ilya7b6 -> Health Auth Certs and EAP auth. interference. (31.Mar.2011 10:15:38 AM)
Hi, Dear friends.
We are deploying MS ForeFront UAG 2010 SP1 with DirectAccess with NAP enabled.
Having trouble with the interoperation of WiFi EAP authentication, DirectAccess IPsec negotiation and NAP.
The problem is the following:
1. While the computer is on the corpnet over a WiFi connection, everything goes right.
It authenticates successfully, using its enterprise-CA-issued certificate and the EAP auth. method.
There is only one computer certificate in Certificates(Local Computer)/Personal/Certificates
Enhanced Key Usage for this certificate is Client Authentication.
2. When I take this same computer away from the corpnet and connect over DirectAccess, I receive
another certificate, which is issued by a standalone subordinate CA dedicated to NAP processing, as
advised in the manuals.
The Enhanced Key Usage of this certificate is System Health Authentication + Client Authentication.
The NAP procedure works fine. The only NAP Enforcement Agent enabled on this computer is the IPsec Relying Party.
3. When I bring this same computer back to the corp network, it fails to authenticate to the WiFi enterprise
network with the following:
ReasonCode: Explicit Eap Failure received (0x50005)
I guess it is because of the new Health Authentication certificate. Am I right? What is wrong with this configuration?
What am I to do to make it work?
By the way, I've tried to uncheck the ClientAuthentication checkbox in the Health Authentication certificate properties.
After that, WiFi starts to work fine, but it begins to use NAP as well, as the DA connections do, even though the EAP enforcement
agent is not enabled.
Is this the right behavior? Is it possible to use the Health Enforcement procedure only in the DA environment, not using it
on wired Ethernet and WiFi?
Thanks in advance.
With respect and kind regards.
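As an added diagnostic for the situation described in the post (my own PowerShell, not part of the original post and not from any UAG or NAP documentation), the following lists every certificate in the Certificates (Local Computer)\Personal store with its Enhanced Key Usage OIDs and flags the case the poster describes: a NAP health certificate that also carries Client Authentication and therefore sits beside the enterprise-CA certificate as a second client-authentication candidate. The two OIDs are the standard ones for Client Authentication and for Microsoft System Health Authentication; the store path, the function name and the "more than one candidate" warning threshold are assumptions made for this example.

```powershell
# Added example, not from the original post. Lists the Local Computer Personal
# store and reports which certificates carry the Client Authentication and
# System Health Authentication EKUs.
# Assumptions: store path Cert:\LocalMachine\My (Certificates (Local Computer)\Personal),
# and the two standard OIDs below.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth
$HealthAuthOid = '1.3.6.1.4.1.311.47.1.1'   # Microsoft System Health Authentication (NAP)

function Get-CertEkuReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # The EKU extension may be absent; a certificate without one is
        # valid for all purposes, so it is counted as a client-auth candidate.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $oids = @()
        if ($ekuExt) {
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            EKUs       = ($oids -join ', ')
            ClientAuth = ($oids.Count -eq 0) -or ($oids -contains $ClientAuthOid)
            HealthAuth = ($oids -contains $HealthAuthOid)
        }
    }
}

$report = @(Get-CertEkuReport)
$report | Format-Table Subject, Issuer, NotAfter, ClientAuth, HealthAuth, EKUs -AutoSize

# Flag the condition from the post: more than one certificate usable for
# client authentication, one of which is the NAP health certificate.
$eapCandidates = @($report | Where-Object { $_.ClientAuth })
if ($eapCandidates.Count -gt 1) {
    Write-Warning ("{0} certificates in the store are usable for client authentication." -f $eapCandidates.Count)
    $report | Where-Object { $_.HealthAuth -and $_.ClientAuth } | ForEach-Object {
        Write-Warning ("Health certificate also carries Client Authentication: {0} ({1})" -f $_.Subject, $_.Thumbprint)
    }
}
```

Run it in an elevated PowerShell on the client before and after a DirectAccess session; the second run is expected to show the additional subordinate-CA certificate and, if its EKUs are as the post describes, to raise the warning. The report is read-only; it does not change certificate purposes or any EAP or NAP setting.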