Problem connecting XP WiFi to Server 2008 R2 with PEAP

    Question

  • I recently upgraded my Server 2003 DC to Server 2008 R2. On 2003, everything was working fine for RADIUS, the CA, and private WiFi via PEAP authentication. Now I've set it all up again on 2008 R2 with NPS, etc. Our VPN is still working fine, but the wireless is giving me fits. I have a Vista laptop that can connect just fine. However, the XP laptop will not connect.

    I get the following two events repeatedly in the System Log:


    Event ID: 36874
    Source: Schannel
    Description:
    An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

    Event ID: 36888
    Source: Schannel
    Description:
    The following fatal alert was generated: 40. The internal error state is 1205.

    And I get the following Audit Failure in the Security Log:

    Event ID 6273
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: domain\user
    Account Name: domain\user
    Account Domain: domain
    Fully Qualified Account Name: domain\user

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 000FB57A11CE:Private WiFi
    Calling Station Identifier: 001DE0474B05

    NAS:
    NAS IPv4 Address: 192.168.XX.XX
    NAS IPv6 Address: -
    NAS Identifier: wpap4
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 2

    RADIUS Client:
    Client Friendly Name: WPAP4
    Client IP Address: 192.168.XX.XX

    Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name: Secure Wireless Connections
    Authentication Provider: Windows
    Authentication Server: server.domain.local
    Authentication Type: PEAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 269
    Reason: The client and server cannot communicate, because they do not possess a common algorithm.

    Thursday, July 15, 2010 12:54 PM

All replies

  • Hi,

    Please check if the hotfix KB 969111 can help:

    A Windows XP Service Pack 3-based client computer cannot use the IEEE 802.1x authentication when you use PEAP with PEAP-MSCHAPv2 in a domain
    http://support.microsoft.com/kb/969111

    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, July 16, 2010 8:11 AM
    Moderator
  • Hello,

    Can you please check the following setting in the Local Policy on the NPS server:

    Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing,

    and check its status (enabled/disabled)?

    I'm not sure if this is the answer to your problem, but you can give it a try.

    Sunday, July 18, 2010 6:55 PM
  • Hi,

    How's everything going? I want to check if the suggestion has helped. If you need further assistance, please do not hesitate to respond back.

    Thanks.

    Monday, July 26, 2010 2:08 AM
    Moderator
  • Thanks for checking in. Neither suggestion helped. Still get the same error from all the XP laptops. However, we are rolling out Windows 7 in a few months so we've decided to just use a workaround for the time being since this problem doesn't seem to affect Vista or 7. I have a suspicion that it might have to do with our self-signed certificate, but I'm not sure.
    Monday, July 26, 2010 9:54 PM
  • Hi,

    Thanks for your update. I am sorry to hear that the suggestions do not help. If you need any assistance in the future, please do not hesitate to post in our forums.

    Have a nice day.

    Tuesday, July 27, 2010 2:19 AM
    Moderator
  • Make sure your server certificate is using the AT_KEYEXCHANGE keyspec. If not, it may not be able to negotiate a ciphersuite between the client and server, because if you are using AT_SIGNATURE in your server certificate, you exempt yourself from using any of the *RSA* TLS ciphersuites available to downlevel XP clients.

    I saw this when using an OpenSSL client and Windows 2008 R2 server when rolling my own SSL Server certificates with an incorrect keyspec. Newer clients (Win7, Vista) work because they can agree on ECDH ciphersuites and ignore the key spec.

    • Proposed as answer by kxx Tuesday, November 09, 2010 6:20 PM
    Tuesday, November 09, 2010 6:18 PM
  • Hi,

    Having the same issue; is there a fix? Windows 7 works, Windows XP SP3 client does not work.

    Got the following errors:

    Logging Results: Accounting information was written to the local log file.
    Reason Code: 269
    Reason: The client and server cannot communicate, because they do not possess a common algorithm.
    JOe
    Saturday, September 17, 2011 7:51 AM
  • Problem fixed. The CA cert was imported to the NPS server instead. Fixed by enrolling a cert from the CA to the NPS server.

    JOe

    • Proposed as answer by piloteight Tuesday, September 27, 2011 2:48 PM
    Friday, September 23, 2011 3:51 AM
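The two fixes that worked in this thread both come down to the server certificate NPS presents for PEAP: it must be a server certificate with a private key (not the CA's own certificate), and, for XP clients, its key must have the AT_KEYEXCHANGE key spec so RSA key-exchange cipher suites can be negotiated. The following PowerShell audit is an added example, not from the thread or from Microsoft; it inspects the machine store on the NPS server and reports those properties, assuming the private keys are CAPI (legacy CSP) keys, since CNG-stored keys expose no KeyNumber and are reported as "CNG/unknown".

```powershell
# Added example: audit LocalMachine\My on the NPS server for a certificate usable as the PEAP server cert.
# Run in an elevated PowerShell session on the NPS server. "Exchange" = AT_KEYEXCHANGE, "Signature" = AT_SIGNATURE.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication

function Test-PeapServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Server Authentication EKU; a certificate with no EKU extension is valid for all purposes.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $true
    if ($ekuExt) {
        $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }

    # Basic Constraints: a CA certificate (cA=TRUE) is not a server certificate.
    $bcExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $isCa = $false
    if ($bcExt) { $isCa = $bcExt.CertificateAuthority }

    # Key spec of the private key (CAPI keys only; CNG keys have no CspKeyContainerInfo).
    $keySpec = 'no private key'
    if ($Cert.HasPrivateKey) {
        $keySpec = 'CNG/unknown'
        try {
            $info = $Cert.PrivateKey.CspKeyContainerInfo
            if ($info) { $keySpec = $info.KeyNumber.ToString() }
        } catch { }
    }

    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuthEku = $hasServerAuth
        IsCaCert      = $isCa
        KeySpec       = $keySpec
        # All four conditions must hold for PEAP to work against downlevel (XP) clients.
        UsableForPeap = ($Cert.HasPrivateKey -and $hasServerAuth -and -not $isCa -and $keySpec -eq 'Exchange')
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-PeapServerCert $_ } |
    Format-Table Subject, KeySpec, HasPrivateKey, ServerAuthEku, IsCaCert, UsableForPeap -AutoSize
```

A store that lists only the CA certificate (IsCaCert true, no private key) matches the last poster's situation; a server certificate showing KeySpec "Signature" matches the AT_SIGNATURE case described above.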