Tuesday, December 18, 2012

Root Certificates Update from December 2012 breaks dot1x authentication

Oh No, I can't Authenticate on dot1x!!!

Ran updates on our domain controllers this morning and installed everything like usual, because I'm trusting like that. Anyway, after the reboot of our DCs no computers were able to authenticate on the network! After some digging and research of the event logs I noticed a forum thread was pretty active, titled: Root Certificates Optional Windows Update December 2012 - KB931125 triggers Event ID 36885 - SCHANNEL


I followed the recommendation given by user Michael DAngelo, and used Method 3 to modify the registry of the DCs: http://support.microsoft.com/kb/2464556


To set this registry entry, follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type SendTrustedIssuerList, and then press Enter to name the registry entry.
  5. Right-click SendTrustedIssuerList, and then click Modify.
  6. In the Value data box, type 0 if that value is not already displayed, and then click OK.
  7. Exit Registry Editor.

Immediately after putting in the value it started to work.
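For anyone who would rather script this than click through regedit, here is an added PowerShell example (my own, not from the post or from Microsoft's KB) that audits the trusted-issuer list on a DC or NPS server, shows the current value, pulls the matching Schannel warnings, and applies the same DWORD when run with -Fix. It assumes the issuer list is built from the machine Root store and that the 16 KB ceiling I remember from KB2464556 is the relevant limit; treat both as assumptions to check against the KB.

```powershell
# Added example (not the original post's code): audit and fix the Schannel
# trusted-issuer list on a DC/NPS box. Run from an elevated PowerShell session.
param(
    [switch]$Fix   # pass -Fix to actually write SendTrustedIssuerList = 0
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name = 'SendTrustedIssuerList'

# Assumption: Schannel sends the DER-encoded subject name of every CA in the
# machine Root store, each with a 2-byte length prefix on the wire. The 16 KB
# figure is my recollection of the KB2464556 limit, not stated on the page.
$limitBytes = 16KB
$roots = Get-ChildItem Cert:\LocalMachine\Root
$listBytes = ($roots | ForEach-Object { $_.SubjectName.RawData.Length + 2 } |
              Measure-Object -Sum).Sum
"Root store holds {0} CAs; issuer list would be about {1} bytes (assumed limit {2})" -f `
    $roots.Count, $listBytes, $limitBytes
if ($listBytes -gt $limitBytes) {
    'Issuer list exceeds the limit: expect Schannel 36885 and EAP-TLS failures.'
}

# Current state of the value (missing means the default: the list is sent)
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
"Current {0}: {1}" -f $name, $(if ($null -eq $current) { '<not set>' } else { $current })

# Recent Schannel warnings about the truncated list, for confirmation
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36885 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

if ($Fix) {
    # Same change as the regedit steps above: DWORD SendTrustedIssuerList = 0
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    "Set {0} = 0; the post above reports this takes effect without a reboot." -f $name
}
```

Setting the value to 0 only stops the server from sending the list; clients then pick a certificate without that hint, which is fine for machine-certificate EAP-TLS but worth testing where clients hold several certificates. The longer-term fix the 36885 warning itself suggests is pruning CAs from the Root store that do not need to be trusted for client authentication.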

Event Logs on Domain Controllers

Error Schannel 36887 The following fatal alert was received: 47.

Warning Schannel 36885 When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.


Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: DOMAIN\COMPUTERNAME$
Account Name: host/computername.domain.local
Account Domain: DOMAIN
Fully Qualified Account Name: domain.local/OU/COMPUTERNAME

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00000000000
Calling Station Identifier: 00000000000

NAS:
NAS IPv4 Address: 172.16.2.2
NAS IPv6 Address: -
NAS Identifier: 172.16.2.2
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 2

RADIUS Client:
Client Friendly Name: radiusserver
Client IP Address: 192.168.1.4

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: 802.1x-Wireless
Authentication Provider: Windows
Authentication Server: DC2.domain.local
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 266
Reason: The message received was unexpected or badly formatted.

Event Logs on Radius Proxy

Warning IAS 2

User host/COMPUTERNAME.domain.local was denied access.
 Fully-Qualified-User-Name = <undetermined> 
 NAS-IP-Address = 172.16.2.2
 NAS-Identifier = 172.16.2.2
 Called-Station-Identifier = 000000000000
 Calling-Station-Identifier = 000000000000
 Client-Friendly-Name = AccessPoints-172.16.2.0/24
 Client-IP-Address = 172.16.2.2
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 1
 Proxy-Policy-Name = Dot1x_Proxy
 Authentication-Provider = RADIUS Proxy 
 Authentication-Server = 192.168.1.7
 Policy-Name = <undetermined> 
 Authentication-Type = <undetermined> 
 EAP-Type = <undetermined> 
 Reason-Code = 112
 Reason = The remote RADIUS (Remote Authentication Dial-In User Service) server did not process the authentication request. 

For more information, see Help and Support Center at