A certificate could not be found that can be used with this Extensible Authentication Protocol when configuring Authentication Methods for 802.1x

  • Question

  • I'm trying to set up a Cisco 1142 AP to use WPA2 Enterprise to authenticate users to our RADIUS server (Windows Server 2008 Standard), which is also an RODC (read-only domain controller). Our CA is another domain controller. I go to the RADIUS server/RODC, open mmc, add Certificates, and request a certificate for the local store. It gives me the choice of two types of certificates: Directory Email Replication or Domain Controller Authentication. I choose Domain Controller Authentication. I give the certificate a friendly name of PEAP-Wireless.

    I then go to NPS and start the "scenario wizard". I select "RADIUS Server for 802.1x Wireless or Wired Connections" - click Configure 802.1x - select "Secure Wireless Connections" - Next - add my RADIUS client, which is the Cisco 1142 AP, and put in the shared secret - Next - Configure an Authentication Method - select "Microsoft: Protected EAP (PEAP)" - click Configure - and I get a window that says "Cannot configure EAP" - "A certificate could not be found that can be used with this Extensible Authentication Protocol."

    Has the process for generating the certificate changed in 2008? Is there an issue doing this on a domain controller or an RODC?

    Tuesday, March 22, 2011 6:10 PM

Answers

  • Hi Customer,

    According to your description, the RODC needs to request a Computer certificate, not a Domain Controller certificate.

    I recommend not installing NPS on an RODC; it does not support the PEAP-MS-CHAP v2 authentication protocol. Password change scenarios are not supported if NPS is configured to communicate with a Read-only domain controller (RODC) in your network.

    PEAP Overview

    http://technet.microsoft.com/en-us/library/cc754179(WS.10).aspx

    If you use an RODC with NPS, you can only deploy certificate-based authentication. In this case, servers running NPS must have a server certificate (Sub CA of enterprise root CA). During the authentication process, these servers send their server certificate to client computers as proof of identity. Please refer to the articles below.

    Deploy a CA and NPS Server Certificate

    http://technet.microsoft.com/en-us/library/cc730811(WS.10).aspx

    Deploying Certificates for PEAP and EAP

    http://technet.microsoft.com/en-us/library/cc754367(WS.10).aspx

    Regards, Rick Tan
    • Marked as answer by Rick Tan Wednesday, March 30, 2011 2:17 AM
    Wednesday, March 23, 2011 9:54 AM
  • Hi,

    The certificate for PEAP must have an enhanced key usage of server authentication. The "computer" certificate template has this, but you should be able to use any certificate that does. Of course, NPS will need to have permission to enroll this certificate type.
    • Marked as answer by Rick Tan Wednesday, March 30, 2011 2:17 AM
    Saturday, March 26, 2011 7:54 AM
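To check the requirement stated in the answer above on the NPS server itself, here is an added example (not code from the thread or from Microsoft): a PowerShell snippet that lists the certificates in the local computer's Personal store and flags those that carry the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), have a private key, and chain to a trusted CA. It assumes an elevated PowerShell session on the NPS server.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell
# on the NPS server. Lists certificates in the computer's Personal store and
# flags those that meet the PEAP server certificate requirement described
# above: private key present and Server Authentication EKU (1.3.6.1.5.5.7.3.1).
$serverAuthOid   = '1.3.6.1.5.5.7.3.1'
$ekuExtensionOid = '2.5.29.37'   # id-ce-extKeyUsage

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Collect the EKU OIDs; a certificate without the extension has none.
    $ekuOids = @()
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtensionOid }
    if ($ekuExt) {
        $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = [bool]($ekuOids -contains $serverAuthOid)
        # Verify() builds and validates the chain against the machine's trust store.
        ChainValid    = $cert.Verify()
    }
}

$report |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey, ServerAuthEku, ChainValid |
    Format-Table -AutoSize

$usable = @($report | Where-Object { $_.HasPrivateKey -and $_.ServerAuthEku -and $_.ChainValid })
if ($usable.Count -eq 0) {
    Write-Warning 'No certificate with a private key, the Server Authentication EKU and a valid chain was found; NPS will report that no certificate can be used with this EAP type.'
} else {
    Write-Host ("{0} certificate(s) usable as a PEAP server certificate." -f $usable.Count)
}
```

If every certificate listed shows ServerAuthEku as False, request one from a template that includes Server Authentication (such as the Computer template named in the answers above) and re-run the wizard.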