Windows NAP as RADIUS in a Windows 7 Server 2012 Wireless World

Microsoft, this is why people do not deploy NAP, NAC and other things like this, small little problems that take hours to fix – and then when something goes awry later on, people pull their hair out.

If you are running Windows 2012, with Windows 8 Desktops,  everything is happy in your world.

The same is true for Windows 2008, and Windows 7 Desktops.

However as Microsoft changes things, and starts to deprecate protocols, features and functionality we keep running into cross version funnies, here is one.

A typical wireless network with 802.1X Enterprise Auth requires a few things.

  1. AP’s or a controller that knows where to go for authentication
  2. Some kind of RADIUS server that can respond to auth requests
  3. A certificate that is trusted by everyone involved — trusted and apparently formatted right.

The 1st and 2nd parts are pretty easy, but the 3rd, that’s where things get interesting.  First it’s not totally obvious that Microsoft NPS needs a certificate, and to add insult, you need to use PEAP instead of Password Authenication — but more on that later.

While configuring a clients Wireless for 802.1X authentication, I ran into clients who would refuse to connect, they were Windows 7 clients.    Windows 8 clients, mobile devices were all fine.

Capture3

Ok….. So let’s go check our event log on the NPS server….   We see Error 6273 Reason 16

Capture4

Ok..  so Authentication failed due to a user credentials mismatch.  Either the user name provided does not map to an existing user account or the password is incorrect.      This is easy…  Wait..  is it?     I clicked on the network, it used my WINDOWS CREDENTIALS..  I did log on to this laptop right?    Let’s do the logoff/logon dance, make sure we are wired, and we know the cred’s are right…  Did that.  Logon to another PC — check.  Logon to a DC directly with same test account — check.  Ok we know this user and password are fine.

I wish I could find something that proves why this isn’t working but I ran across this article
https://technet.microsoft.com/en-us/library/cc731363(v=ws.10).aspx

When selecting a certificate for NAP
“Certificates that do not contain a Subject name are not displayed.”

Oh, well in 2012 they are…  That’s because Windows 8 clients are OK with that…   Except Windows 7 clients ARE NOT.

I was also tossed the wrong way by multiple articles that claimed it was something to do with the “validate certificate” checkbox — which by the way, should be checked, why would you EVER turn off certificate validations checking!    If you do that, cred’s are easily stolen by nearby attackers.

http://blogs.catapultsystems.com/jstocker/archive/2013/12/13/mystery-solved-windows-7-and-windows-8-treat-validate-server-certificate-differently-in-802-1x/

So yes, this is a bit of a ranty post, but I want to get down to this…   Let’s make this work.

The key is when you request your machine certificate.

Start your enrollment

Capture5

MAKE SURE YOU SELECT DOMAIN CONTROLLER — Not Authentication or Kerberos — as much as those might sound like what you want.  Those certs would be published, without a subject.   Click Enroll, no need to modify more

Capture9

No go back and open the cert you just created…    Make sure the “Subject” line has something in there,  yes, the yellow bit that I have blacked out, should have the computer name in there.

Capture10
Here is a good guide an example to RADIUS with NAP for Meraki.   It is the same for any other wireless provider.    Use this guide to finish up.

https://shabiryusuf.wordpress.com/2012/12/24/meraki-network-policy-server-nps-and-radius-with-wpa2-enterprise/

In the above guide it calls out the PEAP section, make sure you select the cert you just created.

Capture11

Another common mistake…  In the box below you should see Protected EAP (PEAP)   DO NOT ADD MSCHAPv2 “secured password”  — again, it might sound like what you want, but it is not.

Capture15

So that’s it, yes a little bit ranty.    This needs to be easier, if I was a powershell guy, I am certain I could write a script that just does this for me,  you can even add radius clients with New-NPSRadiusClient and create all the policies in PowerShell, but I am simply not a programmer.

Microsoft — this does not need to be this difficult.

Advertisements

14 thoughts on “Windows NAP as RADIUS in a Windows 7 Server 2012 Wireless World

  1. Thanks man you just saved me a few grey hairs. I was using a server certificate with DNS name in the SAN and no subject name, and authentication by a Windows 7 client was failing. Never would have guessed that was the problem.

    Like

  2. what if I use a public wildcard certificate like DigiCert?
    I am having the same error message, where I am not able to connect to the SSID with Windows 8/10. No issue with Android and IPhone.

    Like

  3. OMG. I’ve just spent 3 hours trying to figure this out. I couldn’t find anything on Google relating to this issue until I stumbled upon your article. It was working fine on my windows 10 computer, but not Win7. Thanks man you saved the day.

    You don’t even have to install the certificate on the client computers like all the other articles were saying…it gets it from the server. At least…that’s what I’ve discovered so far…on to more testing!

    Seriously…WTF Microsoft.

    Like

  4. First of all, Thank You very much for this.
    I ran in the same Problem at our Company. I tried to fix the problem with your solutions but the Thing is
    i can not enroll a domain Controller Certificate because the NPS server is not a domain Controller.
    then i tried a OpenSSL Certificate Web server Cert and a IIS Self Signed Certificate which also did not work out. Any Ideas?

    Like

  5. Hello,
    i setup NPS and CA on same virtual machine, i created local CA and setup correctly NPS.
    For mobile phone or windows 8 it is working correctly, but for Win 7 i still getting message “windows was unable to connect to RADTEST”. In the events log on NPS is “The certificate chain was issued by an authority that is not trusted.”

    Certificate has subject with the local hostname + domain. If i import this certificate directly to device then the connection is working. Why i dont get simple warning about that certificated is not trusted with the choice to continue?

    Could you give me the advice?

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s