Help with NPS for RADIUS authentication between Meraki and DC - Reason 22

    Question

  • Hoping someone can help me.  I have 2 Meraki wireless networks in two different offices for the same customer.  Both sites have a Windows 2008 R2 domain controller with NPS installed.  Both DCs have new GeoTrust certificates installed to the Personal Certificate store, and the CA Root Certificate installed to the Intermediate CA store.  Both NPS environments have identical Connection Request and Network Policies.

    RADIUS is working perfectly at Site A, but not Site B.  The access points at Site B are able to authenticate against NPS at Site A over the VPN tunnel, but the APs at either site are unable to authenticate against NPS at Site B.  Event Viewer returns Reason 22 as the error, and I'm stumped as to why.  

    • I’ve confirmed I’m using the correct RADIUS secret on my APs and in NPS.
    • I’ve tried removing EAP-MSCHAP v2 and re-ordering them, without any change
    • I’ve confirmed I have the correct certificate applied to PEAP in the Network Policy
    • I tried removing and re-importing my certificate and the CA Root certificate
    • I’ve restarted NPS multiple times

    What could I be missing?

    Friday, March 9, 2018 2:42 PM

All replies

  •  Hi TeknaDan,

    Thanks for your question.

    Reason code 22 probably occurs when there is an incompatibility in authentication between the client and server.

    Please check the authentication protocol on the client and verify if it’s the same as the authentication protocol configured in your network policy, and make sure that your authentication requests are hitting the same policy on the NPS server.

    In addition, this issue may also be because your client didn't have the CA certificate of your domain. Please make sure that your client has the CA certificate.

    Besides, the error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" may be because the default maximum transmission unit that NPS uses for EAP payloads is 1500 bytes. You can lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy to a value no greater than 1344:

    Configure the EAP Payload Size

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc755205(v=ws.10)

    Here is a link about a case similar to yours; it may be helpful:

    https://community.arubanetworks.com/t5/Wireless-Access/802-1x-Authentication-with-Microsoft-NPS/td-p/203079

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.  

    Hope the information above is helpful.

    I really appreciate your effort. If you have any questions or concerns, don’t hesitate to let me know.

    Wish you a nice day!

    Best regards, 

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, March 12, 2018 8:42 AM
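
The check suggested in the reply above (which policy the requests hit, and which authentication and EAP type NPS recorded) can be read from the NPS denial events. This is an added example, not part of the thread: it assumes the denials are logged as event ID 6273 in the Security log with the standard field labels, and the AP name, IP address and policy names in the sample are constructed.

```powershell
# Added example: pull the policy / EAP fields out of an NPS denial event
# (Security log, event ID 6273) so Reason Code 22 entries can be compared
# between the working and the failing NPS server.

function ConvertFrom-NpsDenial {
    param([Parameter(Mandatory = $true)][string]$Message)

    # Field labels as they appear in the event 6273 message text (assumed standard layout).
    $labels = 'Client Friendly Name', 'Client IP Address',
              'Connection Request Policy Name', 'Network Policy Name',
              'Authentication Type', 'EAP Type', 'Reason Code'

    $props = @{}
    foreach ($label in $labels) {
        # Anchor on the line start so 'EAP Type' inside the Reason text is not matched.
        $pattern = '(?m)^[ \t]*' + [regex]::Escape($label) + ':[ \t]*(.*?)[ \t\r]*$'
        $m = [regex]::Match($Message, $pattern)
        if ($m.Success) { $props[$label] = $m.Groups[1].Value }
        else            { $props[$label] = $null }   # label missing from this event
    }
    New-Object PSObject -Property $props | Select-Object $labels
}

# Constructed sample of the relevant part of a 6273 message (not taken from the thread).
$sample = @'
RADIUS Client:
	Client Friendly Name:		SiteB-AP01
	Client IP Address:			192.0.2.10

Authentication Details:
	Connection Request Policy Name:	Secure Wireless Connections
	Network Policy Name:		Secure Wireless Connections
	Authentication Type:		EAP
	EAP Type:			-
	Reason Code:			22
	Reason:				The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
'@

ConvertFrom-NpsDenial -Message $sample | Format-List

# On the NPS server (elevated prompt), group the live Reason 22 denials:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 200 |
#   ForEach-Object { ConvertFrom-NpsDenial -Message $_.Message } |
#   Where-Object { $_.'Reason Code' -eq '22' } |
#   Group-Object 'Client Friendly Name', 'Network Policy Name', 'EAP Type'
```

Running the commented pipeline on both NPS servers shows whether the failing server matches a different network policy or records a different authentication type for the same access points.
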
  • Hi TeknaDan,

    How are things going? Was your issue resolved?

    Please let us know if you would like further assistance.

    Wish you a nice day!

    Best regards,

    Michael



    Wednesday, March 14, 2018 10:20 AM