Our environment is:
Active Directory on Windows Server 2008 R2
Primary NPS on Server 2008 R2 Enterprise
Secondary NPS on Server 2008 R2 Enterprise
Both NPS servers have the NPS and AD CS roles (RADIUS is using an Enterprise certificate issued by a CA that is subordinate to the DC CA).
NPS is set up to use PEAP-EAP-MSCHAP v2 and the client (Controller MSM765) is set up to use WPA (WPA or WPA2).
All domain machines (PC, laptop, MacBook) work fine with the RADIUS server, but for non-domain machines we have to install the certificate manually into the Trusted Root location (Windows machines only) to get RADIUS to work; with that done I was able to connect to my RADIUS server using auth method MS-CHAP v2. On iPad, iPhone and MacBook it works differently: the cert pops up after I enter my credentials, and I just click to continue past the certificate.
Now suddenly all non-domain Windows machines have stopped working with RADIUS and the logs show reason code 265,
but I have installed the trusted root certification authority on the client computer as usual, and I have checked with MMC whether the RADIUS cert exists in Trusted Root, and I found it there.
These are the logs for a Windows user for whom I have installed the cert in the Trusted Root folder:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: domain\Tim
Account Name: tim
Account Domain: domain
Fully Qualified Account Name: domain1\tim
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-24-A8-9B-1C-81
Calling Station Identifier: 24-77-03-6C-6B-28
NAS:
NAS IPv4 Address: 172.26.4.38
NAS IPv6 Address: -
NAS Identifier: SG0299L160
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 153
RADIUS Client:
Client Friendly Name: Controller1
Client IP Address: 172.26.4.38
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Trusted Machine and Users
Authentication Provider: Windows
Authentication Server: domain
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: 39613065373830302D3030303030306136
Logging Results: Accounting information was written to the local log file.
Reason Code: 265
Reason: The certificate chain was issued by an authority that is not trusted.
2nd log:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: PC
Account Domain: Domain
Fully Qualified Account Name: Domain\pc
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-24-A8-9B-1C-81
Calling Station Identifier: 24-77-03-6C-6B-28
NAS:
NAS IPv4 Address: 172.26.4.38
NAS IPv6 Address: -
NAS Identifier: SG0299L160
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 154
RADIUS Client:
Client Friendly Name: Controller1
Client IP Address: 172.26.4.38
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: Domain
Authentication Type: EAP
EAP Type: -
Account Session Identifier: 39613065373830302D3030303030306137
Logging Results: Accounting information was written to the local log file.
Reason Code: 8
Reason: The specified user account does not exist.
But I have found this temporary solution: create a wireless profile on the user's PC, untick "Validate server certificate" on the Security tab, and enable the 802.1X
setting to use user or computer authentication under Advanced settings. Then anyone who has an AD account and is a member of the wireless group
can authenticate without needing to install the RADIUS cert manually, and that is very bad, as I need
students to validate the cert; after one year this cert will expire and the students will need to come back next year to get a new cert from IT.
This is the log for the user (without needing any cert):
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: domain\tim
Account Name: 1337
Account Domain: domain
Fully Qualified Account Name: domain\tim
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-24-A8-9B-1C-81
Calling Station Identifier: 24-77-03-6C-6B-28
NAS:
NAS IPv4 Address: 172.26.4.38
NAS IPv6 Address: -
NAS Identifier: SG0299L160
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 124
RADIUS Client:
Client Friendly Name: Controller1
Client IP Address: 172.26.4.38
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Trusted Machine and Users
Authentication Provider: Windows
Authentication Server: domain
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: 37656134383634372D3030303030303839
Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -
2011IT
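Added example, not part of the original post and not Microsoft code. The temporary fix described above unticks "Validate server certificate", which is the setting that stops a PEAP supplicant from completing the TLS tunnel (and sending the inner MS-CHAP v2 exchange) to a RADIUS server whose certificate chain is not trusted; reason code 265 in the logs is the server-side symptom of the same chain-trust check failing. The script below parses the EapHostConfig part of a WLAN profile as exported by `netsh wlan export profile name="<SSID>" folder=C:\tmp`, flags the weak profile, and shows the hardened form beside it (validation on, issuing CA thumbprint pinned, server name set, user click-through prompt disabled). The two profile fragments are constructed from the element names in Microsoft's EapHostConfig / MsPeapConnectionProperties schema; the thumbprint and the server name nps1.domain.example are made-up placeholders.

```python
"""Audit a Windows WLAN profile's PEAP settings for server-certificate validation.

Added example (not from the original post). The <EapHostConfig> fragments are
constructed to match what `netsh wlan export profile` writes inside <EAPConfig>;
thumbprint and server name are placeholders, not real values.
"""
import xml.etree.ElementTree as ET

# Placeholder SHA-1 thumbprint of the issuing CA, in the space-separated byte
# format the TrustedRootCA element uses. Constructed; NOT a real CA.
PLACEHOLDER_THUMBPRINT = "01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67"
PLACEHOLDER_SERVER = "nps1.domain.example"  # constructed NPS hostname

EAPHOST = "http://www.microsoft.com/provisioning/EapHostConfig"
EAPCOMMON = "http://www.microsoft.com/provisioning/EapCommon"
BASEEAP = "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"
PEAPV1 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
PEAPV2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"


def build_peap_config(perform_validation, disable_prompt=False,
                      server_names="", trusted_root=""):
    """Constructed <EapHostConfig> fragment for PEAP (25) with MS-CHAP v2 (26) inside."""
    root_ca = f"<TrustedRootCA>{trusted_root}</TrustedRootCA>" if trusted_root else ""
    return f"""<EapHostConfig xmlns="{EAPHOST}">
  <EapMethod><Type xmlns="{EAPCOMMON}">25</Type></EapMethod>
  <Config xmlns="{EAPHOST}">
    <Eap xmlns="{BASEEAP}">
      <Type>25</Type>
      <EapType xmlns="{PEAPV1}">
        <ServerValidation>
          <DisableUserPromptForServerValidation>{str(disable_prompt).lower()}</DisableUserPromptForServerValidation>
          <ServerNames>{server_names}</ServerNames>
          {root_ca}
        </ServerValidation>
        <Eap xmlns="{BASEEAP}"><Type>26</Type></Eap>
        <PeapExtensions>
          <PerformServerValidation xmlns="{PEAPV2}">{str(perform_validation).lower()}</PerformServerValidation>
        </PeapExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>"""


# The workaround from the post: "Validate server certificate" unticked.
WEAK_PROFILE = build_peap_config(perform_validation=False)
# Hardened form: validate, pin the issuing CA, name the NPS hosts, no click-through.
HARDENED_PROFILE = build_peap_config(perform_validation=True, disable_prompt=True,
                                     server_names=PLACEHOLDER_SERVER,
                                     trusted_root=PLACEHOLDER_THUMBPRINT)


def _local(tag):
    """Strip the XML namespace so element lookup works across schema versions."""
    return tag.rsplit("}", 1)[-1]


def _first_text(root, name, default):
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return default


def audit_peap_config(xml_text):
    """Return a dict describing the profile's PEAP server-validation posture."""
    root = ET.fromstring(xml_text)
    types = [(el.text or "").strip() for el in root.iter() if _local(el.tag) == "Type"]
    report = {"peap": "25" in types, "findings": []}
    if not report["peap"]:
        report["findings"].append("not a PEAP (EAP type 25) profile")
        return report
    # A profile without <PeapExtensions> (older schema) always validates the server.
    validates = _first_text(root, "PerformServerValidation", "true").lower() == "true"
    prompt_off = _first_text(root, "DisableUserPromptForServerValidation", "false").lower() == "true"
    roots = [(el.text or "").replace(" ", "").lower()
             for el in root.iter() if _local(el.tag) == "TrustedRootCA"]
    roots = [r for r in roots if r]
    names = _first_text(root, "ServerNames", "")
    report.update(validates_server=validates, prompt_disabled=prompt_off,
                  trusted_roots=roots, server_names=names)
    if not validates:
        report["findings"].append(
            "PerformServerValidation=false: the supplicant will tunnel MS-CHAP v2 to "
            "any RADIUS server, so a rogue access point can collect credentials")
        return report
    if not roots:
        report["findings"].append("no TrustedRootCA pinned: any CA in the Trusted Root store is accepted")
    if not names:
        report["findings"].append("ServerNames empty: the certificate subject is not checked")
    if not prompt_off:
        report["findings"].append("user prompt enabled: users can click through an untrusted certificate")
    return report


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_peap_config(profile))
```

The pinned thumbprint must be that of the CA which issued the NPS server certificate (on this page, the subordinate of the DC CA), and that CA's certificate still has to be present in the client's Trusted Root store; pinning only narrows which store entries are acceptable, it does not replace installing the root. When the NPS certificate is renewed by the same CA, a profile pinned this way keeps working without a client visit.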