none
An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP).

    Question

  • Hello everyone:

    I know this question have been asked in these forums quite a few times. I apologize if it is a repeat telecast but I was not able to find a suitable solution pertaining to my problem.

    I have a AP/SM setup that is configured to get EAP-PEAP authentication from Windows 2012 Server. I have setup everything and have verified that the EAP-PEAP authentication works fine on AP/SM by getting authentication from FreeRADIUS server. Now, when I try to get authentication from Windows Server, I am getting a reject. The Event log shows this generic message:

    Reason Code: 23
    Reason:     An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.



    There is nothing in the EAP logs that is obvious too:

    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,11,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,3,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,11,"PEAP_TEST",23,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,

    So, basically, the sequence is this:

    request , challenge, request , challenge, request, reject


    Any idea what might be happening?

    Thank you.

    Friday, July 11, 2014 5:59 PM

Answers

  • Hi,

    Have you installed certificates on the NPS server properly? Have you selected the proper certificate in the properties of PEAP?

    Here is an article about the Certificate requirements of PEAP,

    Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS

    http://support.microsoft.com/kb/814394

    If your certificate matches the requirement, you may try to reinstall the certificate by export and import.

    To export a certificate, please follow the steps below,

    1. Open the Certificates snap-in for a user, computer, or service.
    2. In the console tree under the logical store that contains the certificate to export, click Certificates.
    3. In the details pane, click the certificate that you want to export.
    4. On the Action menu, point to All Tasks, and then click Export.
    5. In the Certificate Export Wizard, click No, do not export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)
    6. Provide the following information in the Certificate Export Wizard:
      • Click the file format that you want to use to store the exported certificate: a DER-encoded file, a Base64-encoded file, or a PKCS #7 file.
      • If you are exporting the certificate to a PKCS #7 file, you also have the option to include all certificates in the certification path.
    7. If required, in Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.
    8. In File name, type a file name and path for the PKCS #7 file that will store the exported certificate and private key. Click Next, and then click Finish.

    To import a certificate, please follow the steps below,

    1. Open the Certificates snap-in for a user, computer, or service.
    2. In the console tree, click the logical store where you want to import the certificate.
    3. On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
    4. Type the file name containing the certificate to be imported. (You can also click Browse and navigate to the file.)
    5. If it is a PKCS #12 file, do the following:
      • Type the password used to encrypt the private key.
      • (Optional) If you want to be able to use strong private key protection, select the Enable strong private key protection check box.
      • (Optional) If you want to back up or transport your keys at a later time, select the Mark key as exportable check box.
    6. Do one of the following:
      • If the certificate should be automatically placed in a certificate store based on the type of certificate, click Automatically select the certificate store based on the type of certificate.
      • If you want to specify where the certificate is stored, select Place all certificates in the following store, click Browse, and choose the certificate store to use.

    If issue persists, you may try to re-issue the certificate.

    For detailed procedure, you may refer to the similar threads below,

    Having issues getting PEAP with EAP-MSCHAP v2 working on Windows 2008 R2

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/c66cf0a8-24dd-4ccd-b5bb-16bd28ad8d4c/having-issues-getting-peap-with-eapmschap-v2-working-on-windows-2008-r2?forum=winserverNAP

    Hope this helps.



    Steven Lee

    TechNet Community Support

    Monday, July 14, 2014 9:45 AM
    Moderator