Oh No, I can't Authenticate on dot1x!!!
Ran updates on our domain controllers this morning, installed everything like usual, because I'm trusting like that. Anyway, after the reboot of our DCs no computers were able to authenticate on the network! After some digging and research of the event logs I noticed a forum thread was pretty active, titled: Root Certificates Optional Windows Update December 2012 - KB931125 triggers Event ID 36885 - SCHANNEL
I followed the recommendation given by user Michael DAngelo, and used Method 3 to modify the registry of the DCs: http://support.microsoft.com/kb/2464556
To set this registry entry, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
- On the Edit menu, point to New, and then click DWORD Value.
- Type SendTrustedIssuerList, and then press Enter to name the registry entry.
- Right-click SendTrustedIssuerList, and then click Modify.
- In the Value data box, type 0 if that value is not already displayed, and then click OK.
- Exit Registry Editor.
Immediately after putting in the value it started to work.
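As an added example (not from the original post or the KB article), the following PowerShell checks whether the DC/NPS host has logged the truncated-issuer-list warning, shows how many root CAs it currently trusts, and applies the same SendTrustedIssuerList = 0 value from Method 3. It assumes an elevated PowerShell session on the server that runs NPS.

```powershell
# Added example, not from the post. Assumes an elevated session on the NPS/DC host.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name = 'SendTrustedIssuerList'

# 1. Has Schannel logged the "list has grown too long" warning (Event ID 36885)?
$warnings = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36885 } `
                         -MaxEvents 20 -ErrorAction SilentlyContinue
"Schannel 36885 events found: $(@($warnings).Count)"

# 2. How many CAs would be advertised in the CertificateRequest? The auto-downloaded
#    third-party roots from the update land in AuthRoot, alongside the Root store.
$rootCount     = (Get-ChildItem Cert:\LocalMachine\Root).Count
$authRootCount = (Get-ChildItem Cert:\LocalMachine\AuthRoot).Count
"Trusted root CAs: Root=$rootCount AuthRoot=$authRootCount"

# 3. Current value (absent means Schannel uses its built-in default).
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
"Current $name : $(if ($null -eq $current) { '<not set>' } else { $current })"

# 4. Apply the fix: stop sending the trusted-issuer list, so it can no longer be truncated.
if ($null -eq $current) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 | Out-Null
} elseif ($current -ne 0) {
    Set-ItemProperty -Path $key -Name $name -Value 0
}
"$name is now $((Get-ItemProperty -Path $key -Name $name).$name)"
```

With the value at 0 the server no longer sends any CA list during client authentication, so EAP-TLS clients pick a certificate from their own store without that hint; the client certificate is still validated by NPS as before.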
Event Logs on Domain Controllers
Error Schannel 36887
The following fatal alert was received: 47.
Warning Schannel 36685
When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: DOMAIN\COMPUTERNAME$
Account Name: host/computername.domain.local
Account Domain: DOMAIN
Fully Qualified Account Name: domain.local/OU/COMPUTERNAME
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00000000000
Calling Station Identifier: 00000000000
NAS:
NAS IPv4 Address: 172.16.2.2
NAS IPv6 Address: -
NAS Identifier: 172.16.2.2
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 2
RADIUS Client:
Client Friendly Name: radiusserver
Client IP Address: 192.168.1.4
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: 802.1x-Wireless
Authentication Provider: Windows
Authentication Server: DC2.domain.local
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 266
Reason: The message received was unexpected or badly formatted.
Event Logs on Radius Proxy
Warning IAS 2
User host/COMPUTERNAME.domain.local was denied access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 172.16.2.2
NAS-Identifier = 172.16.2.2
Called-Station-Identifier = 000000000000
Calling-Station-Identifier = 000000000000
Client-Friendly-Name = AccessPoints-172.16.2.0/24
Client-IP-Address = 172.16.2.2
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Dot1x_Proxy
Authentication-Provider = RADIUS Proxy
Authentication-Server = 192.168.1.7
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
Reason-Code = 112
Reason = The remote RADIUS (Remote Authentication Dial-In User Service) server did not process the authentication request.
For more information, see Help and Support Center at