Question
Wednesday, November 29, 2017 4:33 PM
Hello,
I am configuring wired dot1x using EAP-TLS on the dot1x supplicant, and each time the supplicant attempts to authenticate, I receive an auth fail.
Here are the authentication details:
Authentication Details:
Connection Request Policy Name: dot1x_EC
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: adds1.lab1025.net
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 269
Reason: The client and server cannot communicate, because they do not possess a common algorithm.
Could somebody recommend a way to fix it? Or at least how to diagnose it.
Thanks in advance
All replies (5)
Friday, December 1, 2017 2:52 AM ✅Answered
Hi Yury,
>>*As I understand Microsoft NPS does not support sha512. Is there any way to bypass this restriction? I am using Windows Server 2016 DC Edition. *
Based on my research, SHA512 is disabled in Windows when you use TLS 1.2. After you apply the following update, you could use SHA512 certificates on your computer. But the update does not apply to Server 2016, for your reference:
SHA512 is disabled in Windows when you use TLS 1.2
https://support.microsoft.com/en-us/help/2973337/sha512-is-disabled-in-windows-when-you-use-tls-1-2
I did not find any related information about this issue in Server 2016.
You might try to renew the certificate with SHA256 Signature hash algorithm:
SHA-256 Self Signed Certificate for Windows Server 2012 R2
Best Regards,
Candy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, December 1, 2017 10:12 AM ✅Answered
I have configured new NPS on Windows 2012 R2 server.
Now dot1x authentication works perfectly with ECDSA\SHA512.
So it was a problem in Windows Server 2016. I hope that Microsoft will fix it soon and issue an update.
BR
Yury
Thursday, November 30, 2017 5:41 AM
Hi,
Please also check the event logs to see if there is something related for us to troubleshoot.
>>The client and server cannot communicate, because they do not possess a common algorithm.
When a Client and Server communicate via SSL/TLS, they must use a common cipher algorithm. If they are unable to find a common algorithm, the SSL/TLS connection will fail with the exception.
If the server's certificate KeySpec property is set to 2 (AT_SIGNATURE), a certificate with this KeySpec is only good for signing.
The cipher suites of choice using the RSA key exchange require the KeySpec to be set to 1 (AT_KEYEXCHANGE).
For your reference:
Encountering "The client and server cannot communicate, because they do not possess a common algorithm" or SEC_E_ALGORITHM_MISMATCH (0x80090331)
Best Regards,
Candy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, November 30, 2017 9:32 AM
I've checked event viewer.
In System log I see a lot of following errors:
TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.
I have used Wireshark to check RADIUS messages between the switch (authenticator) and NPS, and found that the supplicant offers a lot of cipher suites (86).
How can I check why Windows Server can't accept one of the suites from the list?
By the way, probably it is important that supplicant uses OpenSSL library.
Best Regards,
Yury
Thursday, November 30, 2017 3:50 PM
It seems that my problem is in the following:
I am using EAP-TLS on the supplicant, and there is a certificate installed on the supplicant.
My problem is that I am using a certificate with SHA512 hash algorithm and sha512ECDSA as the signature algorithm.
As I understand Microsoft NPS does not support sha512. Is there any way to bypass this restriction? I am using Windows Server 2016 DC Edition.
Thanks in advance,
Yury
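The two questions in this thread (why the server accepts none of the 86 suites the supplicant offers, and whether the sha512ECDSA certificate is the cause) both come down to comparing what the ClientHello offers against what the server is willing to accept. The following script is an added example, not code from Microsoft, NPS, Schannel or the supplicant's OpenSSL: it parses a TLS 1.2 ClientHello record, lists the offered cipher suites and the signature_algorithms extension, and intersects both with a server policy. The policy (sha256/sha384 hashes only, mirroring the linked KB's statement that SHA512 is disabled under TLS 1.2) and the ClientHello byte strings are constructed in the script for illustration; on a real capture you would feed the Wireshark-exported record bytes to `diagnose()` instead.

```python
"""Parse a TLS 1.2 ClientHello and compare the client's offer with a server
policy, to pinpoint a "no common algorithm" failure. Added example code for this
thread (not Microsoft's NPS, Schannel or the supplicant's OpenSSL); the server
policy and the ClientHello bytes below are constructed for illustration."""
import struct

# IANA TLS cipher suite values (real registry numbers, small subset)
SUITE_NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
# RFC 5246 SignatureAndHashAlgorithm code points
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}
SIGNATURE_ALGORITHMS_EXT = 13


def build_client_hello(cipher_suites, sig_algs):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not a capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"      # version 1.2, zero random, empty session id
    suites = b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                            # one compression method: null
    sa = b"".join(bytes([h, s]) for h, s in sig_algs)
    ext = struct.pack(">HHH", SIGNATURE_ALGORITHMS_EXT, len(sa) + 2, len(sa)) + sa
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (cipher suite ids, [(hash, sig)]) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # skip session_id
    (cs_len,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression_methods
    sig_algs = []
    if pos < len(body):                            # extensions block is optional
        (ext_len,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
            if etype == SIGNATURE_ALGORITHMS_EXT:
                (sa_len,) = struct.unpack(">H", body[pos:pos + 2])
                sa = body[pos + 2:pos + 2 + sa_len]
                sig_algs = [(sa[i], sa[i + 1]) for i in range(0, sa_len, 2)]
            pos += elen
    return suites, sig_algs


def diagnose(record, server_suites, server_hashes):
    """Intersect the client's offer with the server policy and name what is missing."""
    suites, sig_algs = parse_client_hello(record)
    common_suites = [s for s in suites if s in server_suites]
    common_sigs = [(h, s) for h, s in sig_algs if h in server_hashes]
    findings = []
    if not common_suites:
        findings.append("no common cipher suite")
    if sig_algs and not common_sigs:
        findings.append("no common signature hash: client offers only "
                        + ", ".join(f"{HASH_NAMES.get(h, h)}/{SIG_NAMES.get(s, s)}"
                                    for h, s in sig_algs))
    return {
        "offered_suites": [SUITE_NAMES.get(s, hex(s)) for s in suites],
        "common_suites": [SUITE_NAMES.get(s, hex(s)) for s in common_suites],
        "findings": findings,
    }


# Constructed server policy: accepts the ECDSA/RSA GCM suites but, like Windows TLS 1.2
# in the linked KB, only sha256/sha384 signature hashes (no sha512).
SERVER_SUITES = {0xC02B, 0xC02C, 0xC02F, 0x009C}
SERVER_HASHES = {4, 5}

# Constructed ClientHello resembling the supplicant: ECDSA suites, sha512/ecdsa only.
SHA512_HELLO = build_client_hello([0xC02C, 0xC02B], [(6, 3)])
# The same supplicant after moving to a sha256/ecdsa certificate chain.
SHA256_HELLO = build_client_hello([0xC02C, 0xC02B], [(4, 3), (5, 3)])

if __name__ == "__main__":
    for name, hello in (("sha512 client", SHA512_HELLO), ("sha256 client", SHA256_HELLO)):
        print(name, diagnose(hello, SERVER_SUITES, SERVER_HASHES))
```

The point of splitting the report into cipher suites and signature hashes is that the Schannel event quoted above blames cipher suites, while the certificate in this thread fails on the hash: with the constructed policy the sha512-only client has two usable GCM suites in common with the server and still cannot complete the handshake, which is the situation worth recognising before renewing the certificate.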