Win2k8 R2 RADIUS 802.1x PEAP with Windows XP SP3

  • Question

  • Hi,

    We have Win2k8 R2 NPS configured for RADIUS 802.1x authentication, and the client machines are running WinXP SP3. The RADIUS server is also the Certification Authority. The DC is a Windows 2003 Std machine. The certificate was already loaded on the testing XP machine. After we connect the cable for 802.1x and enter the username, password and domain on the XP PC, the XP machine can't seem to get a DHCP address from the server.

    Upon checking the event logs on the RADIUS server, there's always a failure event in the security logs (NPS denied access to a user - Event 6273)

    Reason Code:      23
    Reason:            An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

    Not sure if there's a misconfiguration or if we're missing something here. Any help will be much appreciated. Thanks in advance!
    • Moved by Aiden_Cao Tuesday, November 20, 2012 5:05 AM right forum (From:Platform Networking)
    Monday, November 19, 2012 10:33 AM

Answers

  • Hi,

    The error you found is somewhat generic. A list of reason codes is here: http://technet.microsoft.com/en-us/library/dd197464(WS.10).aspx. This article gives you the EAP log file location as %windir%\System32\Logfiles.

    Since you mentioned a Certification Authority, I assume you are using PEAP or EAP-TLS. Is this true? Perhaps you are only using the CA for a server certificate. A certificate problem can cause the error you see, such as when a certificate is expired or not trusted. It's hard to know which problem you have without knowing more about the configuration.

    Event 6273 should also tell you what connection request policy and network policy were matched. What EAP configuration is used in these policies?

    It will also help to know if other clients are connecting OK and only some clients are failing. The probable reason that the client cannot get a DHCP address is that when the client fails 802.1X authentication, the line protocol is dropped.

    -Greg

    • Proposed as answer by Aiden_Cao Thursday, November 22, 2012 2:08 AM
    • Marked as answer by Aiden_Cao Monday, November 26, 2012 3:01 AM
    Tuesday, November 20, 2012 9:02 AM
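
The checks suggested in the answer above, gathered into one script as an added example that is not part of the original thread: it summarises which connection request policy, network policy and EAP type each Event 6273 denial matched, then lists the server-authentication certificates on the NPS server with their expiry and chain status. The EventData field names are assumed from the standard layout of event 6273 and should be confirmed in the event's XML view; the script is written to run under PowerShell 2.0, the version shipped with Windows Server 2008 R2.

```powershell
# Added example (not from the thread). Run in an elevated session on the NPS server.
# Assumption: these are the EventData field names of Security event 6273.
$fields = 'SubjectUserName','ClientName','ProxyPolicyName','NetworkPolicyName',
          'AuthenticationType','EAPType','ReasonCode','Reason'

# Turn the last 50 denials into objects with one property per field of interest.
$denials = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } `
               -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Time $_.TimeCreated
        foreach ($d in $xml.Event.EventData.Data) {
            $name = $d.GetAttribute('Name')
            if ($fields -contains $name) {
                $row | Add-Member NoteProperty $name $d.InnerText
            }
        }
        $row
    }

# Which policy / EAP type / reason code combinations produce the denials?
# ProxyPolicyName is the connection request policy that was matched.
$denials | Group-Object ProxyPolicyName, NetworkPolicyName, EAPType, ReasonCode |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize | Out-Host

# Are only some clients or users failing? Show the most recent denials in full.
$denials | Select-Object -First 5 | Format-List | Out-Host

# Certificates in the computer store that carry the Server Authentication EKU.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$now = Get-Date
$certs = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    if ($ekus -contains $serverAuthOid) {
        $cert | Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'Expired';    Expression = { $now -gt $_.NotAfter } },
            @{ Name = 'ChainValid'; Expression = { $_.Verify() } }
    }
}
# ChainValid is the server's own view of the chain; the XP client must trust the issuing CA separately.
$certs | Format-List | Out-Host
```

Compare the thumbprint of a healthy certificate from this list with the one selected in the PEAP properties of the network policy that the first table shows the failing requests matching.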