My PC is a Windows [Version 10.0.18362.900] and the RADIUS/AD servers are: Windows [Version 6.3.9600]
Most of the users are running dozens of different Windows 10 versions and, in rare cases, Windows 7 too.
Recently our company sent all employees home, and it has been very rare to see end users sitting at their desks in the last 3 months.
During this time, we have been engaged in some activities, regular daily tasks...
Last week we noticed that a lot of users have been put in the Guest network instead of the regular IP network.
We have been using the same infrastructure for at least 5 years, with some maintenance in the appropriate places.
Basically, we have HP/3COM switches configured with 802.1X, evaluating PCs and users and putting them into the Guest IP network or the regular/corp IP network.
All done by PEAP; the RADIUS servers are also our AD/DNS/DHCP servers, so the single digital certificate we use is the RADIUS one.
Recently, we were working on the update of the RADIUS server auth certificates, scheduled to expire in October/2020, and we changed them in advance, before expiry.
So, we discovered that our WebServer custom template on the internal CA, configured for 5-year certificates, was in danger, because the CA certificate was reaching its end in Oct/2025 and soon we wouldn't be able to issue certificates for 5 years because of the limit of the CA itself.
Besides that, the original root certificate dated from 2010 was using SHA-1, so we updated the CA certificate with a new one; the current CA certificate is now signed with SHA256 and valid until 2030. I'm not sure if it is related, but it's good to mention it.
So, for some reason, all users are unable to get authenticated access and be put in the corp IP network; all users are being rejected and put in the guest IP network.
As far as I know, the HP/3COM switches are working well, no reboots; for now, there is no reason to think the switches are responsible for the problem.
We restarted the RADIUS services and the DCs/RADIUS servers themselves several times, and no change.
We used the Nartac application to check if TLS 1.2 settings were enforced, but no: TLS 1.0 and even MD5 are still available on the DC/RADIUS, no change.
We use MD5-Challenge (and its related registry key) to allow our Alcatel IP phones to work on the network, and in the NPS policy PEAP is in place, using the new certificate, signed with SHA256 and valid through the next 5 years, no problem.
In the RADIUS packets, I can see being successfully negotiated: TLSCipherSuite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA { 0xC0,0x14 }
EAPHOST: User Uses Saved Credentials. (no problem at event ID 2088)
The current errors are:
Reason: 0x70004
Reason Text: The network stopped answering authentication requests
Error Code: 0x0
Reason: 0x50005
Reason Text: Network authentication failed\nWindows doesn't have the required authentication method to connect to this network.
Error Code: 0x40420016
Reason: 0x50007
Reason Text: There was no response to the EAP Response Identity packet.
Error Code: 0x0
The profile was applied on the network adapter.
Network Adapter: Intel(R) Ethernet Connection I218-LM
Profile Type: Interface
Profile Content:
AutoConfig Version: 1
802.1x: Enabled
802.1x: Not Enforced
EAP type: Microsoft: Protected EAP (PEAP)
802.1X auth credential: Machine credential
Cache user information: Yes
There has been an NDIS Port state change on this network adapter.
Network Adapter: Intel(R) Ethernet Connection I218-LM
NDIS Control State: UnControlled
NDIS Auth State: UnAuthorized
On the RADIUS/AD server:
Skipping: Unable to add EAP method. Friendly name not present. TypeId(21), AuthorId(311), VendorId(0), VendorType(0)
reg query "HKLM\SYSTEM\CurrentControlSet\services\EapHost\parameters" /v AuthenticatorInstalled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\EapHost\parameters
AuthenticatorInstalled REG_DWORD 0x1
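One client-side check that fits the situation described above (RADIUS certificate and CA renewed, supplicants now landing in the guest VLAN) is to compare the root CA thumbprints pinned in the wired 802.1X profile against what is actually in the machine's trusted root store, and to list the recent supplicant events next to that. This is an added example, not part of the original post; it assumes the wired interface is named "Ethernet" and uses C:\Temp\lan as a scratch folder (both are placeholders to adjust), and must run as Administrator on an affected client.

```powershell
# Added diagnostic, not from the original post. Run elevated on an affected client.
# Assumptions (adjust): wired interface "Ethernet"; scratch folder C:\Temp\lan.
$Interface = 'Ethernet'
$ExportDir = 'C:\Temp\lan'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# 1. Export the wired profile(s). The XML carries the PEAP ServerValidation settings,
#    including the TrustedRootCA thumbprints the supplicant accepts for the RADIUS cert.
netsh lan export profile folder="$ExportDir" interface="$Interface" | Out-Null

$roots = Get-ChildItem -Path Cert:\LocalMachine\Root
foreach ($file in Get-ChildItem -Path $ExportDir -Filter *.xml) {
    [xml]$xml = Get-Content -Path $file.FullName
    # TrustedRootCA values are space-separated hex bytes; normalise to a plain thumbprint.
    $pinned = @($xml.GetElementsByTagName('TrustedRootCA') |
        ForEach-Object { ($_.InnerText -replace '\s', '').ToUpperInvariant() })
    Write-Host "Profile $($file.Name): $($pinned.Count) pinned root CA thumbprint(s)"
    foreach ($tp in $pinned) {
        $match = $roots | Where-Object { $_.Thumbprint -eq $tp }
        if ($null -eq $match) {
            # A pin left over from the pre-renewal (SHA-1) CA would show up here.
            Write-Warning "  $tp is pinned in the profile but NOT present in LocalMachine\Root"
            continue
        }
        Write-Host ("  {0}  {1}  sig={2}  expires={3:yyyy-MM-dd}" -f
            $tp, $match.Subject, $match.SignatureAlgorithm.FriendlyName, $match.NotAfter)
    }
}

# 2. Recent supplicant events, so reason codes like 0x50005 can be matched to a timestamp.
Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { ($_.Message -split '\r?\n')[0] } } |
    Format-Table -AutoSize
```

A profile with no TrustedRootCA element accepts any root in the machine store, so an empty pin list is not itself a finding; a pinned thumbprint that is absent from the store is.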