Pushed Certificate to Laptop but Still Asking to Continue to Connect to Wireless
Issue with WIFI authentication using RADIUS setup (server 2012)
Recently set up 802.1x RADIUS-based authentication so wireless devices can authenticate using a computer certificate. I am using NPS on a Server 2012 domain controller and also have a ROOT CA for the certificates. AD seems to have pushed out the certs to all computers, as I see it in the cert store of all machines including desktops. This was done using a GPO. I use a Windows security group for the computers that will have access to join the WIFI, and the NPS server looks at this group as part of the processing rules to determine whether they can get on. It all worked fine last week. I am pointing my D-Link DAP-2660s to the NPS server.
The problem I am having is that upon reboot, many devices (laptops) are unable to auto-reconnect to said WIFI. I get the message "cannot connect to the network", and the WIFI icon has a small circle with an "X" through it. The workaround is to "forget" the network in WIFI settings and re-join it. I have not been able to figure out what is causing this. The accounting logs on the NPS server are not the most useful.
Any ideas as to what might be failing or where to look to get a better idea as to why devices are failing to re-connect on their own after a reboot?
thanks,
O.C
21 Replies
-
What do the logs show? Do you see the authentication attempt on either the NPS or APs?
-
Check the event logs on the server running NPS and AD for authentication requests, and also check the logs on the client machines for errors and warnings related to networking.
Do you have a self-signed cert, or an externally signed one? Is it expired?
-
Under "Windows Logs" > "Security"? I don't see WIFI authentication attempts or failures there for any of the machines in question. In Accounting, it doesn't show anything very useful.
-
> Under "Windows Logs" > "Security"? I don't see WIFI authentication attempts or failures there for any of the machines in question. In Accounting, it doesn't show anything very useful.
It won't say it's WIFI, just check for the accounts that are being used, and it might be under System. It will just show up as an AD authentication.
-
I have my own internal CA, and the CERT is not expired. It's good until next year this time. It appears on the machines in question and the NPS/DC.
-
> I have my own internal CA, and the CERT is not expired. It's good until next year this time. It appears on the machines in question and the NPS/DC.
Have you tried adding the cert to the trusted certs on the clients?
-
Seeing a ton of errors when I search my own PC (also having the issue). The errors are DHCP-Server related.
PTR record registration for IPv4 address (192.168.15.35) and FQDN name.mydomain.com failed with error 9017 (DNS bad key).
I have TONS of these, and this IP matches up with the WIFI segment... may not be NPS after all.
-
> Seeing a ton of errors when I search my own PC (also having the issue). The errors are DHCP-Server related.
> PTR record registration for IPv4 address (192.168.15.35) and FQDN name.mydomain.com failed with error 9017 (DNS bad key).
> I have TONS of these, and this IP matches up with the WIFI segment... may not be NPS after all.
What are you using for DNS? You need to have dynamic updates enabled.
-
Using DNS on the same machine (DC). I have the following setup on the scope handling WIFI.
-
> I have my own internal CA, and the CERT is not expired. It's good until next year this time. It appears on the machines in question and the NPS/DC.
> Have you tried adding the cert to the trusted certs on the clients?
Hi, I already see the cert in the folder of one of the suspect machines. It's in the folder "Trusted Root Certification Authorities/Certificates" when I go into local computer certificates. Is this the folder you are referring to?
-
> I have my own internal CA, and the CERT is not expired. It's good until next year this time. It appears on the machines in question and the NPS/DC.
> Have you tried adding the cert to the trusted certs on the clients?
> Hi, I already see the cert in the folder of one of the suspect machines. It's in the folder "Trusted Root Certification Authorities/Certificates" when I go into local computer certificates. Is this the folder you are referring to?
Yes, that's it. Sounds like DNS/DHCP issues though, from what you said before. Try changing that setting to Always.
-
Did that, no change. Have to constantly "forget" the network upon restart or logoff/logon in order to join the network. Any idea what could be stored in this profile that only seems to work for the existing session, and not allow the machine to connect automatically on reboot or logon? It's immediately upon authenticating at the Windows prompt that it DROPS the WIFI (it's connected before that, even after a reboot).
O.C
-
Is the user you're logging in as the same one you are using to log in to the WiFi via RADIUS? It could be attempting to re-authenticate with the WiFi using the domain user account you are logging into on the computer.
-
My intention is to use computer authentication only, via a security group. Had it working, but yes, it seems like the user account is interfering. I saw a post on SpiceWorks by some others indicating that NPS can either authenticate using machine cert or user cert but not both, so it doesn't make sense that it would do that. I am pushing out machine certs using GPO.
-
> My intention is to use computer authentication only, via a security group. Had it working, but yes, it seems like the user account is interfering. I saw a post on SpiceWorks by some others indicating that NPS can either authenticate using machine cert or user cert but not both, so it doesn't make sense that it would do that. I am pushing out machine certs using GPO.
You can disable this I believe in the settings somewhere. I have no way of looking for it right now but you might have to add the connection manually via the network and sharing center to do this. I will check on it in a few hours and let you know if I find it.
-
FOUND IT.
Go to Network and Sharing Center, click on the "Wireless network connection (your_WiFi)" -> Wireless Properties -> Security -> Advanced. Change the specified authentication mode to computer authentication.
Also, under the authentication method settings -> Configure, there is an option to "Automatically use my Windows logon..."
-
Hi, thanks for digging around for this.
I tried your steps, and all looks the same for options/checkboxes. The connection was already set up on "Computer Authentication" for the network/SSID in question. Unfortunately, if I log off and log on, or restart, it drops the connection as soon as the password goes into Windows. The only way to get back on is to "forget" the network and rejoin.
This may or may not shed some light:
Before seeing this post, I enabled a wireless GPO to push out a PEAP wireless profile to all clients for this network, and this seems to work really well with the NPS server. Not sure if this is an old-fashioned method of doing it. The one downside I see is that it makes a custom wireless SSID and injects it into the list of available networks on the user device. The name of the SSID I am broadcasting from the APs is not something I want to deviate from, so I was actually able to name the SSID that the GPO injects with the same name. It just shows the one network, and it works pretty darn well. I'm still trying to find a fault, but so far, none.
Thoughts?
O.C
-
For the benefit of others: Here is a link to an article I followed to push out information about the Wireless Network to a group of clients, using GPO. It pushes out an 802.1x NPS authenticated wireless access point profile to users using Group Policy.
https://dailysysadmin.com/KB/Article/714/create-a-group-policy-to-deploy-a-company-wireless-access-p...
I've tried everything: logoff, restart, etc., and the WIFI just reconnects quickly each time. This is especially desired when a user unplugs from a docking station or wired connection and wishes to roam on WIFI.
O.C
-
Also wanted to include this Meraki AP guide which led me down the path of deploying the PEAP wireless profile. It states:
Deploy a PEAP Wireless Profile using Group Policy
For a seamless user experience, it may be ideal to deploy a PEAP wireless profile to domain computers so users can easily associate with the SSID. Though optional for user auth, this is strongly recommended for machine authentication.
Here is the link to this guide:
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...
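Both the accepted answer (switch the profile to computer authentication) and the GPO-deployed PEAP profile come down to what the 802.1X profile on the client actually contains. Here is an added PowerShell example, not from this thread or from Microsoft, that exports the Wi-Fi profile with netsh and reports its authentication mode and server-validation settings; it assumes a Windows 8 / Server 2012 or later client, and "Corp-WiFi" is a placeholder SSID.

```powershell
# Added example, not part of the thread: export a client's Wi-Fi profile with netsh and
# report the 802.1X settings that decide machine vs. user authentication. Assumes a
# Windows 8 / Server 2012 or later client; 'Corp-WiFi' below is a placeholder SSID.
function Get-WlanOneXSummary {
    param([Parameter(Mandatory)][string]$Ssid)

    # netsh writes the profile as XML into the given folder. An enterprise (802.1X)
    # profile holds no passphrase, so key=clear is neither needed nor used here.
    $dir = Join-Path $env:TEMP ("wlan-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        $msg  = netsh wlan export profile "name=$Ssid" "folder=$dir" 2>&1
        $file = Get-ChildItem -Path $dir -Filter *.xml | Select-Object -First 1
        if (-not $file) { throw "No profile exported for '$Ssid': $msg" }

        # PowerShell's XML adapter matches on local element names, so the WLAN, OneX
        # and EapHostConfig namespaces do not need to be declared for this navigation.
        [xml]$p  = Get-Content -Path $file.FullName -Raw
        $sec     = $p.WLANProfile.MSM.security
        $onex    = $sec.OneX
        $eapHost = $onex.EAPConfig.EapHostConfig
        $outer   = $eapHost.Config.Eap.EapType        # PEAP or EAP-TLS connection properties

        # authMode is optional in the OneX schema. When the element is absent Windows
        # behaves as machineOrUser, i.e. it re-authenticates as the user at logon,
        # which is the moment the original poster saw the connection drop.
        $authMode = if ($onex.authMode) { $onex.authMode } else { 'machineOrUser (default, element absent)' }

        # PerformServerValidation sits at a different depth for PEAP and EAP-TLS, so
        # locate it by local name rather than by a fixed path.
        $psv     = $outer.SelectSingleNode(".//*[local-name()='PerformServerValidation']")
        $psvText = if ($psv) { $psv.InnerText } else { '(not set)' }

        [pscustomobject]@{
            Ssid                    = $p.WLANProfile.name
            Authentication          = $sec.authEncryption.authentication   # e.g. WPA2
            UseOneX                 = $sec.authEncryption.useOneX
            AuthMode                = $authMode
            OuterEapType            = [int]$eapHost.EapMethod.Type         # 25 = PEAP, 13 = EAP-TLS
            PerformServerValidation = $psvText
            TrustedRootCA           = ($outer.ServerValidation.TrustedRootCA -join ', ')
            ServerNames             = $outer.ServerValidation.ServerNames
            DisableUserPrompt       = $outer.ServerValidation.DisableUserPromptForServerValidation
        }
    }
    finally {
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Get-WlanOneXSummary -Ssid 'Corp-WiFi' | Format-List
```

Run it on an affected client after the GPO has applied: an AuthMode other than machine, or a TrustedRootCA / ServerNames pair that does not match the certificate NPS presents, is the first thing to compare against a working machine.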
-
I suppose you could change it to computer and/or user authentication and just allow the users to log on to the WiFi using RADIUS; that way, after they log on it will just use their account for the WiFi. If you have an AD-aware firewall/router you can use this to track internet usage by user, which can be helpful.
Source: https://community.spiceworks.com/topic/2153777-issue-with-wifi-authentication-using-radius-setup-server-2012