- This topic has 6 replies, 2 voices, and was last updated 4 years, 8 months ago by jfaure.
December 16, 2019 at 6:30 pm #51419
Hello,
We would like to do 802.1x authentication with certificates that are requested via SCEP.
The SCEP request is working fine (i.e. the certificate is requested and installed in our Wyse 3040).
The EAP-TLS works only under specific conditions though.
I have to modify the default template used by our ADCS (IPSECIntermediateOffline by default) to a brand new one.
With this (and after some testing), we finally succeeded in authenticating in user mode, after an AD account is created (with name of the user = CN of the certificate).
I would like to do the authentication in machine mode, without a user in the AD.
I can't succeed in doing it.
My lines in the ini file:
SCEP:
ScepAutoEnroll=yes AutoRenew=yes InstallCACert=no CountryName=FR State=IDF Locality=PARIS Organization=DSI OrganizationUnit=XXX CommonName=$TN [email protected] KeyUsage=digitalSignature;keyEncipherment KeyLength=2048 RequestURL=xxx/certsrv/mscep/mscep.dll CACertHashType=MD5 CACertHash=”xxxx” ScepAdminUrl=xxxx/CertSrv/mscep_admin/ ScepUser=scep_user ScepUserPwd=xxx
802.1x:
IEEE8021X=yes network=wired eap=yes eaptype=EAP-TLS tlsauthtype=user tlsclntprikey=$TN.pfx
When I change to user, I have an issue in the Windows NPS.
December 16, 2019 at 6:39 pm #51420
The log of the NPS:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: host/WT8cec4b635ed7
Account Domain: AGRICA
Fully Qualified Account Name: DOMAIN\host/WT8cec4b635ed7
Client Machine:
Security ID: NULL SID
Account Name: –
Fully Qualified Account Name: –
OS-Version: –
Called Station Identifier: BC-C4-93-B1-8E-26
Calling Station Identifier: 8C-EC-4B-63-5E-D7
NAS:
NAS IPv4 Address: 10.115.192.103
NAS IPv6 Address: –
NAS Identifier: –
NAS Port-Type: Ethernet
NAS Port: 50138
RADIUS Client:
Client Friendly Name: xxx
Client IP Address: 10.115.xxx.103
Authentication Details:
Connection Request Policy Name: CISCO_SWITCH_802.1X
Network Policy Name: –
Authentication Provider: Windows
Authentication Server: servername.domain
Authentication Type: EAP
EAP Type: –
Account Session Identifier: –
Logging Results: Accounting information was written to the local log file.
Reason Code: 8
Reason: The specified user account does not exist.
December 16, 2019 at 6:40 pm #51421
When I change to user, I have an issue in the Windows NPS.
I mean =>
When I change to machine, I have an issue in the Windows NPS.
i.e.:
IEEE8021X=yes network=wired eap=yes eaptype=EAP-TLS tlsauthtype=machine tlsclntprikey=$TN.pfx
December 18, 2019 at 11:17 am #51452
Hello,
So nobody is using SCEP for 802.1x certificate authentication with RADIUS Windows NPS? 🙁
December 27, 2019 at 10:14 pm #51486
I had to create a computer object.
Make sure you set an SPN for the computer account:
"setspn -s HOST/$TN.domain.net $TN"
$TN = hostname
Then duplicate the user template, next change the attribute flags to 131706, this changes it for a machine certificate.
I have this working in production with wireless. It took me a while to figure it out myself.
enjoy!
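The steps in the reply above (create the computer object, register the HOST/ SPN, check the template's machine flag), as an added PowerShell example that is not from this thread or from Dell. It assumes the RSAT ActiveDirectory module is installed; `domain.net` and the template name are placeholders to replace with your own values.

```powershell
# Added example, not from the thread: create the AD computer object that the
# machine-mode EAP-TLS identity host/<TN> must resolve to, register the HOST/ SPN
# the reply describes, and read back the certificate template's flags so the
# CT_FLAG_MACHINE_TYPE bit (0x40) can be confirmed.
param(
    [Parameter(Mandatory)] [string] $TN,                 # terminal hostname = certificate CN
    [string] $DnsDomain    = 'domain.net',               # placeholder: your AD DNS name
    [string] $TemplateName = 'YourMachineTemplate'       # placeholder: the duplicated template
)
Import-Module ActiveDirectory

$spn = "HOST/$TN.$DnsDomain"

# Reason code 8 ("The specified user account does not exist") is what NPS logs
# when host/<TN> matches no account, so make sure the computer object exists.
$computer = Get-ADComputer -Filter "Name -eq '$TN'"
if (-not $computer) {
    $computer = New-ADComputer -Name $TN -DNSHostName "$TN.$DnsDomain" -Enabled $true -PassThru
    Write-Host "Created computer object $($computer.DistinguishedName)"
}

# Same operation as the reply's "setspn -s HOST/$TN.domain.net $TN"; -s refuses
# to add an SPN that is already registered elsewhere in the forest.
setspn -s $spn $TN

# Read back the SPNs actually stored on the object.
(Get-ADComputer -Identity $TN -Properties ServicePrincipalNames).ServicePrincipalNames

# Read the template's flags attribute and test the CT_FLAG_MACHINE_TYPE bit (64),
# which is the value the original poster reports as "40 (64)" on their template.
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
               (Get-ADRootDSE).configurationNamingContext
$template = Get-ADObject -SearchBase $templatesDn -Filter "Name -eq '$TemplateName'" -Properties flags
if ($template) {
    $isMachine = ($template.flags -band 0x40) -ne 0
    Write-Host ("Template {0}: flags={1} machineType={2}" -f $template.Name, $template.flags, $isMachine)
}
```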
January 6, 2020 at 4:06 pm #51506
Hello,
Thanks for your answer, I will try it.
Thanks!!
January 15, 2020 at 6:26 pm #51561
Hello,
After some testing, still KO.
I do not understand this line in your comment: "Then duplicate the user template, next change the attribute flags to 131706, this changes it for a machine certificate."
My certificate template is already for machine: CT_FLAG_MACHINE_TYPE — 40 (64)
If you could provide any significant details (ini for SCEP and 802.1x, also the template used and the NPS conf, the details of the computer object created), it would be appreciated.
Thanks in advance.