Welcome to ISAserver.org

All Forums >> [Forefront Unified Access Gateway 2010] >> DirectAccess >> Health Auth Certs and EAP auth. interferarion.
Health Auth Certs and EAP auth. interferarion. - 31.Mar.2011 10:15:38 AM   
ilya7b6
Hi, Dear friends.

We are deploying MS ForeFront UAG 2010 SP1 with DirectAccess with NAP enabled.

Having trouble with the interoperation of WiFi EAP authentication, DirectAccess IPsec negotiation and NAP.

The problem is the following:
1. While the computer is on the corpnet over a WiFi connection everything goes right.
It authenticates successfully, using its enterprise-CA-issued certificate and the EAP auth. method.
There is only one computer certificate in Certificates (Local Computer)/Personal/Certificates.
The Enhanced Key Usage for this certificate is Client Authentication.

2. When I take this same computer away from the corpnet and connect over DirectAccess I receive
another certificate, which is issued by a standalone subordinate CA dedicated to NAP processing, as
advised in the manuals.
The Enhanced Key Usage of this certificate is System Health Authentication + Client Authentication.
The NAP procedure works fine. The only NAP Enforcement Agent enabled on this computer is IPsec Relying Party.

3. When I bring this same computer back to the corp network it fails to authenticate to the enterprise WiFi
network with the

ReasonCode: Explicit EAP Failure received (0x50005)

I guess it is because of the new Health Authentication certificate. Am I right? What is wrong in this configuration?
What am I to do to make it work?


By the way, I've tried to uncheck the Client Authentication checkbox in the Health Authentication certificate properties.
After that WiFi starts to work fine, but it begins to use NAP as well, as the DA connections do, even though the EAP enforcement
agent is not enabled.

Is this the right behavior? Is it possible to use the Health Enforcement procedure only in the DA environment, not using it
on wired Ethernet and WiFi?

Thanks in advance.
With respect and kind regards.
Ilya Serov.
Post #: 1
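The first thing to check against the hypothesis in this post is what the 802.1X supplicant actually has to choose from, and which NAP enforcement clients are really enabled. The following PowerShell script is an added example, not code from the thread or from Microsoft: it inventories the Local Computer\Personal store with each certificate's EKU OIDs, flags certificates that carry both Client Authentication (OID 1.3.6.1.5.5.7.3.2) and System Health Authentication (OID 1.3.6.1.4.1.311.47.1.1), and then dumps the NAP client state with netsh. The two OIDs and the netsh enforcement client IDs are the standard values; the script is written for PowerShell 2.0 as shipped with Windows 7, run elevated.

```powershell
# Added example, not part of the forum thread. Run in an elevated PowerShell
# (2.0 or later) on the Windows 7 DirectAccess client.
#
# 1. Inventory Certificates (Local Computer)\Personal the way an EAP-TLS supplicant
#    sees it and flag certificates whose EKU covers both Client Authentication and
#    System Health Authentication.
# 2. Show which NAP enforcement clients are enabled on the machine.

# Standard EKU object identifiers (these values are not assumptions).
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'        # Client Authentication
$HealthAuthOid = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication (NAP)

function Get-MachineCertificateEku {
    # One object per certificate in Cert:\LocalMachine\My with its EKU OIDs expanded.
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
            }
        }
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuth    = ($ekuOids -contains $ClientAuthOid)
            HealthAuth    = ($ekuOids -contains $HealthAuthOid)
            EkuOids       = ($ekuOids -join ', ')
        }
    }
}

$certs = @(Get-MachineCertificateEku)
$certs | Format-Table Subject, Issuer, ClientAuth, HealthAuth, HasPrivateKey, NotAfter -AutoSize

# A NAP health certificate that also asserts Client Authentication is a valid
# EAP-TLS candidate, so the supplicant may offer it instead of the enterprise-CA
# certificate. Those are the certificates worth looking at first.
$overlap = @($certs | Where-Object { $_.ClientAuth -and $_.HealthAuth })
if ($overlap.Count -gt 0) {
    Write-Warning "$($overlap.Count) certificate(s) carry both Client Authentication and System Health Authentication EKUs:"
    $overlap | Format-List Subject, Issuer, Thumbprint, NotAfter
}

# NAP enforcement client state. Well-known enforcement client IDs:
#   79617 DHCP, 79618 Remote Access, 79619 IPsec Relying Party,
#   79621 TS Gateway, 79623 EAP Quarantine.
# If the NAP client is configured by Group Policy, the local settings are ignored
# and 'show grouppolicy' is the view that matters.
netsh nap client show state
netsh nap client show configuration
netsh nap client show grouppolicy

# To leave only the IPsec Relying Party enforcement client enabled locally
# (the configuration the post describes), uncomment:
# netsh nap client set enforcement ID = 79619 ADMIN = "ENABLE"
# netsh nap client set enforcement ID = 79623 ADMIN = "DISABLE"
```

Compare the Issuer column of any flagged certificate with the CA that the NPS/802.1X policy trusts: a certificate chained to a standalone NAP subordinate CA that the wireless policy does not accept is exactly the kind of candidate that turns into an EAP failure on the wire. The netsh output also settles whether the NAP client is really running with one enforcement client or whether Group Policy has enabled more than the local view shows.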
RE: Health Auth Certs and EAP auth. interferarion. - 31.Mar.2011 5:33:03 PM   
stevenrix
By any chance, is there anything in the event ID? It would help a lot to troubleshoot your 802.1x.

(in reply to ilya7b6)
Post #: 2
RE: Health Auth Certs and EAP auth. interferarion. - 31.Mar.2011 6:02:44 PM   
stevenrix
Is it the right behavior? Is it possible to use the Health Enforcement procedure only in the DA environment, not using it on wired Ethernet and WiFi?


You can choose from 5 enforcement policies:
- DHCP
- Remote Access Quarantine
- IPsec
- TS Gateway
- EAP, known as 802.1x
In addition to that, you have to configure the enforcement points.

For 802.1x you can use an enforcement point for both wireless and wired clients, but it has to be configured as a RADIUS client to the NAP server.
On your 802.1x switch, you need to define VLANs to create compliant and non-compliant networks.
Then identify the VLANs that correspond to the compliant and non-compliant networks.

(in reply to ilya7b6)
Post #: 3
RE: Health Auth Certs and EAP auth. interferarion. - 1.Apr.2011 5:12:01 AM   
ilya7b6
Hi, Steven. Hi Everybody.

Yesterday I made a few more tests. As a result I see that after bringing the DA client computer back to the corpnet it stops authenticating with WiFi.

After rebooting the computer I see that WiFi authentication begins to work well, but it still continues using NAP enforcement.

As a matter of fact I do not want to use NAP and health enforcement for EAP authentication at all yet. I need it for DirectAccess clients only. I guess that this is achieved by enabling only one "IPsec Relying Party" enforcement agent. Unfortunately it seems to work in a different way. If NAP is enabled for !ONE! specific enforcement agent it seems to begin working for all of them (including EAP), and my task is to configure it to only work with the one IPsec Relying Party agent.

Can you tell me whether it is possible to do so?

Thanks in advance for your support.
With respect and kind regards,
Ilya Serov.

(in reply to stevenrix)
Post #: 4
RE: Health Auth Certs and EAP auth. interferarion. - 8.Apr.2011 9:00:27 AM   
ilya7b6
Here is a diagnostics example. Hope it will help.

- System

  - Provider
      [ Name]   Microsoft-Windows-Security-Auditing
      [ Guid]   {54849625-5478-4994-A5BA-3E3B0328C30D}
    EventID     5632
    Version     1
    Level       0
    Task        12551
    Opcode      0
    Keywords    0x8010000000000000

  - TimeCreated
      [ SystemTime]   2011-04-08T11:50:33.964290300Z
    EventRecordID   67122
    Correlation

  - Execution
      [ ProcessID]   488
      [ ThreadID]    4224
    Channel     Security
    Computer    NTB.corp.net
    Security

- EventData
    SSID                 ps
    Identity             host/NTB.corp.net
    SubjectUserName      -
    SubjectDomainName    -
    SubjectLogonId       0x0
    PeerMac              00:0B:85:8A:97:6F
    LocalMac             00:16:6F:13:27:73
    IntfGuid             {81E2AE29-0781-4ADC-ACE8-4B3362D9423C}
    ReasonCode           0x50005
    ReasonText           Explicit Eap failure received
    ErrorCode            0x8009030c
    EAPReasonCode        0x8009030c
    EapRootCauseString   
    EAPErrorCode         0x80420101

With respect and kind regards.
Ilya Serov.

(in reply to stevenrix)
Post #: 5
RE: Health Auth Certs and EAP auth. interferarion. - 11.Apr.2011 6:44:11 AM   
ilya7b6
Hi, Everybody.

I have some news on the discussed topic.

1. When I get into the problem, it can be solved by restarting the Network Access Protection Agent service.

2. When the antivirus software is completely removed from the client computer the problem does not seem to reproduce. (It actually happens during the reboot.)

3. Changing the antivirus software does not help.

4. Installing all updates + SP1 on Windows 7 does not help either.

Maybe this information will be helpful in finding the root of the problem.

With respect and kind regards.
Serov Ilya.

(in reply to ilya7b6)
Post #: 6
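The event dump in post #5 and the service-restart workaround in post #6 are the two things a practitioner would want to script. The following PowerShell is an added example, not code from the thread: it pulls Security event 5632 from the client, extracts the same EventData fields the dump shows (SSID, Identity, PeerMac, ReasonCode, ErrorCode, EAPErrorCode), normalizes the hex values and names the codes it knows, then reports the state of the NAP agent service. 0x8009030C is SEC_E_LOGON_DENIED from SSPI, which is a fact; the EAP_E_* names are taken from eaphosterror.h and should be checked against your SDK copy; the service name napagent is the real name of the Network Access Protection Agent service. Written for PowerShell 2.0 on Windows 7, run elevated.

```powershell
# Added example, not part of the forum thread. Run in an elevated PowerShell
# on the Windows 7 client after a failed WiFi authentication.
#
# Pulls Security event 5632 ("A request was made to authenticate to a wireless
# network"), extracts the EventData fields shown in the dump in post #5, decodes
# the codes it knows, and reports the NAP agent service (post #6's workaround
# is restarting it).

# 0x50005 is the reason the dump shows; 0x8009030C is SEC_E_LOGON_DENIED (SSPI).
# The EAP_E_* names follow eaphosterror.h; verify them against your SDK copy.
$CodeNames = @{
    '0x00050005' = 'Explicit EAP failure received'
    '0x8009030C' = 'SEC_E_LOGON_DENIED (the logon attempt failed)'
    '0x80420100' = 'EAP_E_USER_CERT_NOT_FOUND'
    '0x80420101' = 'EAP_E_USER_CERT_INVALID'
    '0x80420102' = 'EAP_E_USER_CERT_EXPIRED'
    '0x80420103' = 'EAP_E_USER_CERT_REVOKED'
    '0x80420200' = 'EAP_E_USER_ROOT_CERT_NOT_FOUND'
}

function ConvertTo-HexCode([string]$Value) {
    # Normalize '0x50005' / '0x8009030c' to '0x00050005' / '0x8009030C'.
    if ([string]::IsNullOrEmpty($Value)) { return $null }
    $trimmed = $Value.Trim()
    if ($trimmed.StartsWith('0x', [StringComparison]::OrdinalIgnoreCase)) { $trimmed = $trimmed.Substring(2) }
    '0x{0:X8}' -f [Convert]::ToUInt32($trimmed, 16)
}

function Get-CodeName([string]$Code) {
    if ($Code -and $CodeNames.ContainsKey($Code)) { $CodeNames[$Code] } else { 'not in table' }
}

function Get-WirelessAuthFailures {
    param([int]$MaxEvents = 20)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5632 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        # Keywords 0x8010000000000000 = Audit Failure (as in the dump); skip Audit Success.
        if (($evt.Keywords -band 0x0010000000000000) -eq 0) { continue }

        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

        $reason = ConvertTo-HexCode $data['ReasonCode']
        $err    = ConvertTo-HexCode $data['ErrorCode']
        $eapErr = ConvertTo-HexCode $data['EAPErrorCode']

        New-Object PSObject -Property @{
            Time         = $evt.TimeCreated
            SSID         = $data['SSID']
            Identity     = $data['Identity']
            PeerMac      = $data['PeerMac']
            ReasonCode   = $reason
            Reason       = $data['ReasonText']
            ErrorCode    = $err
            Error        = Get-CodeName $err
            EapErrorCode = $eapErr
            EapError     = Get-CodeName $eapErr
        }
    }
}

$failures = @(Get-WirelessAuthFailures)
if ($failures.Count -eq 0) {
    Write-Host 'No 5632 failure audits found (check that Other Logon/Logoff Events auditing is enabled).'
} else {
    $failures | Format-List Time, SSID, Identity, PeerMac, ReasonCode, Reason, ErrorCode, Error, EapErrorCode, EapError
}

# NAP agent service state. Restarting it is the workaround from post #6; the
# restart is left commented so the script only reports by default.
Get-Service -Name napagent | Format-Table Name, Status, DisplayName -AutoSize
# Restart-Service -Name napagent
```

Event 5632 is only written when the "Other Logon/Logoff Events" subcategory is audited; if the query comes back empty, enable it with `auditpol /set /subcategory:"Other Logon/Logoff Events" /failure:enable /success:enable`, reproduce the failure and rerun. Running this before and after `Restart-Service napagent` gives a timestamped record of whether the restart clears the 0x50005 failures, which is the evidence post #6 describes but does not capture.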