The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

  • Question

  • I have been trying to set up a wireless network using EAP-TLS on a Server 2012 R2 machine with Win 7 and Win 10 clients in a domain environment.  The setup is as follows:

    Cisco WAP321 AP - Configured radius settings, secret and setup an SSID.

    Two tier Internal PKI that auto enrolls both computers and users with certificates via group policy.  The templates they use are duplicates of the computer and user templates with no changes. The NPS server uses the RAS and IAS Server template with no changes. I also push out the Root and Sub CA and NPS certificates using Group Policy to the trusted root.  I have verified that all 3 of these certificates plus the user and computer certs are on the client and host computers.  

    The NPS server is on the Sub CA server. NPS settings (changes from default):
    RADIUS Clients
      -Settings: Shared Secret and IP of Cisco WAP321
      -Advanced: Vendor name = Cisco
      -Advanced: Checked Access-Request messages must contain the Message-Authentication attribute

    Connection Request Policies
      - Conditions: "NAS Port Type = Wireless - Other or Wireless - IEEE 802.11"

    Network Policies
      - Overview: Ignore User account dial-in policies
      - Conditions: "NAS Port Type = Wireless - Other or Wireless - IEEE 802.11"
      - Conditions: "Windows Groups = Domain\Domain Users OR Domain\Domain Computers"
      - Constraints: Authentication Methods: EAP Types has "Microsoft: Smart Card or other certificate" configured with the "NPS Server" certificate. All other methods are unchecked.
      - Settings: Encryption: Strongest Encryption is the only one checked

    Health Policies
      - None


    Wireless settings are pushed out via Group Policy with the settings below.

    I am continually getting this error

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          1/23/2017 9:40:44 AM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      NPSServer2012R2.Domain.local
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: Domain\firstname.lastname
    Account Name: Domain\firstname.lastname
    Account Domain: Domain
    Fully Qualified Account Name: Domain\firstname.lastname

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 4C-00-11-E0-10-B8:WifiSSID
    Calling Station Identifier: 58-11-CF-11-F8-B7

    NAS:
    NAS IPv4 Address: 10.10.10.200
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 0

    RADIUS Client:
    Client Friendly Name: WAP321-Cisco
    Client IP Address: 10.10.10.200

    Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name: Secure Wireless Connections
    Authentication Provider: Windows
    Authentication Server: NPSServer2012R2.Domain.local
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 22
    Reason: The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{1111-1111-1111-A5BA-11111111111}" />
        <EventID>6273</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2017-01-23T15:40:44.836203300Z" />
        <EventRecordID>85335</EventRecordID>
        <Correlation />
        <Execution ProcessID="624" ThreadID="4452" />
        <Channel>Security</Channel>
        <Computer>NPSServer2012R2.Domain.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-1111111111-1526706777-1111111111-7648</Data>
        <Data Name="SubjectUserName">Domain\firstname.lastname</Data>
        <Data Name="SubjectDomainName">Domain</Data>
        <Data Name="FullyQualifiedSubjectUserName">Domain\firstname.lastname</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">-</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">4C-00-11-E0-10-B8:WifiSSID</Data>
        <Data Name="CallingStationID">58-11-CF-11-F8-B7</Data>
        <Data Name="NASIPv4Address">10.10.10.200</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">-</Data>
        <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
        <Data Name="NASPort">0</Data>
        <Data Name="ClientName">WAP321-Cisco</Data>
        <Data Name="ClientIPAddress">10.10.10.200</Data>
        <Data Name="ProxyPolicyName">Secure Wireless Connections</Data>
        <Data Name="NetworkPolicyName">Secure Wireless Connections</Data>
        <Data Name="AuthenticationProvider">Windows</Data>
        <Data Name="AuthenticationServer">NPSServer2012R2.Domain.local</Data>
        <Data Name="AuthenticationType">EAP</Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">-</Data>
        <Data Name="ReasonCode">22</Data>
        <Data Name="Reason">The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.</Data>
        <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
      </EventData>
    </Event>

    Monday, January 23, 2017 6:46 PM

Answers

  • I am now able to get wifi working using the client computer and the computer certificate. I had the wrong certificate selected in my wifi profiles... However, I am still getting this error for the user portion using user certificates. In my NPS log I get an access granted message for the computer account followed by a denied for the user. I would like to be able to use a computer certificate while the machine is on but not logged in to (for administrative purposes) and a user certificate when the user is logged in.  Is this possible?
    • Marked as answer by BHeshka Tuesday, February 28, 2017 5:48 PM
    Tuesday, January 24, 2017 9:18 PM
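    The event quoted in the question and the "computer granted, then user denied" sequence described in this answer are what an NPS administrator would correlate per client MAC when triaging. The script below is an added example (not code from the thread or from Microsoft); the 6272 record it pairs with the post's 6273 is a constructed, hypothetical sample, as are the computer name and machine SID in it.

```python
# Added example, not code from the thread: triage NPS audit events 6272 (granted)
# and 6273 (denied) per client MAC so the "machine cert granted, then user cert
# denied with Reason Code 22" sequence described in the thread stands out.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
REASON_EAP_TYPE_UNPROCESSABLE = "22"   # Reason Code from the 6273 event in the post

# Constructed sample: a trimmed copy of the post's 6273 event, preceded by a hypothetical
# 6272 for the same client MAC authenticating with its computer account.
SAMPLE_EVENTS = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<EventID>6272</EventID></System><EventData>'
    '<Data Name="SubjectUserName">Domain\\WIN10-PC01$</Data>'
    '<Data Name="SubjectMachineSID">S-1-5-21-1111111111-1526706777-1111111111-1105</Data>'
    '<Data Name="CallingStationID">58-11-CF-11-F8-B7</Data>'
    '<Data Name="EAPType">Microsoft: Smart Card or other certificate</Data>'
    '</EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<EventID>6273</EventID></System><EventData>'
    '<Data Name="SubjectUserName">Domain\\firstname.lastname</Data>'
    '<Data Name="SubjectMachineSID">S-1-0-0</Data>'
    '<Data Name="CallingStationID">58-11-CF-11-F8-B7</Data>'
    '<Data Name="EAPType">-</Data><Data Name="ReasonCode">22</Data>'
    '</EventData></Event>',
]

def parse_event(xml_text):
    """Return {Data Name: value} plus 'event_id' and 'kind' for one NPS Event XML record."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    data["event_id"] = root.findtext("e:System/e:EventID", namespaces=NS)
    # Machine auth presents the computer account (DOMAIN\HOST$); the user branch of
    # the same connection carries a NULL machine SID (S-1-0-0), as in the post.
    data["kind"] = "machine" if data.get("SubjectUserName", "").endswith("$") else "user"
    return data

def summarize_by_mac(xml_records):
    """Group parsed events by Calling-Station-ID (client MAC), preserving arrival order."""
    by_mac = {}
    for rec in map(parse_event, xml_records):
        by_mac.setdefault(rec.get("CallingStationID", "?"), []).append(rec)
    return by_mac

def machine_granted_user_denied(rows):
    """True when one MAC shows a machine grant (6272) followed by a user denial (6273)
    with Reason Code 22 and no EAP type recorded: NPS policy and the RADIUS client
    already worked for the machine branch, so the user-certificate side is suspect."""
    granted = [i for i, r in enumerate(rows) if r["event_id"] == "6272" and r["kind"] == "machine"]
    denied = [i for i, r in enumerate(rows) if r["event_id"] == "6273" and r["kind"] == "user"
              and r.get("ReasonCode") == REASON_EAP_TYPE_UNPROCESSABLE and r.get("EAPType") == "-"]
    return bool(granted) and bool(denied) and min(granted) < max(denied)
```

    On a real NPS server the same records come from the Security log (e.g. exported with `wevtutil` or `Get-WinEvent` as XML), one `<Event>` per record.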
  • Hi BHeshka,

    >I would like to be able to use a computer certificate while the machine is on but not logged in to (for administrative purposes) and a user certificate when the user is logged in.  Is this possible?

    Yes, it is possible, and it's a common behavior when we configure user authentication.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by BHeshka Tuesday, February 28, 2017 5:48 PM
    Tuesday, January 31, 2017 6:31 AM

All replies

  • Hi BHeshka,

    This issue is still under research; we'll feed back as soon as we get any useful information.

    Best Regards,

    Anne



    Tuesday, January 24, 2017 7:59 AM