakeMessage done
[1172] 10-25 11:32:06:963: EapPeapMakeMessage
[1172] 10-25 11:32:06:963: EapPeapCMakeMessage, flags(0x80540)
[1172] 10-25 11:32:06:963: Cloned PPP_EAP_PACKET packet
[1172] 10-25 11:32:06:963: PEAP:PEAP_STATE_PEAP_FAIL_SEND
[1172] 10-25 11:32:06:963: SetTLSFastReconnect
[1172] 10-25 11:32:06:963: IsTLSSessionReconnect
[1172] 10-25 11:32:06:963: Full Tls authentication performed
[1172] 10-25 11:32:06:963: The session is not setup for fast reconnects. No need to disable.
[1172] 10-25 11:32:06:963: RasEapAuthAttributeRemove: received NULL attributeArray, returning
[1172] 10-25 11:32:06:963: FreeCachedCredentials
[1172] 10-25 11:32:06:963: FindNodeInCachedCredList, flags(0x5408), default cached creds(0), check thread token(0)
[1172] 10-25 11:32:06:963: pNode->dwCredFlags = 0x4a
[1172] 10-25 11:32:06:963: RemoveNodeFromCachedCredList.
[1172] 10-25 11:32:06:963: RasAuthAttributeConcat
[1172] 10-25 11:32:06:963: EapPeapCMakeMessage done
[1172] 10-25 11:32:06:963: EapPeapMakeMessage done
[1172] 10-25 11:32:06:963: EapPeapEnd
[1172] 10-25 11:32:06:963: EapTlsEnd
[1172] 10-25 11:32:06:963: EapTlsEnd(host/ComputerAccount.domain.tld)
[1172] 10-25 11:32:06:963: EapPeapEnd done
[5260] 10-25 11:32:10:847: EAP-TLS using All-purpose cert
[5260] 10-25 11:32:10:847: Self Signed Certificates will not be selected.
[5260] 10-25 11:32:10:847: EAP-TLS will accept the All-purpose cert
[5260] 10-25 11:32:10:847: EapTlsInitialize2: PEAP using All-purpose cert
[5260] 10-25 11:32:10:847: PEAP will accept the All-purpose cert
[5260] 10-25 11:32:10:847: EapTlsInvokeIdentityUI
[5260] 10-25 11:32:10:847: GetCertInfo flags: 0xa2
[5260] 10-25 11:32:10:847: GetDefaultClientMachineCert
[5260] 10-25 11:32:10:847: FCheckTimeValidity
[5260] 10-25 11:32:10:847: FCheckUsage: All-Purpose: 1
[5260] 10-25 11:32:10:847: DwGetEKUUsage
[5260] 10-25 11:32:10:847: Number of EKUs on the cert are 2
[5260] 10-25 11:32:10:847: Cert do have CDP but do not have AIA OCSP extension
[5260] 10-25 11:32:10:847: Found Machine Cert based on machinename, client auth, time validity.
[5260] 10-25 11:32:10:847: GetDefaultClientMachineCert done.
[5260] 10-25 11:32:10:847: Got the default Machine Cert
[5260] 10-25 11:32:10:847: Successfully got certificate. Hash follows
[5260] 11:32:10:847: 83 C5 4B C6 EA CF 5D 36 11 C9 CC 27 F5 AA 89 E5 |..K...]6...'....|
[5260] 11:32:10:847: 28 C0 5F A4 00 00 00 00 00 00 00 00 00 00 00 00 |(._.............|
[5260] 10-25 11:32:10:847: EAP-TLS using All-purpose cert
[5260] 10-25 11:32:10:847: Self Signed Certificates will not be selected.
[5260] 10-25 11:32:10:847: EAP-TLS will accept the All-purpose cert
[5260] 10-25 11:32:10:847: EapTlsInitialize2: PEAP using All-purpose cert
[5260] 10-25 11:32:10:847: PEAP will accept the All-purpose cert
[5260] 10-25 11:32:10:847: EAP-TLS using All-purpose cert
[5260] 10-25 11:32:10:847: Self Signed Certificates will not be selected.
[5260] 10-25 11:32:10:847: EAP-TLS will accept the All-purpose cert
[5260] 10-25 11:32:10:847: EapTlsInitialize2: PEAP using All-purpose cert
[5260] 10-25 11:32:10:847: PEAP will accept the All-purpose cert
[5260] 10-25 11:32:10:847: EapTlsInvokeIdentityUI
[5260] 10-25 11:32:10:847: GetCertInfo flags: 0xa2
[5260] 10-25 11:32:10:847: GetDefaultClientMachineCert
[5260] 10-25 11:32:10:847: FCheckTimeValidity
[5260] 10-25 11:32:10:847: FCheckUsage: All-Purpose: 1
[5260] 10-25 11:32:10:847: DwGetEKUUsage
[5260] 10-25 11:32:10:847: Number of EKUs on the cert are 2
[5260] 10-25 11:32:10:847: Cert do have CDP but do not have AIA OCSP extension
[5260] 10-25 11:32:10:847: Found Machine Cert based on machinename, client auth, time validity.
[5260] 10-25 11:32:10:847: GetDefaultClientMachineCert done.
[5260] 10-25 11:32:10:847: Got the default Machine Cert
[5260] 10-25 11:32:10:847: Successfully got certificate. Hash follows
[5260] 11:32:10:847: 83 C5 4B C6 EA CF 5D 36 11 C9 CC 27 F5 AA 89 E5 |..K...]6...'....|
[5260] 11:32:10:847: 28 C0 5F A4 00 00 00 00 00 00 00 00 00 00 00 00 |(._.............|
[5260] 10-25 11:32:10:847: EAP-TLS using All-purpose cert
[5260] 10-25 11:32:10:847: Self Signed Certificates will not be selected.
[5260] 10-25 11:32:10:847: EAP-TLS will accept the All-purpose cert
[5260] 10-25 11:32:10:847: EapTlsInitialize2: PEAP using All-purpose cert
[5260] 10-25 11:32:10:847: PEAP will accept the All-purpose cert
[5260] 10-25 11:32:14:950: EAP-TLS using All-purpose cert
[5260] 10-25 11:32:14:950: Self Signed Certificates will not be selected.
[5260] 10-25 11:32:14:950: EAP-TLS will accept the All-purpose cert
[5260] 10-25 11:32:14:950: EapTlsInitialize2: PEAP using All-purpose cert
[5260] 10-25 11:32:14:950: PEAP will accept the All-purpose cert
[5260] 10-25 11:32:14:950: EapTlsInvokeIdentityUI
[5260] 10-25 11:32:14:950: GetCertInfo flags: 0xa2
[5260] 10-25 11:32:14:950: GetDefaultClientMachineCert
[5260] 10-25 11:32:14:950: FCheckTimeValidity
[5260] 10-25 11:32:14:950: FCheckUsage: All-Purpose: 1
[5260] 10-25 11:32:14:950: DwGetEKUUsage
[5260] 10-25 11:32:14:950: Number of EKUs on the cert are 2
[5260] 10-25 11:32:14:950: Cert do have CDP but do not have AIA OCSP extension
[5260] 10-25 11:32:14:950: Found Machine Cert based on machinename, client auth, time validity.
[5260] 10-25 11:32:14:950: GetDefaultClientMachineCert done.
[5260] 10-25 11:32:14:950: Got the default Machine Cert
[5260] 10-25 11:32:14:950: Successfully got certificate. Hash follows
[5260] 11:32:14:950: 83 C5 4B C6 EA CF 5D 36 11 C9 CC 27 F5 AA 89 E5 |..K...]6...'....|
[5260] 11:32:14:950: 28 C0 5F A4 00 00 00 00 00 00 00 00 00 00 00 00 |(._.............|
[5260] 10-25 11:32:14:950: EAP-TLS using All-purpose cert
[5260] 10-25 11:32:14:950: Self Signed Certificates will not be selected.
[5260] 10-25 11:32:14:950: EAP-TLS will accept the All-purpose cert
[5260] 10-25 11:32:14:950: EapTlsInitialize2: PEAP using All-purpose cert
[5260] 10-25 11:32:14:950: PEAP will accept the All-purpose cert
[1172] 10-25 11:32:14:950: EAP-TLS using All-purpose cert
[1172] 10-25 11:32:14:950: Self Signed Certificates will not be selected.
[1172] 10-25 11:32:14:950: EAP-TLS will accept the All-purpose cert
[1172] 10-25 11:32:14:950: EapTlsInitialize2: PEAP using All-purpose cert
[1172] 10-25 11:32:14:950: PEAP will accept the All-purpose cert
[1172] 10-25 11:32:14:950: EapTlsInvokeIdentityUI
[1172] 10-25 11:32:14:950: GetCertInfo flags: 0xa2
[1172] 10-25 11:32:14:950: GetDefaultClientMachineCert
[1172] 10-25 11:32:14:950: FCheckTimeValidity
[1172] 10-25 11:32:14:950: FCheckUsage: All-Purpose: 1
[1172] 10-25 11:32:14:950: DwGetEKUUsage
[1172] 10-25 11:32:14:950: Number of EKUs on the cert are 2
[1172] 10-25 11:32:14:950: Cert do have CDP but do not have AIA OCSP extension
[1172] 10-25 11:32:14:950: Found Machine Cert based on machinename, client auth, time validity.
[1172] 10-25 11:32:14:950: GetDefaultClientMachineCert done.
[1172] 10-25 11:32:14:950: Got the default Machine Cert
[1172] 10-25 11:32:14:950: Successfully got certificate. Hash follows
[1172] 11:32:14:950: 83 C5 4B C6 EA CF 5D 36 11 C9 CC 27 F5 AA 89 E5 |..K...]6...'....|
[1172] 11:32:14:950: 28 C0 5F A4 00 00 00 00 00 00 00 00 00 00 00 00 |(._.............|
[1172] 10-25 11:32:14:950: EAP-TLS using All-purpose cert
[1172] 10-25 11:32:14:950: Self Signed Certificates will not be selected.
[1172] 10-25 11:32:14:950: EAP-TLS will accept the All-purpose cert
[1172] 10-25 11:32:14:950: EapTlsInitialize2: PEAP using All-purpose cert
[1172] 10-25 11:32:14:950: PEAP will accept the All-purpose cert
Thanks to everyone who has ideas ;-)
Regards,
Frank
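
A triage sketch for the client trace above, added as an example and not part of the original post: it groups lines into `EapTlsBegin(...)`/`EapTlsEnd(...)` sessions per thread and reports which identity was presented and at which stage the failure was signalled. The function names and note wording are assumptions of this example; the matched message strings are the ones in the trace, and the Result TLV mapping (1 = success, 2 = failure) follows the PEAP Result TLV definition.

```python
import re

# Trace line shape used in the post: "[thread] MM-DD HH:MM:SS:mmm: message"
LINE_RE = re.compile(r"^\[(\d+)\] (?:\d\d-\d\d )?(\d\d:\d\d:\d\d:\d{3}):\s?(.*)$")
BEGIN_RE = re.compile(r"^EapTlsBegin\((.+)\)$")
END_RE = re.compile(r"^EapTlsEnd\((.+)\)$")
TLV_RE = re.compile(r"^Found a result TLV (\d+)$")
TLV_STATUS = {1: "success", 2: "failure"}  # PEAP Result TLV status values

# Lines copied from the trace above, cut down to one session for the example.
SAMPLE = """\
[1172] 10-25 11:32:05:886: EapTlsBegin(host/ComputerAccount.domain.tld)
[1172] 10-25 11:32:05:886: EapTlsBegin: Detected PEAP authentication
[1172] 10-25 11:32:05:886: Flag is Machine Auth and Store is local Machine
[1172] 10-25 11:32:05:949: Server name validation is disabled
[1172] 10-25 11:32:05:949: Negotiation successful
[1172] 10-25 11:32:05:964: Found a result TLV 2
[1172] 10-25 11:32:06:963: EapTlsEnd(host/ComputerAccount.domain.tld)
"""

def parse_sessions(trace):
    """Group lines into EapTlsBegin(...)/EapTlsEnd(...) sessions, tracked per thread."""
    sessions, open_by_tid = [], {}
    for raw in trace.splitlines():
        if not (m := LINE_RE.match(raw.strip())):
            continue
        tid, ts, msg = m.groups()
        if (begin := BEGIN_RE.match(msg)):
            s = {"start": ts, "identity": begin.group(1), "peap": False, "tls_ok": False,
                 "machine_store": False, "server_name_check": True, "result": "incomplete"}
            open_by_tid[tid] = s
            sessions.append(s)
            continue
        if (s := open_by_tid.get(tid)) is None:
            continue  # line belongs to no open session on this thread
        if msg == "EapTlsBegin: Detected PEAP authentication":
            s["peap"] = True
        elif msg == "Flag is Machine Auth and Store is local Machine":
            s["machine_store"] = True
        elif msg == "Server name validation is disabled":
            s["server_name_check"] = False
        elif msg == "Negotiation successful":
            s["tls_ok"] = True
        elif (tlv := TLV_RE.match(msg)):
            s["result"] = TLV_STATUS.get(int(tlv.group(1)), "unknown")
        elif END_RE.match(msg):
            s["end"] = ts
            del open_by_tid[tid]
    return sessions

def findings(s):
    """Short triage notes for one session summary."""
    checks = [
        (s["identity"].startswith("host/") or s["machine_store"], "machine credentials used"),
        (s["peap"], "trace reports PEAP authentication"),
        (s["tls_ok"] and s["result"] == "failure", "TLS negotiated, failure signalled afterwards"),
        (not s["server_name_check"], "server name validation disabled on client"),
    ]
    return [text for cond, text in checks if cond]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["start"], s["identity"], s["result"], findings(s))
```

Run over the full trace, a session whose identity starts with `host/` and whose failure arrives after `Negotiation successful` shows that machine credentials were offered and that the rejection was signalled once TLS was already up, so the reason has to be read from the RADIUS server's own log.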