Question : Configuring Wireless Computer Authentication with Certificates in Windows 7

Howdy All -

I have 10 laptops running Windows 7 Professional that I need to deploy. The laptops will be shared by users and they'll be wireless. I have Cisco WAP4410N access points which support WPA2-Enterprise and RADIUS authentication.

I would like to use certificates to authenticate the computers to the wireless network before users log in, and then validate the user logging in just like on any other domain computer they would log into. In the event that the computer is stolen or lost, I want to revoke the certificates issued to the computer so that it cannot be used on my wireless network any more. I also don't want Joe Q User to be able to bring his laptop from home and get on our company wireless network. Basically, if we don't ship them a wireless device set up for the company wireless network, I don't want them to use something wirelessly.

I have a Windows Active Directory single forest, single domain at 2003 Native forest and domain functional levels. I have a Windows 2008 R2 Standard edition DC, a Windows 2003 R2 Standard edition DC and a Windows 2003 Standard edition DC. FSMO roles are shared on the two 2003 DCs currently; all 3 are global catalogs. (I doubt this makes a difference for the problem but want to get the details out there; none of these are virtual machines.) Currently I have no domain logon problems anywhere on my network, and replication is functioning between the 3 DCs.

I have a machine configured as an internal Enterprise Certification Authority which is 2008 R2 Enterprise edition. The CA is authorized in AD and its self-signed certificate's public key is deployed through GPO to the trusted root certificate store on all domain-joined machines. I have set up / allowed the auto issue of the Workstation Authentication V2 certificate which, when I request it, seems to work. The Certification Authority is the only service running on the host (it's virtual, but it shouldn't make a difference).

I have set up an instance of Windows Server 2008 R2 Standard with NPS and used the wizard to start the configuration for Wireless 802.1x authentication. I also issued the NPS server an IAS / RADIUS certificate from my internal CA. I have configured one of the access points (the only one I'm setting up so far) as a RADIUS client and ensured that the shared secret matches on the device and the server; the WAP has the proper static IP and vice versa for the NPS RADIUS client.
 
On my NPS connection request policy, I have 2 rules:
- Secure Wireless Connections - enabled @ priority 1 - NAS port type wireless - other or wireless IEEE 802.11, local computer as the authentication provider and override authentication is disabled.
- Use Windows Authentication for all users - has some day & time restrictions that amount to 7 days per week 00:00-24:00, with authentication provider on the local computer.

Under Network Policies there are 2 rules:
1 - domain computers - machine groups: leepdc\domain computers, user groups leepdc\domain users - granting full network access
2 - secure wireless - NAS port type as wireless other or Wireless IEEE 802.11, Windows groups domain users or domain computers, auth type = PEAP, allowed EAP: MS Smart card or certificate, or MS PEAP - smart card or other cert, machine group: domain computers. On match, full network access.

No health policies are defined or remediation servers (I'm just looking for RADIUS really, not NAP).

For testing/debugging, the firewalls on the CA and NPS box are completely disabled. I have ensured communication between the CA and NPS servers in addition to the WAP.

So now I am trying to configure the Windows 7 machines to authenticate wirelessly at the machine/computer level and then allow any domain user to log on. I have ensured that the WLAN AutoConfig service is started and running, and I have created a wireless connection profile with the SSID name on my access point (which is broadcasting). The properties are as follows:
- connect automatically when network in range
- connect even if the network is not broadcasting SSID
- Security type: WPA2-Enterprise
- Encryption Type: AES
- network authentication method: MS Protected EAP (PEAP), remember credentials,
-- under settings I am validating the server certificate and have checked my internal CA certificate. Authentication method is smart card or other certificate, using a certificate on this computer with use simple certificate selection and, again, have selected my internal CA in the trusted root authorities.
- Fast reconnect is checked

Under advanced settings for 802.1x I have tried both computer authentication and "user or computer authentication"; when user is selected, I have tried with enable SSO for this network, perform immediately before user logon.

Under 802.11 settings, I have left the defaults of enable pairwise master key caching.

Using the local MMC Certificates snap-in, I have a workstation authentication certificate with properties for client authentication in the personal certificates store under the computer context (and have tried under the user context as well); in the case of this test laptop, each context has the certificate.

When I try to connect, I get a balloon pop-up telling me that a certificate is required to connect to my SSID and to contact my administrator. I am never presented with an option to pick a certificate.

I have tried using   netsh ras set tracing * enabled   during connection attempts to grab some extra logging information. Based on reviewing the log files, the one with the most relevant information (that I can determine) is %systemroot%\tracing\svchost_RASTLS.log, the latest output of which I have included below.

The certificate hashes in the log correspond to the issued certificates in the computer store. So it is finding those but not using them.

I'm really kind of stumped, and not sure where I'm failing - wrong type of certificate, NPS policy misconfigured or client misconfigured. I feel that since the client sees the network and tells me I need a valid certificate, I'm very close and have something very small misconfigured.

I can elaborate further on any of the configurations if needed, but hopefully the above has provided enough detail for a summary of the relevant portions of my network.

Suggestions greatly appreciated!

Mark L.
[5112] 06-13 16:47:42:673: EAP-TLS using All-purpose cert
[5112] 06-13 16:47:42:673:  Self Signed Certificates will not be selected.
[5112] 06-13 16:47:42:673: EAP-TLS will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: EapTlsInitialize2: PEAP using All-purpose cert
[5112] 06-13 16:47:42:673: PEAP will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: PeapGetIdentity returned the identity as host/LAPTOPT
EST.lmfj.com
[5112] 06-13 16:47:42:673: EAP-TLS using All-purpose cert
[5112] 06-13 16:47:42:673:  Self Signed Certificates will not be selected.
[5112] 06-13 16:47:42:673: EAP-TLS will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: EapTlsInitialize2: PEAP using All-purpose cert
[5112] 06-13 16:47:42:673: PEAP will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: PeapReadConnectionData
[5112] 06-13 16:47:42:673: IsIdentityPrivacyInPeapConnPropValid
[5112] 06-13 16:47:42:673: PeapReadUserData
[5112] 06-13 16:47:42:673: No Credentails passed
[5112] 06-13 16:47:42:673: RasEapGetInfo
[5112] 06-13 16:47:42:673: EAP-TLS using All-purpose cert
[5112] 06-13 16:47:42:673:  Self Signed Certificates will not be selected.
[5112] 06-13 16:47:42:673: EAP-TLS will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: EapTlsInitialize2: PEAP using All-purpose cert
[5112] 06-13 16:47:42:673: PEAP will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: PeapReDoUserData
[5112] 06-13 16:47:42:673: EAP-TLS using All-purpose cert
[5112] 06-13 16:47:42:673:  Self Signed Certificates will not be selected.
[5112] 06-13 16:47:42:673: EAP-TLS will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: EapTlsInitialize2: PEAP using All-purpose cert
[5112] 06-13 16:47:42:673: PEAP will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: EapTlsInvokeIdentityUI
[5112] 06-13 16:47:42:673: GetCertInfo flags: 0x100a2
[5112] 06-13 16:47:42:673: GetDefaultClientMachineCert
[5112] 06-13 16:47:42:673: FCheckTimeValidity
[5112] 06-13 16:47:42:673: FCheckUsage: All-Purpose: 1
[5112] 06-13 16:47:42:673: DwGetEKUUsage
[5112] 06-13 16:47:42:673: Number of EKUs on the cert are 1
[5112] 06-13 16:47:42:673: Cert do have CDP but do not have AIA OCSP extension
[5112] 06-13 16:47:42:673: FCheckTimeValidity
[5112] 06-13 16:47:42:673: FCheckUsage: All-Purpose: 1
[5112] 06-13 16:47:42:673: DwGetEKUUsage
[5112] 06-13 16:47:42:673: Number of EKUs on the cert are 3
[5112] 06-13 16:47:42:673: Cert do have CDP but do not have AIA OCSP extension
[5112] 06-13 16:47:42:673: Found Machine Cert based on machinename, client auth,
 time validity.
[5112] 06-13 16:47:42:673: GetDefaultClientMachineCert done.
[5112] 06-13 16:47:42:673: Got the default Machine Cert
[5112] 06-13 16:47:42:673: Successfully got certificate. Hash follows
[5112] 16:47:42:673: D9 41 67 6B 1C 1E 1E 5A B0 01 12 99 1E 43 5D 82 |.Agk...Z..
...C].|
[5112] 16:47:42:673: 9A 45 1E EC 00 00 00 00 00 00 00 00 00 00 00 00 |.E........
......|
[5112] 06-13 16:47:42:673: EAP-TLS using All-purpose cert
[5112] 06-13 16:47:42:673:  Self Signed Certificates will not be selected.
[5112] 06-13 16:47:42:673: EAP-TLS will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: EapTlsInitialize2: PEAP using All-purpose cert
[5112] 06-13 16:47:42:673: PEAP will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: PeapGetIdentity returned the identity as host/LAPTOPT
EST.lmfj.com
[5112] 06-13 16:47:42:673: EAP-TLS using All-purpose cert
[5112] 06-13 16:47:42:673:  Self Signed Certificates will not be selected.
[5112] 06-13 16:47:42:673: EAP-TLS will accept the  All-purpose cert
[5112] 06-13 16:47:42:673: EapTlsInitialize2: PEAP using All-purpose cert
[5112] 06-13 16:47:42:673: PEAP will accept the  All-purpose cert
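
The trace above shows the checks the EAP-TLS client runs when it picks a machine certificate (time validity, Client Authentication EKU, a name matching the host, not self-signed). The following PowerShell script is an added example, not from the original post or the answer, that runs the same checks against every certificate in the computer's Personal store so the result can be compared with the hash printed in svchost_RASTLS.log; $ExpectedFqdn and $RootThumbprint are assumed parameters to adjust for your environment.

```powershell
# Added example: check certificates in Cert:\LocalMachine\My against the
# requirements the RASTLS trace enforces for an EAP-TLS machine certificate.
# $ExpectedFqdn / $RootThumbprint are assumptions, not values from the post.
param(
    [string]$ExpectedFqdn   = [System.Net.Dns]::GetHostEntry('').HostName,
    [string]$RootThumbprint = ''   # optional: thumbprint of the internal CA root
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$now = Get-Date

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $issues = @()

    # FCheckTimeValidity: certificate must be within its validity period
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $issues += 'not time valid' }

    # "Self Signed Certificates will not be selected."
    if ($cert.Subject -eq $cert.Issuer) { $issues += 'self-signed, EAP will not select it' }

    # EAP-TLS needs the private key to prove possession of the certificate
    if (-not $cert.HasPrivateKey) { $issues += 'no private key' }

    # FCheckUsage / DwGetEKUUsage: Client Authentication EKU must be present
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($ekuOids -notcontains $clientAuthOid) { $issues += 'missing Client Authentication EKU' }

    # "Found Machine Cert based on machinename": SAN DNS name or subject CN must match the host
    $dnsName = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $ExpectedFqdn) { $issues += "name '$dnsName' does not match host '$ExpectedFqdn'" }

    # The chain must end at a trusted root (optionally the internal CA specifically)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is enforced by NPS, not checked here
    if (-not $chain.Build($cert)) { $issues += 'does not chain to a trusted root' }
    elseif ($RootThumbprint) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Thumbprint -ne $RootThumbprint) { $issues += 'chains to a root other than the internal CA' }
    }

    # Thumbprint is the SHA-1 hash that the trace prints after "Successfully got certificate"
    Write-Host ("{0}  {1}" -f $cert.Thumbprint, $cert.Subject)
    if ($issues.Count -eq 0) { Write-Host '  OK: usable as EAP-TLS machine certificate' }
    else { $issues | ForEach-Object { Write-Host "  PROBLEM: $_" } }
}
```

Run it from an elevated PowerShell prompt on the client; the thumbprint column can be matched directly against the hex hash in the trace to confirm which certificate EAP actually selected.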

Answer : Configuring Wireless Computer Authentication with Certificates in Windows 7

Technically there is no such thing as user autoenrollment. But there are hoops you can jump through to get something very similar. In most cases though, I find that you can get away without user certificates altogether. See if this works:

On your NPS server, take your network policy and remove the users security group. That policy will *only* apply to workstations.

Create another policy that is a duplicate of the one above, but add *only* the user security group. In the PEAP authentication section, remove smart cards and add MS-CHAP v2. That will allow password authentication for users.

Finally, on the clients, in the PEAP advanced settings, allow both certificates and MS-CHAP v2. Since NPS won't allow MS-CHAPv2 for computer accounts (because of the network policy above) and NPS won't allow certificate authentication for user accounts (because of the new policy we created), you get the net effect of the two authentication schemes being mutually exclusive, even though they are both selected on the client.

If everything is working smoothly, that should give you the desired effect without requiring nasty certificate management scenarios.
