We are deploying MS ForeFront UAG 2010 SP1 with Direct Access with NAP enabled.
Having trouble with the interoperation of WiFi EAP authentication, DirectAccess IPSec negotiation and NAP.
The problem is the following:
1. While the computer is in the corpnet over a WiFi connection everything goes right. It authenticates successfully, using its enterprise CA issued certificate and the EAP auth. method. There is only one computer certificate in Certificates (Local Computer)/Personal/Certificates. The Enhanced Key Usage for this certificate is Client Authentication.
2. When I bring this same computer away from the corpnet and connect over DirectAccess, I receive another certificate, which is issued by a standalone subordinate CA dedicated to the NAP processing, as advised in the manuals. The Enhanced Key Usage of this certificate is System Health Authentication + Client Authentication. The NAP procedure works fine. The only NAP Enforcement Agent enabled on this computer is the IPSec relying party.
3. When I bring this same computer back to the corp network it fails to authenticate in WiFi enterprise network with the
ReasonCode: Explicit Eap Failure received (0x50005)
I guess it is because of the new Health Authentication certificate. Am I right? What is wrong in this configuration? What am I to do to make it work?
By the way, I've tried to uncheck ClientAuthentication checkbox in the Health Authentication certificate properties. After that WiFi starts to work fine, but it begins to use NAP as well as DA connections, even though EAP enforcement agent is not enabled.
Is it the right behavior? Is it possible to use Health Enforcement procedure only in DA environment, not using it on wired Ethernet and WiFi?
Thanks in advance. With respect and kind regards. Ilya Serov.
You can choose 5 enforcement policies:
- DHCP
- Remote Access Quarantine
- IPSEC
- TS Gateway
- EAP, known as 802.1X
In addition to that, you have to configure the enforcement points.
For 802.1X you can use an enforcement point for both wireless and wired clients, but it has to be configured as a RADIUS client to the NAP server. On your 802.1X switch, you need to define VLANs to create compliant and non-compliant networks. Then identify the VLANs that correspond to the compliant and non-compliant networks.
Yesterday I made a few more tests. As a result I see that after bringing the DA client computer back to the corpnet it stops authenticating with WiFi.
After rebooting the computer I see that WiFi authentication begins to work well, but it still continues using NAP enforcement.
As a matter of fact I do not want to use NAP and health enforcement for EAP authentication at all yet. I need it for DirectAccess clients only. I guess that this is achieved by enabling only one "IPSec Relying Party" enforcement agent. Unfortunately it seems to work in a different way. If NAP is enabled for !ONE! specific enforcement agent it seems to begin working for all of them (including EAP), and my task is to configure it to only work with the IPSec relying party agent.
Can you tell me whether it is possible to do so?
Thanks in advance for your support. With respect and kind regards, Ilya Serov.
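As an added diagnostic (not posted in the thread and not part of the UAG or NAP product), this PowerShell script checks the two things the posts above turn on: which machine certificates carry the Client Authentication and System Health Authentication EKUs, and which NAP enforcement clients are administratively enabled according to `netsh nap client show configuration`. The enforcement client IDs are the standard NAP ones; the netsh command it prints for any unexpected client is displayed, not executed.

```powershell
# Added diagnostic, not from the thread. Run in an elevated PowerShell (2.0 or later) on the DA client.
# Part 1: machine certificates and their EKUs. A certificate carrying both Client Authentication
# and System Health Authentication is eligible for 802.1X EAP as well as for NAP, which is the
# ambiguity the original post describes.
$ekuClientAuth = '1.3.6.1.5.5.7.3.2'       # id-kp-clientAuth
$ekuHealthAuth = '1.3.6.1.4.1.311.47.1.1'  # System Health Authentication (NAP)

$certs = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $oids = @()
    foreach ($ext in $_.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $oids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    New-Object PSObject -Property @{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        Thumbprint = $_.Thumbprint
        ClientAuth = ($oids -contains $ekuClientAuth)
        HealthAuth = ($oids -contains $ekuHealthAuth)
    }
}
$certs | Format-Table Thumbprint, ClientAuth, HealthAuth, Subject, Issuer -AutoSize
$ambiguous = @($certs | Where-Object { $_.ClientAuth -and $_.HealthAuth })
if ($ambiguous.Count -gt 0) {
    $list = ($ambiguous | ForEach-Object { $_.Thumbprint }) -join ', '
    Write-Warning "Certificate(s) usable for both EAP and NAP health authentication: $list"
}

# Part 2: NAP enforcement clients. Well-known IDs: 79617 DHCP, 79618 Remote Access (VPN),
# 79619 IPsec Relying Party, 79621 TS Gateway, 79623 EAP (802.1X).
# For a DirectAccess-only deployment only the IPsec Relying Party client should be enabled.
$wanted    = @(79619)
$enabled   = @()
$currentId = $null
foreach ($line in (netsh nap client show configuration)) {
    if ($line -match '^\s*ID\s*=\s*(\d+)') { $currentId = [int]$Matches[1] }
    elseif ($line -match '^\s*Admin\s*=\s*Enabled' -and $currentId) { $enabled += $currentId; $currentId = $null }
}
"Enabled NAP enforcement clients: $($enabled -join ', ')"
foreach ($id in ($enabled | Where-Object { $wanted -notcontains $_ })) {
    # Printed for review, not executed.
    "Enforcement client $id is enabled but not wanted; to disable: netsh nap client set enforcement ID = $id ADMIN = `"DISABLE`""
}
# The NAP Agent service the thread restarts as a workaround:
Get-Service napagent | Select-Object Name, Status
```

If the enforcement clients are delivered through Group Policy, the local netsh setting is overridden and the change has to be made in the GPO instead.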
1. When I get into the problem it can be solved by restarting the Network Access Protection Agent service.
2. When the antivirus software is completely removed from the client computer the problem seems not to reproduce (this is actually happening during the reboot).
3. Changing the antivirus software does not help.
4. Installing all updates + SP1 on Windows 7 does not help either.
Maybe this information will be helpful to find the root of the problem.