802.1X wired with EAP-TLS doesn't work with NPS / NDES (windows radius server)

Issues related to configuring your network
oustalnau
Posts: 1
Joined: 2019/06/28 12:20:16


Post by oustalnau » 2019/06/28 13:38:54

Hi,

My environment: 1 Windows 2016 AD, 1 Windows 2016 ADCS (2-tier hierarchy), 1 Windows 2016 NPS with NDES
I'm trying to authenticate a CentOS 7.6 computer on my LAN with a computer certificate generated by my ADCS.

With a Windows computer, it works fine.
To enroll a certificate provided by my PKI, I followed the instructions given in these articles:
- "LINUX Certificate Enrollment and Automated Renewal Using NDES (Updated)" : https://blogs.technet.microsoft.com/jef ... 12/16/236/
- and https://social.technet.microsoft.com/wi ... -ndes.aspx

We used wpa_supplicant with EAP-TLS.

The CA chain certificates are present on the CentOS computers.
With the command "sscep enrol", a certificate is created.

openssl x509 -text -noout -in <my_cert>.crt gives:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
XX:XX:XX:..................:XX

Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=com, DC=XXX, DC=XXX, CN=ONLINE-SEC-CA2
Validity
Not Before: Jun 28 09:25:55 2019 GMT
Not After : Jun 27 09:25:55 2020 GMT

Subject: C=FR, ST=XXX, L=XXX, O=XXX, OU=XXX, CN=<fqdn>
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
XX:XX:XX:..................:XX
Exponent: 65537 (0x10001)

X509v3 extensions:
X509v3 Subject Alternative Name: critical
DNS:<fdqn>.com, DNS:<hostname>
X509v3 Subject Key Identifier:
XX:XX:XX:..................:XX
X509v3 Authority Key Identifier:
keyid:XX:XX:XX:..................:XX
X509v3 CRL Distribution Points:
Full Name:
URI:http://XXX.com/ONLINE-SEC-CA2.crl
Authority Information Access:
CA Issuers - URI:http://XXX.com/ONLINE-SEC-CA2.crt
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
1.3.6.1.4.1.311.21.7:
0..&+.....7.....6...J.......
............a..d...
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
1.3.6.1.4.1.311.21.10:
0.0
..+.......0
..+.......
Signature Algorithm: sha256WithRSAEncryption
XX:XX:XX:..................:XX


When I start a session on the CentOS computer, I find an event no. 6273 on the Windows server hosting the NPS server:
"Reason code 8, the specified user account doesn't exist"

It seems then that NPS is waiting for a user certificate, or I expect that NPS checks for the presence of the computer certificate.

If I check the certificate for a Windows supplicant, X509v3 Extended Key Usage contains: "Server Authentication 1.3.6.1.5.5.7.3.1,
Client Authentication 1.3.6.1.5.5.7.3.2"


What are the prerequisites for the certificate template which is used by NDES?

Cordially,

Christophe
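Before digging into the NPS side, it helps to confirm on the CentOS box that the certificate sscep produced actually has what an EAP-TLS supplicant certificate needs: the Client Authentication EKU (1.3.6.1.5.5.7.3.2) that the Windows supplicant's certificate shows, the Digital Signature key usage, and a subjectAltName carrying the machine's DNS name (NPS looks the account up from the name in the SAN, so a computer certificate's DNS name has to match the computer object in AD). The script below is an added example, not from the original post or from the linked articles; it builds two constructed self-signed certificates with openssl (one with clientAuth, one without) purely so the check can be demonstrated offline, and `check_eaptls_client` is a hypothetical helper name. Point it at the real `<my_cert>.crt` to check the NDES-issued certificate instead.

```shell
#!/bin/sh
# Added example: sanity-check a supplicant certificate for EAP-TLS prerequisites.
# The certificates generated here are constructed test data, not PKI-issued ones.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME FQDN EKU_LIST
# Writes a self-signed certificate shaped like the one in the post (critical
# keyUsage, a SAN with the FQDN, the given EKU list) and prints its path.
make_cert() {
    name="$1"; fqdn="$2"; eku="$3"
    cat > "$WORK/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $fqdn
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName = DNS:$fqdn
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
        -config "$WORK/$name.cnf" -extensions v3_req >/dev/null 2>&1
    echo "$WORK/$name.crt"
}

# check_eaptls_client CERT_FILE
# Returns 0 when the certificate carries everything an EAP-TLS client cert
# needs for NPS; prints one line per missing item and returns 1 otherwise.
check_eaptls_client() {
    text="$(openssl x509 -noout -text -in "$1")"
    ok=0
    printf '%s\n' "$text" | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication' \
        || { echo "$1: missing Client Authentication EKU (1.3.6.1.5.5.7.3.2)"; ok=1; }
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' \
        | grep -q 'Digital Signature' \
        || { echo "$1: missing Digital Signature key usage"; ok=1; }
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
        | grep -Eq 'DNS:|othername:' \
        || { echo "$1: no DNS or UPN name in subjectAltName"; ok=1; }
    return $ok
}

# Demonstration on the constructed certificates.
GOOD_CERT="$(make_cert good client1.example.com 'serverAuth, clientAuth')"
BAD_CERT="$(make_cert bad client2.example.com 'serverAuth')"
check_eaptls_client "$GOOD_CERT" && echo "$GOOD_CERT: usable for EAP-TLS"
check_eaptls_client "$BAD_CERT" || echo "$BAD_CERT: not usable for EAP-TLS"
```

The three greps read the same `openssl x509 -text` output shown in the post, so the check works unchanged on OpenSSL 1.0.2 as shipped with CentOS 7; it deliberately does not try to decode the Microsoft-specific extensions (1.3.6.1.4.1.311.21.7 and .21.10), which openssl only dumps as raw bytes.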
