The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    Question

  • Hello,

    I have a well-working RADIUS environment.

    Only one client still cannot connect to the access points (also after reinstall).

    Eventlog on NPS-Server:

    Network Policy Server discarded the request for a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID: NULL SID
        Account Name: domain\user
        Account Domain: domain
        Fully Qualified Account Name: domain\user

    Client Machine:
        Security ID: NULL SID
        Account Name: -
        Fully Qualified Account Name: -
        OS-Version: -
        Called Station Identifier: 00-02-6F-9A-B2-C4
        Calling Station Identifier: 24-77-03-5E-62-90

    NAS:
        NAS IPv4 Address: 10.31.10.122
        NAS IPv6 Address: -
        NAS Identifier: -
        NAS Port-Type: Wireless - IEEE 802.11
        NAS Port: 0

    RADIUS Client:
        Client Friendly Name: FDLab1
        Client IP Address: 10.31.10.122

    Authentication Details:
        Connection Request Policy Name: Secure Wireless Connections
        Network Policy Name: -
        Authentication Provider: Windows
        Authentication Server: Server.local
        Authentication Type: -
        EAP Type: -
        Account Session Identifier: -
        Reason Code: 22
        Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    Have tried different options... but still no fix.

    Anybody with an option?

    Monday, November 19, 2012 9:25 AM

All replies

  • Hi,

    Based on your description, this would have to be a client-side configuration problem. What 'options' are you testing?

    What type of authentication are you using? EAP or PEAP with MSCHAP (password) or TLS (certificate)?

    -Greg

    Tuesday, November 20, 2012 6:33 AM
    Owner
  • Hi Greg,

    On my configuration there is nothing changed. They are all default settings for Windows 7.

    I can make some screenshots of my configuration on the client. Which settings do you need?

    Tuesday, November 20, 2012 7:06 AM
  • Hi,

    I only have a Windows 8 client to show as an example right now, but the screens are just about identical to Windows 7. Are you configured to use 802.1X with these settings?

    PEAP

    Tuesday, November 20, 2012 7:55 AM
    Owner
  • Hi Greg,

    To get into these settings I have to connect first to the specified network --> but I can't ...

    Tuesday, November 20, 2012 1:22 PM
  • Hi,

    Please refer to the following blog to choose correct authentication method for the wireless client. Also, you can push this setting via group policy.

    The Cable Guy: Connecting to Wireless Networks with Windows 7
    http://technet.microsoft.com/en-us/magazine/ff847520.aspx


    Best Regards,
    Aiden


    Aiden Cao

    TechNet Community Support

    Wednesday, November 21, 2012 4:25 AM
    Moderator
  • Hi Aiden/Greg,

    I have created a profile like in the "Cable Guy" post.

    I have used the same settings as in the blog, and also tried with the setting "use windows/user-domain settings" disabled.

    I can't connect to the newly created profile because of :

    Some extra info:

    The 802.1X method is used with domain credentials.

    The client is not joined to the domain.

    When connecting to one of the APs the credentials are asked for a domain user.

    When adding the domain credentials of different users I get the error message:

    Reason Code: 22

    Reason: The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    I have also tried other clients which are NOT connected to the domain. These clients CAN connect after adding the domain credentials while connecting to an AP.

    So there is something wrong with the client/Wi-Fi card configuration or something?

    Thx

    Wednesday, November 21, 2012 7:52 AM
  • Hi,

    Thanks for your update.

    As Greg mentioned, you need to know which authentication method is deployed in your environment first. Then adjust it in the wireless profile on the client side. Based on your description, I assume that the authentication method is PEAP-EAP-MSCHAP v2 for a non-domain-joined computer. If so, please verify that this client trusts the NPS certificate issuer, and compare the wireless connection configuration between clients.

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    • Marked as answer by Mvd12345 Wednesday, November 21, 2012 10:42 AM
    Wednesday, November 21, 2012 8:52 AM
    Moderator
  • Hi Aiden,

    thx for the answer.

    What is the best way to find out the trust of the NPS certificate issuer?

    Thx

    Wednesday, November 21, 2012 8:56 AM
  • Hi,

    Ensure that the root CA which issued the certificate for the NPS server is trusted on the client computer. Verify that the root CA is listed in MMC -> Certificate -> Certificates (Local Computer) -> Trusted Root Certification Authorities.

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Wednesday, November 21, 2012 9:13 AM
    Moderator
  • Hi Aiden,

    I have tested the setup with a non-domain client on another computer. This client has the same problem.

    In the event log on the NPS server:

    Logging Results: Accounting information was written to the local log file.

    Reason Code: 265

    Reason: The certificate chain was issued by an authority that is not trusted.

    How can I determine which certificate is used for NPS/RADIUS to import to the client? I checked the list on the server... but I need the right one.

    Thx

    Wednesday, November 21, 2012 9:20 AM
  • Hi Aiden,

    I found the solution by exporting the right certificate.

    The first time when connecting to the server there is a warning message, but after choosing "connect", the non-domain client is able to connect!

    Thx for the support!

    Wednesday, November 21, 2012 10:05 AM
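
As an added example (not part of any post in this thread): one way to check, on the client, whether a certificate exported from the NPS server chains to a root the client trusts, which is the condition behind reason code 265 above. The function name `Test-NpsServerCertTrust` and the `.cer` file name are hypothetical; the code uses only the .NET `X509Chain` class and the PowerShell `Cert:` drive.

```powershell
# Added example, not from the thread. Function name and file path are hypothetical.
function Test-NpsServerCertTrust {
    param([Parameter(Mandatory = $true)][string]$CertPath)

    $ns   = 'System.Security.Cryptography.X509Certificates'
    $file = (Resolve-Path -LiteralPath $CertPath).ProviderPath
    $cert = New-Object "$ns.X509Certificate2" -ArgumentList $file

    # Build the chain without revocation checks: the question is issuer trust,
    # and a client that has not authenticated yet usually cannot reach a CRL.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # The last element is the highest certificate Windows could locate.
    # It is a root only if it is self-issued (subject equals issuer).
    $top = @($chain.ChainElements)[-1].Certificate
    $inMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"

    # Collect the Enhanced Key Usage OIDs of the server certificate.
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    New-Object PSObject -Property @{
        ServerSubject        = $cert.Subject
        ServerIssuer         = $cert.Issuer
        NotAfter             = $cert.NotAfter
        ChainBuilds          = $chainOk
        # UntrustedRoot or PartialChain here matches "issued by an authority
        # that is not trusted" on the client side.
        ChainStatus          = @($chain.ChainStatus | ForEach-Object { $_.Status })
        TopOfChainSubject    = $top.Subject
        TopIsSelfIssued      = ($top.Subject -eq $top.Issuer)
        TopInLocalMachineRoot = $inMachineRoot
        # 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU.
        HasServerAuthEku     = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
    }
}

# Hypothetical usage on the client, with a certificate exported from the NPS server:
# Test-NpsServerCertTrust -CertPath .\nps-server.cer | Format-List
```

If `TopIsSelfIssued` is true but `TopInLocalMachineRoot` is false, `TopOfChainSubject` names the root CA certificate that still has to be imported into the client's Trusted Root Certification Authorities store.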

  • Hi,

    We spent many hours trying to solve this problem.

    Our setup:

    Cisco wireless setup, using Windows NPS for 802.1X authentication.

    Certificate-based auth, with an internal PKI sending out client machine certs, and also the server cert.

    Auth was failing with "reason code 22, The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

    It turned out to be a GPO setting on the server that was enforcing key protection.

    There is this note in the TechNet article below:

    Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).

    http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx

    Hopefully this helps someone out, if you have the same annoying error.
    Friday, December 13, 2013 12:00 AM