Using NPS with 2003 AD CS Certs

  • Question

  • We've upgraded an IAS server with Windows Server 2008R2 and installed the new NPS server. The import using IASMIGREADER seemed to work fine. However, we've encountered problems with the authentication methods needed for our access points. With IAS we've been using EAP-MSCHAP-V2 combined with PEAP, and have been using a certificate from AD CS running under Windows Server 2003. When I try to configure PEAP, I get the error "A certificate cannot be found that can be used with this Extensible Authentication Protocol". The same certificate works fine with IAS. I've been doing a lot of Google searches on this topic and thought I was making some progress, but in the end I've hit a wall.

    Should NPS work with certificates supplied by a 2003 Certificate Server?

    I should add that the error that shows up in the NPS event log is "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server".

    Is there something that needs to be done to make NPS process EAP requests?


    Thanks!
    Tuesday, July 19, 2011 1:51 PM

All replies

  • I'm not sure that the certificate issue is what's causing my problem. I installed our Digicert wildcard certificate on the NPS server and that allowed me to complete the configuration of the NPS server authentication requirements, but wireless connections are still failing and the NPS event log still gives the error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server". The access points are Cisco 1130 series, and I have NPS set up to use PEAP-EAP-MSCHAPV2.

    Any suggestions would be greatly appreciated.

    Tuesday, July 19, 2011 6:57 PM
  • Hi Paul,

    Thank you for your post.

    NPS working with a Windows 2003 CA supports PEAP-MSCHAP-V2 authentication.

    The error means no certificate meets the minimum server certificate requirements.
    To solve this issue, please try the following steps:
    1. Ensure NPS is registered in Active Directory Domain Services
    2. Create NPS policies using the 802.1X wizard, referring to this article
    3. Revoke the NPS server certificate and request a new computer certificate for the NPS server

    If there are more inquiries on this issue, please feel free to let us know.


    Regards,
    Rick Tan
    Wednesday, July 20, 2011 8:50 AM
  • I went through the steps outlined in the article, but unfortunately I'm still getting the certificate error trying to configure PEAP. I can see the NPS certificate created by the proper template in the Personal section of Certificate Manager and it looks correct, but NPS doesn't like it. There were a couple of places in the article that didn't match my environment exactly because the article assumes a 2008 AD CS, while I have a 2003 AD CS. I think I dealt with the changes properly but perhaps that is why I'm still having problems.

    Any other suggestions?
    Thanks!
    Wednesday, July 20, 2011 11:15 PM
  • Hi Paul,

    Please try the following suggestions:
    1. Check that your NPS server's trusted root CA certificate is in the CA MMC Trusted Root CA store
    2. Check that your NPS server certificate template is Computer, in the CA MMC Personal store
    3. Set up a GPO for auto-requesting the computer CA & trusted root CA
    4. Remove the old NPS certificate and get a new CA from gpupdate or a server reboot

    If there are more inquiries on this issue, please feel free to let us know.


    Regards,
    Rick Tan


    • Marked as answer by Paul Steele Friday, July 22, 2011 1:40 PM
    Thursday, July 21, 2011 2:46 AM
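The checks in the answer above can be run from the NPS server itself. The following PowerShell is an added example, not code from the thread or from Microsoft: it lists every certificate in the Local Machine Personal store and reports whether it meets the documented minimum requirements for a PEAP server certificate (Server Authentication EKU, private key present, non-empty Subject, within validity, chains to a trusted root). It uses only PowerShell 2.0 features so it runs on Windows Server 2008 R2.

```powershell
# Added example: report which Local Machine certificates NPS could use for PEAP.
# Run in an elevated PowerShell session on the NPS server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-PeapServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # Collect the EKU OIDs present on the certificate.
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    if ($ekus -notcontains $serverAuthOid)       { $problems += 'missing Server Authentication EKU' }
    if (-not $Cert.HasPrivateKey)                { $problems += 'no private key' }
    if ([string]::IsNullOrEmpty($Cert.Subject))  { $problems += 'empty Subject' }
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'outside validity period' }

    # Build the chain the same way Windows does. A failure here usually means the
    # issuing CA's root is not in the Trusted Root store (step 1 in the answer).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems += ('chain error: ' + $status)
    }

    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        UsableForPeap = ($problems.Count -eq 0)
        Problems      = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-PeapServerCertificate -Cert $_ } |
    Format-List Subject, Issuer, Thumbprint, NotAfter, UsableForPeap, Problems
```

A certificate that shows UsableForPeap = True but still is not offered by the PEAP configuration dialog is worth comparing against the template's key usage and subject-name settings, since those are not fully covered by this check.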
  • That appears to have solved the certificate problem. I was able to complete the PEAP configuration which had been failing. Unfortunately a new problem has appeared. When I change my access point to use the new NPS server, connections from wireless clients do not appear to generate a Radius request to the NPS server (or at least nothing shows up in the NPS logs). I tried using a Radius client simulator and requests from it do arrive at the NPS server and are processed as valid requests. If I change the access point to use the old IAS server it works, but the new NPS server does not. I even tried setting up a new IAS server and it also fails. Very bizarre. There's obviously something wrong somewhere.

    At least the certificate problem is resolved. Thanks for your help.
    Thursday, July 21, 2011 6:41 PM
  • Hi Paul,
    Glad to hear your certificate problem is resolved.

    To the new issue, have you configured a Wireless Access Point as an NPS RADIUS Client, or used Wireless Network (IEEE 802.11) Policies to configure wireless client computers? Please check your settings, referring to the Deploying 802.1X Authenticated Wireless Access guide.

    If there are more inquiries on this issue, please feel free to let us know.


    Regards,
    Rick Tan

    Friday, July 22, 2011 3:20 AM
  • I am familiar with the basic process of setting up NPS clients. Our existing IAS server works fine. I even tried to import the settings from the IAS server to NPS to see if that helped, but still no luck. We've checked the logs on the access point and it's definitely generating the RADIUS request but isn't getting a response. I tried using a RADIUS client simulator using the same settings as our access points and it does work, making the situation even more confusing. Unfortunately there are no entries in any event log on the NPS server that might explain what's going on. Is there any way to increase the logging level for NPS so that it reports all requests, even ones that have incorrect information? If we knew why NPS was rejecting the RADIUS request we probably could figure out what we're doing wrong.

    Thanks!


    Friday, July 22, 2011 1:39 PM
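On the logging question raised in the post above: on Windows Server 2008 R2, NPS writes its per-request outcome to the Security log as audit events 6272 (access granted), 6273 (access denied) and 6274 (request discarded), and reports RADIUS protocol problems such as an unknown client address or an invalid shared secret in the System log. The PowerShell below is an added example, not from the thread or from Microsoft: it makes sure the NPS audit subcategory is enabled and then summarises both sources for the last few hours.

```powershell
# Added example: enable NPS auditing and summarise recent RADIUS events.
# Run in an elevated PowerShell session on the NPS server.

# Both success and failure audits are needed to see granted AND denied/discarded requests.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

function Get-NpsRadiusEvents {
    param([int]$Hours = 1)
    $since   = (Get-Date).AddHours(-$Hours)
    $outcome = @{ 6272 = 'granted'; 6273 = 'denied'; 6274 = 'discarded' }

    # Security log: one event per processed Access-Request, with client, user, policy and reason.
    $sec = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $sec) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Outcome = $outcome[[int]$e.Id]
            Client  = $d['ClientIPAddress']
            User    = $d['SubjectUserName']
            Policy  = $d['NetworkPolicyName']
            Reason  = $d['Reason']
        }
    }

    # System log: requests rejected before a policy is evaluated (unknown RADIUS client,
    # bad Message-Authenticator / shared secret). These are free text, so match the body.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'RADIUS' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

Get-NpsRadiusEvents -Hours 2 | Format-List
```

If neither log shows anything while the access point reports sending requests, the packets are not reaching the NPS service at all (firewall, wrong destination address or port on the access point), which is consistent with the misconfiguration found later in this thread.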
  • Solved the problem. As it turned out, the web GUI for the Cisco access point wasn't configuring things correctly. Making the changes from the command line interface resolved the issue. A lot of wasted time!

    Thanks!
    Friday, July 22, 2011 6:31 PM