DavidParker-3164 asked DarMar-8420 commented

NPS EAP-TLS failure

Hello, I have configured an NPS server in server 2019 standard.

It is authenticating username/password via PEAP and MAC address objects via PAP perfectly.

The only thing failing is EAP-TLS. I have proven that my client-side NIC EAP-TLS configuration is correct as I have had this working in another domain. The only difference is that I am now using a new NPS server which belongs to our new domain.

I can confirm that the test client workstation has the correct new domain CA certificate installed and also that the NPS server has the correct certificates installed and is enabled to perform domain authentication.

I can confirm that the switch NAS configuration is correct because it was working on the old domain with 802.1x. Additionally, I can see the EAP-TLS attempts coming through on the NPS server under the NPS logs.

Does anyone have any ideas as to what might be the problem?

Here is an example of an EAP-TLS request coming in from a Windows 7 workstation. This is as far as it gets i.e. the client workstation fails authentication and there are no further logs in NPS suggesting what happened:

<Event><Timestamp data_type="4">10/10/2020 12:52:40.359</Timestamp>
<Computer-Name data_type="1">MYNPSSERVER</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<User-Name data_type="1">host/790-GHTTC2S.mydomain.local</User-Name>
<Service-Type data_type="0">2</Service-Type>
<Framed-MTU data_type="0">1500</Framed-MTU>
<Called-Station-Id data_type="1">C4-14-3C-22-E5-27</Called-Station-Id>
<Calling-Station-Id data_type="1">D4-BE-D9-A3-E7-83</Calling-Station-Id>
<NAS-Port-Type data_type="0">15</NAS-Port-Type>
<NAS-Port data_type="0">50239</NAS-Port>
<NAS-Port-Id data_type="1">GigabitEthernet2/0/39</NAS-Port-Id>
<NAS-IP-Address data_type="3">192.168.8.42</NAS-IP-Address>
<Client-IP-Address data_type="3">192.168.8.42</Client-IP-Address>
<Client-Vendor data_type="0">9</Client-Vendor>
<Client-Friendly-Name data_type="1">myswitch</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">CR-Cisco-Wired</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">MYDOMAIN\790-GHTTC2S$</SAM-Account-Name>
<Fully-Qualifed-User-Name data_type="1">MYDOMAIN\790-GHTTC2S$</Fully-Qualifed-User-Name>
<Class data_type="1">311 1 10.17.0.22 09/25/2020 01:46:19 4894</Class>
<Packet-Type data_type="0">1</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code></Event>

windows-server-infrastructure
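The event quoted in the question is one record in the NPS XML ("IAS format") log: an Access-Request (Packet-Type 1) with Reason-Code 0, and then nothing further for that client. The script below is an added example, not code from the question or from Microsoft. It parses records in that format and lists every conversation, keyed by Calling-Station-Id and User-Name, whose last logged packet is not an Access-Accept or Access-Reject, which is exactly the "gets this far and stops" pattern described above. The sample log is constructed: it contains the question's event (trimmed to the fields used here) plus two invented events for a PEAP user whose authentication completes normally. The Packet-Type numbers are the standard RADIUS codes from RFC 2865; the choice of Calling-Station-Id plus User-Name as the conversation key is this example's assumption.

```python
"""Find NPS/IAS XML log conversations that never reach a final RADIUS verdict.

Added example for the thread above; not code from the question or from Microsoft.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

# RADIUS packet codes (RFC 2865) as they appear in the NPS <Packet-Type> field.
PACKET_TYPES = {
    1: "Access-Request",
    2: "Access-Accept",
    3: "Access-Reject",
    4: "Accounting-Request",
    11: "Access-Challenge",
}
# A conversation is finished only once NPS has logged an Accept or a Reject.
FINAL_TYPES = {2, 3}

# Constructed sample log: NPS writes one <Event>...</Event> record per line.
# Record 1 is the question's event (trimmed); records 2 and 3 are invented.
SAMPLE_LOG = (
    '<Event><Timestamp data_type="4">10/10/2020 12:52:40.359</Timestamp>'
    '<Computer-Name data_type="1">MYNPSSERVER</Computer-Name>'
    '<Event-Source data_type="1">IAS</Event-Source>'
    '<User-Name data_type="1">host/790-GHTTC2S.mydomain.local</User-Name>'
    '<Calling-Station-Id data_type="1">D4-BE-D9-A3-E7-83</Calling-Station-Id>'
    '<NAS-Port-Id data_type="1">GigabitEthernet2/0/39</NAS-Port-Id>'
    '<Packet-Type data_type="0">1</Packet-Type>'
    '<Reason-Code data_type="0">0</Reason-Code></Event>\n'
    '<Event><Timestamp data_type="4">10/10/2020 12:53:01.100</Timestamp>'
    '<Computer-Name data_type="1">MYNPSSERVER</Computer-Name>'
    '<Event-Source data_type="1">IAS</Event-Source>'
    '<User-Name data_type="1">MYDOMAIN\\jdoe</User-Name>'
    '<Calling-Station-Id data_type="1">00-11-22-33-44-55</Calling-Station-Id>'
    '<NAS-Port-Id data_type="1">GigabitEthernet2/0/12</NAS-Port-Id>'
    '<Packet-Type data_type="0">1</Packet-Type>'
    '<Reason-Code data_type="0">0</Reason-Code></Event>\n'
    '<Event><Timestamp data_type="4">10/10/2020 12:53:01.350</Timestamp>'
    '<Computer-Name data_type="1">MYNPSSERVER</Computer-Name>'
    '<Event-Source data_type="1">IAS</Event-Source>'
    '<User-Name data_type="1">MYDOMAIN\\jdoe</User-Name>'
    '<Calling-Station-Id data_type="1">00-11-22-33-44-55</Calling-Station-Id>'
    '<NAS-Port-Id data_type="1">GigabitEthernet2/0/12</NAS-Port-Id>'
    '<Packet-Type data_type="0">2</Packet-Type>'
    '<Reason-Code data_type="0">0</Reason-Code></Event>\n'
)


def parse_events(log_text):
    """Yield one {field-name: value} dict per <Event> record in the log text."""
    for chunk in re.findall(r"<Event>.*?</Event>", log_text, re.S):
        root = ET.fromstring(chunk)
        fields = {child.tag: (child.text or "") for child in root}
        fields["Packet-Type"] = int(fields.get("Packet-Type", 0))
        fields["Reason-Code"] = int(fields.get("Reason-Code", 0))
        fields["Timestamp"] = datetime.strptime(
            fields["Timestamp"], "%m/%d/%Y %H:%M:%S.%f"
        )
        yield fields


def find_stalled(log_text):
    """Group records by (client MAC, identity) and return the conversations
    whose latest packet is not an Access-Accept or Access-Reject."""
    conversations = defaultdict(list)
    for ev in parse_events(log_text):
        key = (ev.get("Calling-Station-Id", "?"), ev.get("User-Name", "?"))
        conversations[key].append(ev)

    stalled = []
    for (mac, user), events in conversations.items():
        events.sort(key=lambda e: e["Timestamp"])
        last = events[-1]
        if last["Packet-Type"] not in FINAL_TYPES:
            stalled.append({
                "mac": mac,
                "user": user,
                "nas_port": last.get("NAS-Port-Id", "?"),
                "last_packet": PACKET_TYPES.get(
                    last["Packet-Type"], str(last["Packet-Type"])),
                "packets": len(events),
            })
    return stalled


if __name__ == "__main__":
    for s in find_stalled(SAMPLE_LOG):
        print(f"{s['user']} from {s['mac']} on {s['nas_port']}: "
              f"{s['packets']} packet(s), last was {s['last_packet']}, "
              "no Accept/Reject logged")
```

Run against a real log, the output separates clients that NPS actually rejected (a Reject record with a non-zero Reason-Code exists) from clients for which NPS never recorded a verdict at all; the latter is the symptom in this thread and points the investigation at the EAP-TLS exchange itself rather than at network policy evaluation.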

Hi,

Just want to confirm the current situation.

Please feel free to let us know if you need further assistance.

Best Regards,
Sunny


Hi,

I have the same problem. Have you been able to find a solution?

TIA


1 Answer

SunnyQi-MSFT answered

Hi,

Thanks for posting in the Q&A platform.

In order to better understand your issue, could you please provide the Event ID or any error message related to this issue for further troubleshooting?

Thanks for your understanding.

Best Regards,
Sunny

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
