Discussion:
Need help with NPS
Arch Willingham
2008-06-24 11:09:06 UTC
Somehow I missed that IAS is now something new with Win2008 and it's now
called NPS. I had to rebuild the server that runs IAS and used Server 2008
to do so.

I ran through the wireless Wizard but the wireless clients will not connect.
I know there are a thousand possibilities but where do I start with
debugging?

Thanks!

Arch
S. Pidgorny <MVP>
2008-06-25 09:14:24 UTC
System log entries?
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Arch Willingham
2008-06-26 02:20:20 UTC
Nothing shows up there nor in the log files..no entries...nothing.
James McIllece [MS]
2008-06-27 16:21:53 UTC
"Arch Willingham" <***@tuparks.com> wrote in news:***@TK2MSFTNGP02.phx.gbl:

If that's the case, then NPS is not even receiving connection requests.
Ensure that the APs and NPS are both using the same RADIUS ports, verify
connectivity between NPS and the APs, and ensure the RADIUS shared secrets
are the same as configured on each AP and in NPS RADIUS clients.
Arch Willingham
2008-07-01 12:34:33 UTC
OK...I now at least have them talking to each other (the access points and
the NPS server) and the NPS server is logging the requests. Shown below is
me trying to connect with my Ipaq.

10.1.2.10,ourdomain\auburn,07/01/2008,08:04:14,IAS,NPSSERVER,4,10.1.2.10,30,00131019722b,31,000278556e1d,32,00131019722b,5,38,12,1400,61,19,4108,10.1.2.10,4116,0,4128,Wireless 2,4154,Secure Wireless,4155,1,4129,ourdomain\auburn,4130,ourdomain\auburn,25,311 1 fe80::412b:5577:366c:f668 06/30/2008 15:04:09 19,4127,5,4149,Secure Wireless,4136,1,4142,0
10.1.2.10,ourdomain\auburn,07/01/2008,08:04:14,IAS,NPSSERVER,25,311 1 fe80::412b:5577:366c:f668 06/30/2008 15:04:09 19,27,60,4108,10.1.2.10,4116,0,4128,Wireless 2,4154,Secure Wireless,4155,1,4129,ourdomain\auburn,4130,ourdomain\auburn,4127,5,4149,Secure Wireless,4136,11,4142,0
10.1.2.10,ourdomain\auburn,07/01/2008,08:04:14,IAS,NPSSERVER,4,10.1.2.10,30,00131019722b,31,000278556e1d,32,00131019722b,5,38,12,1400,61,19,4108,10.1.2.10,4116,0,4128,Wireless 2,4154,Secure Wireless,4155,1,4129,ourdomain\auburn,4130,ourdomain\auburn,4127,5,4149,Secure Wireless,25,311 1 fe80::412b:5577:366c:f668 06/30/2008 15:04:09 20,4132,,4136,1,4142,0
10.1.2.10,ourdomain\auburn,07/01/2008,08:04:14,IAS,NPSSERVER,25,311 1 fe80::412b:5577:366c:f668 06/30/2008 15:04:09 20,4132,,4108,10.1.2.10,4116,0,4128,Wireless 2,4154,Secure Wireless,4155,1,4129,ourdomain\auburn,4130,ourdomain\auburn,4127,5,4149,Secure Wireless,4136,3,4142,22

Once it tries to connect, it pops up and asks me for my domain password
(like it did with ISA) but then it comes back with "Cannot log onto the
wireless network. This network requires a personal certificate to positively
identify you.". That's the part I am stuck on. With the old ISA walk
through, you could tell how to export out the wireless certificates for the
clients. I can't tell how or where you do that now.

Also, the point in the NPS setup where you tell it what certificate to use
(under Protected EAP properties > certificate issued), it has a weird
certificate name. Where did it get that and why does it use it?

Thanks!

Arch
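
The four IAS-format records in the post above can be decoded field by field. The following Python parser is an added example, not part of the original thread: it splits each record into the six header fields and the attribute-ID/value pairs that follow, then reports the rejected requests. The attribute IDs and value tables are a small subset of the IAS-format log values, and the function and variable names are this example's own.

```python
import csv
from collections import Counter

# Every IAS-format record starts with these six header fields, in this order.
HEADER = ("nas_ip", "user_name", "date", "time", "service", "computer")

# Subset of the IAS-format attribute IDs and value tables, enough for triage.
PACKET_TYPE, REASON_CODE = "4136", "4142"
CLIENT_NAME, NETWORK_POLICY, AUTH_TYPE = "4128", "4149", "4127"
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "11": "Access-Challenge"}
AUTH_TYPES = {"4": "MS-CHAP v2", "5": "EAP", "11": "PEAP"}
REASONS = {"0": "success",
           "22": "EAP type cannot be processed by the server"}

# The four records from the post above, with the line wraps rejoined.
SAMPLE_LOG = r"""
10.1.2.10,ourdomain\auburn,07/01/2008,08:04:14,IAS,NPSSERVER,4,10.1.2.10,30,00131019722b,31,000278556e1d,32,00131019722b,5,38,12,1400,61,19,4108,10.1.2.10,4116,0,4128,Wireless 2,4154,Secure Wireless,4155,1,4129,ourdomain\auburn,4130,ourdomain\auburn,25,311 1 fe80::412b:5577:366c:f668 06/30/2008 15:04:09 19,4127,5,4149,Secure Wireless,4136,1,4142,0
10.1.2.10,ourdomain\auburn,07/01/2008,08:04:14,IAS,NPSSERVER,25,311 1 fe80::412b:5577:366c:f668 06/30/2008 15:04:09 19,27,60,4108,10.1.2.10,4116,0,4128,Wireless 2,4154,Secure Wireless,4155,1,4129,ourdomain\auburn,4130,ourdomain\auburn,4127,5,4149,Secure Wireless,4136,11,4142,0
10.1.2.10,ourdomain\auburn,07/01/2008,08:04:14,IAS,NPSSERVER,4,10.1.2.10,30,00131019722b,31,000278556e1d,32,00131019722b,5,38,12,1400,61,19,4108,10.1.2.10,4116,0,4128,Wireless 2,4154,Secure Wireless,4155,1,4129,ourdomain\auburn,4130,ourdomain\auburn,4127,5,4149,Secure Wireless,25,311 1 fe80::412b:5577:366c:f668 06/30/2008 15:04:09 20,4132,,4136,1,4142,0
10.1.2.10,ourdomain\auburn,07/01/2008,08:04:14,IAS,NPSSERVER,25,311 1 fe80::412b:5577:366c:f668 06/30/2008 15:04:09 20,4132,,4108,10.1.2.10,4116,0,4128,Wireless 2,4154,Secure Wireless,4155,1,4129,ourdomain\auburn,4130,ourdomain\auburn,4127,5,4149,Secure Wireless,4136,3,4142,22
"""


def parse_record(line):
    """Split one record into (header dict, {attribute id: [values]})."""
    fields = next(csv.reader([line]))
    if len(fields) < len(HEADER):
        raise ValueError("record is shorter than the six-field header")
    pairs = fields[len(HEADER):]
    if len(pairs) % 2:
        raise ValueError("attribute id without a value (truncated record?)")
    attrs = {}
    for attr_id, value in zip(pairs[0::2], pairs[1::2]):
        attrs.setdefault(attr_id, []).append(value)  # an ID may repeat
    return dict(zip(HEADER, fields)), attrs


def first(attrs, attr_id, default=""):
    """First value logged for an attribute, or a default if it is absent."""
    return attrs.get(attr_id, [default])[0]


def records(log_text):
    """Yield parsed records, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            yield parse_record(line.strip())


def packet_type_counts(log_text):
    """Count records per RADIUS packet type."""
    counts = Counter()
    for _, attrs in records(log_text):
        code = first(attrs, PACKET_TYPE)
        counts[PACKET_TYPES.get(code, "type " + code)] += 1
    return counts


def rejects(log_text):
    """Return one summary dict per Access-Reject record."""
    found = []
    for header, attrs in records(log_text):
        if first(attrs, PACKET_TYPE) != "3":
            continue
        reason = first(attrs, REASON_CODE)
        auth = first(attrs, AUTH_TYPE)
        found.append({
            "when": header["date"] + " " + header["time"],
            "user": header["user_name"],
            "radius_client": first(attrs, CLIENT_NAME),
            "network_policy": first(attrs, NETWORK_POLICY),
            "auth_type": AUTH_TYPES.get(auth, "type " + auth),
            "reason_code": reason,
            "reason": REASONS.get(reason, "not in this example's table"),
        })
    return found


if __name__ == "__main__":
    print(dict(packet_type_counts(SAMPLE_LOG)))
    for reject in rejects(SAMPLE_LOG):
        print(reject)
```

On this log it reports two Access-Requests, one Access-Challenge and one Access-Reject; the reject carries reason code 22 under the "Secure Wireless" network policy.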
James McIllece [MS]
2008-07-03 20:08:38 UTC
"Arch Willingham" <***@tuparks.com> wrote in news:#***@TK2MSFTNGP04.phx.gbl:

Your certificate deployment depends on the authentication method and type
you have configured in network policy.

If you want clients to use certificates (rather than user name and
password) you must deploy PEAP-TLS or EAP-TLS. With these auth methods,
both the NPS server and the clients provide a certificate as proof of
identity.

To deploy these auth methods you must install Active Directory Certificate
Services and enroll certificates to the NPS server (server certificates)
and either client or user certificates to clients/users.

There are two papers that provide all the details on how to deploy server
certificates and client and user certificates. They are:

Foundation Network Companion Guide: Deploying Server Certificates
• Available for download in Word format at the Microsoft Download Center:
http://go.microsoft.com/fwlink/?LinkId=108259

• Available in HTML format in the Windows Server 2008 Technical Library:
http://go.microsoft.com/fwlink/?LinkId=108258

Foundation Network Companion Guide: Deploying Computer and User
Certificates
• Available for download in Word format at the Microsoft Download Center:
http://go.microsoft.com/fwlink/?LinkId=115742

• Available in HTML format in the Windows Server 2008 Technical Library:
http://go.microsoft.com/fwlink/?LinkId=113884
Arch Willingham
2008-07-08 16:48:55 UTC
10-4 on what you said. The way you describe it is how I had it set before
the change to 2008. The confusing part is where I asked "Also, the point in
the NPS setup where you tell it what certificate to
use (under Protected EAP properties > certificate issued), it has a weird
certificate name. Where did it get that and why does it use it?". Even after
reviewing the info you mentioned, I still do not understand the answer to my
question.

Arch
James McIllece [MS]
2008-07-10 02:56:26 UTC
"It has a weird certificate name. Where did it get that and why does it use
it?"

OK Arch, you tell ME why I provided no response at all to that "question."
Arch Willingham
2008-07-14 16:57:09 UTC
I am sure you answered it completely and succinctly to the majority of users
who are much more knowledgeable than me. Also, seeing that all answers on
this newsgroup are on a voluntary basis, what you provided was above and
beyond the call of duty - especially since you have the "MS" extension on
the back of your name. Hopefully, your last question was not intentionally
worded in such a way as to sound adversarial as my question to the newsgroup
was also not intended to be that way.

I'll try to rephrase my original question another way so as not to further
raise anyone's ire.

As you are following the wizards in setting up NPS, where you tell it what
certificate to use (under Protected EAP properties > certificate issued).
Mine came up with a weird certificate name - one that I did not previously
set up. Also, when you pick the drop down list, it does not let you pick any
other certificates (I.E. one you generate from the internal certificate
server). I am confused as to where it gets the original certificate that
appears in the drop down box and how you get a certificate you made to be
available from the drop down box.

Again, if this question upset anyone, offended anyone, bothered anyone, etc,
I apologize, will just bag it and I'll try to figure out another way of
solving the problem.

Thanks!

Arch
James McIllece [MS]
2008-07-14 20:04:11 UTC
Hi Arch --

I was attempting to say (with humor that obviously didn't come across as
humor, so sorry about that) that the description "weird certificate name"
doesn't tell me anything, so I can't help you. To provide feedback to you
about the certificate name and where it came from, I would need to know
what you expected the name to be, what the name actually is, and why you
feel the name is weird.

I've never seen your network, your IAS server, or your CA -- so I don't
know where the cert came from that you are discussing.

I can tell you that IAS will not display any certificates for your
selection when you are configuring PEAP and EAP if the certificates do not
meet the minimum server certificate requirements. These can be found in the
IAS Help topic "Network access authentication and certificates."

So if you have autoenrolled a server certificate to the IAS server but it
isn't appearing in the IAS UI when you configure authentication, it means
that the certificate does not meet the minimum cert requirements, so IAS is
not displaying the certificate.

Hope that helps --

James
James McIllece [MS]
2008-06-27 16:23:39 UTC
"Arch Willingham" <***@tuparks.com> wrote in news:***@TK2MSFTNGP02.phx.gbl:

Also, just FYI, NPS documentation is on the computer and here:

http://technet2.microsoft.com/windowsserver2008/en/library/457d659e-ec21-4ff4-8961-8729d06664901033.mspx