The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

  • Question

  • After days of troubleshooting, I need some assistance. We are using a wifi SSID to pass Radius credentials to our AD server (Windows 2008 R2) via EAP. We are trying to access this SSID mostly via iPhone devices. Our NPS Network Policy has the proper network policy on top of the list. Under "Authentication Methods" this policy has "Microsoft: Protected EAP (PEAP)" selected under EAP Types. We are not using certs due to these devices not being on the domain. Can we please have some assistance with the below error?

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
     Security ID:   NULL SID
     Account Name:   user.name
     Account Domain:   CORP
     Fully Qualified Account Name: CORP\user.name

    Client Machine:
     Security ID:   NULL SID
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  00-0F-7D-BA-68-61:LatP4
     Calling Station Identifier:  08-70-45-D1-45-BB

    NAS:
     NAS IPv4 Address:  10.1.1.13
     NAS IPv6 Address:  -
     NAS Identifier:   -
     NAS Port-Type:   Wireless - IEEE 802.11
     NAS Port:   497

    RADIUS Client:
     Client Friendly Name:  10.1.1.13
     Client IP Address:   10.1.1.13

    Authentication Details:
     Connection Request Policy Name: Secure Wireless Connections
     Network Policy Name:  -
     Authentication Provider:  Windows
     Authentication Server:  servername.corp.company.com
     Authentication Type:  EAP
     EAP Type:   -
     Account Session Identifier:  -
     Logging Results:   Accounting information was written to the local log file.
     Reason Code:   22
     Reason:    The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    Wednesday, June 25, 2014 1:52 AM

All replies

  • Hi,

    Have you tried it with a windows client? If all devices fail to authenticate, it means that there is something wrong with your server configuration.

    A certificate with the server authentication purpose and correct subject alternative name must be installed on NPS. Note: This procedure must be completed prior to configuring PEAP on NPS.

    Verifies that the certificate meets either of two requirements:

    1. The certificate is found in the Enterprise NTAuth store.
    2. The certificate is found in the client's Trusted Root Certification Authorities container, and it is marked as trusted.

    If the certificate is found in the Trusted Root Certification Authorities container (but not NTAuth) and it is not marked as trusted, the client device receives a warning. The warning message is intended to provide the client an opportunity to mark the CA as trusted. The client should only receive this message once, provided the certificate is marked as trusted.

    If the certificate is not found in the Trusted Root Certification Authorities Container or the Enterprise NTAuth store, a PEAP error is generated and authentication fails.

    For detailed information, please view the link below,

    Get PEAP with MSCHAP v2 working with NPS on Windows Server 2008 and 2012

    http://curah.microsoft.com/39626/get-peap-with-mschap-v2-working-with-nps-on-windows-server-2008-and-2012

    Hope this helps.



    Steven Lee

    TechNet Community Support


    Thursday, June 26, 2014 9:47 AM
    Moderator
  • How exactly did you configure PEAP at the client?

    I don't have an iPhone to test right now but from this article it seems that it can support 6 different EAP types and you should select only PEAP in order to make PEAP-MS-CHAPv2 work.

    Do the iPhone clients trust the CA that issued your NPS server certificate? I have seen the same error message reported for non-domain joined clients not validating the NPS server certificate correctly.

    Elke

    Thursday, June 26, 2014 12:24 PM
  • Prior to this response, we did not have our DC configured as CA Server. We now have this configured. Now in our NPS Policy -> Network Policy -> Authentication Methods, we have selected "Microsoft: Protected EAP (PEAP)". Under these properties we now have our cert associated with this, along with "Secured password (EAP MS-CHAP v2)".

    Once back onsite I will test once again. I am hoping to avoid needing to push any type of custom profile to users' iPhones to connect. I will post my results...

    Thursday, June 26, 2014 2:29 PM
  • After we installed a CA cert and applied it to the NPS server (which is actually also the CA server), a new error is appearing after trying to log in. We see the cert showing up on the client asking for it to be accepted, but after doing so, we are denied with the below appearing in the logs. We do not need for this cert to appear on the client if possible. We also noticed the "Authentication Type" has changed to "PEAP". Good news is we are now seeing the proper Network Policy Name being triggered: "Wi-Fi Admin".

    Any help is greatly appreciated....

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
     Security ID:   CORP\name
     Account Name:   name
     Account Domain:   CORP
     Fully Qualified Account Name: domain/Users/name

    Client Machine:
     Security ID:   NULL SID
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  00-0F-7D-BA-68-61:LatP4
     Calling Station Identifier:  08-70-45-D1-45-BB

    NAS:
     NAS IPv4 Address:  10.1.1.13
     NAS IPv6 Address:  -
     NAS Identifier:   -
     NAS Port-Type:   Wireless - IEEE 802.11
     NAS Port:   499

    RADIUS Client:
     Client Friendly Name:  10.1.1.13
     Client IP Address:   10.1.1.13

    Authentication Details:
     Connection Request Policy Name: Use Windows authentication for all users
     Network Policy Name:  Wi-Fi Admin
     Authentication Provider:  Windows
     Authentication Server:  server.com
     Authentication Type:  PEAP
     EAP Type:   -
     Account Session Identifier:  -
     Logging Results:   Accounting information was written to the local log file.
     Reason Code:   23
     Reason:    An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

    Wednesday, July 2, 2014 7:12 PM
  • This error can be caused by issues with the private key of the NPS certificate (see e.g. here). How exactly did you create the key and certificate request for the NPS server?

    Even if there are no issues with the key as such, a problem could occur if the wrong crypto provider had been selected. I have seen similar issues with SSL web servers configured with certificates using CNG providers instead of a classical RSA SChannel CSP.

    The popup message on the device re confirmation of the NPS certificate unfortunately cannot be "configured away" - there have been some related threads on these forums recently.

    Elke

    Thursday, July 3, 2014 6:32 AM
  • Thanks for the article. Our Certificate Service is installed as an Enterprise CA. This is also installed on our DC. The root CA cert is seen and configured to use our PEAP policy for NPS. During the wizard, we had the system create a private key. For the crypto provider, we picked the default. I'm not sure how to go back and verify the exact option.

    From the posts above, and other posts I've been reading, it always seems to be something with the cert causing the issue. I'm not sure where to go from here, but I'd be more than happy to provide any logs or screenshots that might help us move to some closure.

    Thanks in advance everyone.

    Thursday, July 3, 2014 7:53 PM
  • Do you mean you used the CA's cert also as the NPS server's certificate configured in the Network Policy? I wouldn't expect that this works as CA certificates don't have any specific Extended Key Usages. CA certificates also don't work as web server SSL certificates.

    And the default CA crypto provider suffers from the issue I had described - not intended to be used for SSL.

    In case my guess is true: You need to create a dedicated server certificate even if CA = DC = NPS, e.g. by using the IAS template or the Domain Controller template. The requirement is that Client Authentication and Server Authentication are both included, and you use an RSA SChannel provider - and a CA certificate does not meet that requirement.

    I would advise to pick a template that has the Subject Common Name populated not to get into troubles with non-Windows 802.1x clients (Domain Controller Authentication has not, for example)

    Elke

    Edit: You might also see SChannel related errors in the Windows System Event log - this indicates crypto provider / key not suitable for SSL.

    Thursday, July 3, 2014 8:06 PM
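
Added example, not part of the thread or of any poster's reply: a PowerShell check, run on the NPS server, that lists each certificate in the computer's personal store against the requirements named in the reply above (both EKUs present, not a CA certificate, a Subject Common Name, an RSA SChannel key provider). The store path `Cert:\LocalMachine\My` and the pass/fail criteria are assumptions taken from this thread, not from NPS itself.

```powershell
# Added example: audit LocalMachine\My for a usable NPS PEAP server certificate.
# Criteria come from the replies in this thread; adjust them to your own policy.
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID
$schannel   = 'Microsoft RSA SChannel Cryptographic Provider'

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ekus = @()
    $isCA = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            $isCA = $ext.CertificateAuthority
        }
    }

    # Legacy CSP keys expose CspKeyContainerInfo. CNG keys usually cannot be
    # read through this property, which is itself the condition to flag.
    $provider = $null
    if ($cert.HasPrivateKey) {
        try { $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch { }
        if (-not $provider) { $provider = 'unreadable (possibly a CNG key)' }
    }

    $problems = @()
    if (-not $cert.HasPrivateKey)       { $problems += 'no private key' }
    if ($isCA)                          { $problems += 'is a CA certificate' }
    if ($ekus -notcontains $serverAuth) { $problems += 'missing Server Authentication EKU' }
    if ($ekus -notcontains $clientAuth) { $problems += 'missing Client Authentication EKU' }
    if ($cert.Subject -notmatch 'CN=')  { $problems += 'Subject has no Common Name' }
    if ($cert.HasPrivateKey -and $provider -ne $schannel) {
        $problems += "key provider is '$provider'"
    }

    New-Object PSObject -Property @{
        Verdict    = $(if ($problems.Count -eq 0) { 'OK for PEAP' } else { 'CHECK' })
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Provider   = $provider
        Problems   = ($problems -join '; ')
    }
} | Select-Object Verdict, Subject, Thumbprint, Provider, Problems | Format-List
```

A certificate reported as `CHECK` with "is a CA certificate" corresponds to the situation discussed in this thread, where the root CA certificate had been selected in the PEAP properties.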
  • I believe you are correct. So far we've created the root CA, and associated it with PEAP under the proper NPS policy.

    Even though the CA and NPS is actually the same server, NPS needs its own server cert? I will look into creating a dedicated server certificate and associate it instead. I will report back. Thanks for the quick reply.

    Thursday, July 3, 2014 8:12 PM
  • It finally works. Below is what needed to happen. Hope this helps for the next newbie.

    * Be sure you have Microsoft CA server set up. The links above show how to do this.

    * On the NPS server, be sure to request a computer cert. I pulled one from the "Domain Controller" template as it had the proper attributes by default.

    * Under your NPS profile, be sure PEAP is set up to use the newly generated 'computer' cert.

    Saturday, July 5, 2014 6:05 PM
  • It solved my problem.

    If you are patient, you will make halva from unripe grapes.

    Tuesday, May 7, 2019 9:53 AM