none
WLAN authentication failure: "Explicit EAP failure received"

    Question

  • Hi,

    I recently performed troubleshooting of the same issue in two different Active Directory forests in a short period of time, and would like to investigate the root cause.

    The following is true for both environments:
    Wireless clients: Windows 7 Enterprise with SP1
    NPS Server: Windows Server 2008 R2 Standard with SP1
    Domain Controllers: Mix of Windows Server 2003 R2 Standard SP2 and Windows Server 2008 R2 Standard with SP1
    Certification Authorities: Single-tier CA running Windows Server 2008 R2 Standard with SP1
    Wireless authentication: "EAP: Microsoft Smard Card or other certificate"

    The problem was wireless clients suddenly being unable to connect to the wireless network, without any known changes being made to the infrastructure.

    In the WLAN-Autoconfig eventlog on the client computers we received the following event:
    Event ID 8002 — 802.11 Wireless Connectivity
    http://technet.microsoft.com/en-us/library/cc735927(v=ws.10).aspx


    The reason code we received is not mentioned in the article: "Explicit EAP failure received".

    In the first case I went through a few hours of troubleshooting on a client that was also connected to the network through a wired connection.
    I used Network Monitor to investigate, and saw that the client sent several "EAP Request, Type=PEAP", and received "EAP:Failure" after 5 retries.
    Using Network Monitor on the NPS server I also saw EAP Requests and Responses which ended with "EAP: Failure" in the end.
    The issue was resolved by changing EAP Types on both the NPS Server and in the client settings (using GPO) from "Microsoft: Protected EAP (PEAP)" to "EAP: Microsoft Smard Card or other certificate".


    In the second event in the other environment the problem was resolved by rebooting the NPS server.

    I know it`s hard to troubleshoot a problem that has been resolved, but what I`m looking for is basically the possible reasons for the "Explicit EAP failure received", and some guidelines on how to troubleshoot the issue if it occurs again.


    Jan Egil Ring

    Blog: http://blog.powershell.no
    Twitter: http://twitter.com/janegilring

    Monday, April 16, 2012 10:43 AM

Answers

All replies

  • Hi Jan Egil Ring,

    Thanks for posting here.

    So which authentication methods did we set to use in network or connection request policies that we defined in NPS server ? what OS is running on client ?

    There are many reasons could cause “Explicit EAP failure received”. Usually we will first to collect the wireless logs by enabling logging with command “netsh ras set tracing * enable” and “netsh wlan set tracing mode=yes” at client when this issue be reproduced and analyze entries in its corresponding logging file.

    The detail troubleshooting and diagnostics methods and procedures could be acquired from the links bleow:

    Troubleshooting Windows Vista 802.11 Wireless Connections

    http://technet.microsoft.com/en-us/library/cc766215(WS.10).aspx

    A Support Guide for Wireless Diagnostics and Troubleshooting

    http://technet.microsoft.com/en-us/library/bb457018.aspx

    Authentication Problem on a 802.1x Wireless Network

    http://blogs.technet.com/b/yuridiogenes/archive/2008/04/18/authentication-problem-on-a-802-1x-wireless-network.aspx

    And the links below should help us to perform the authenticated wireless network deployment :

    802.1X Authenticated Wireless Access

    http://technet.microsoft.com/en-us/library/cc771455(WS.10).aspx

    Wireless Networking

    http://technet.microsoft.com/en-us/network/bb530679.aspx

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact  tnmff@microsoft.com.


    Tiger Li

    TechNet Community Support

    Tuesday, April 17, 2012 3:07 AM
  • Thanks for your guidance, very useful.

    In terms of authentication methods, this is the client settings (deployed in a GPO):
    Authentication: WPA2-Enterprise
    Encryption: TKIP

    Network authentication method: Microsoft: Smart Card or other certificate
    Authentication mode: Computer authentication

    Specified in the Connection request policy on the NPS server:

    EAP Types: Microsoft: Smart Card or other certificate
    Conditions: NAS Port Type = Wireless - IEEE 802.11 and membership for an Active Directory security group

    The clients is running Windows 7 Enterprise with SP1.


    Jan Egil Ring

    Blog: http://blog.powershell.no
    Twitter: http://twitter.com/janegilring

    Tuesday, April 17, 2012 7:19 PM
  • Hi,

    Thanks for update.

    > Specified in the Connection request policy on the NPS server:

    >EAP Types: Microsoft: Smart Card or other certificate

    OK, so we were select to use digital certificate authentication method (EAP-TLS). So incorrect user and computer certificate might will be a potential issue. Try to follow the steps in the checklist below in order to ensure all these settings have been properly set in case any misconfiguration:

    Checklist: Implementing 802.1X Authenticate Wireless Access

    http://technet.microsoft.com/en-us/library/dd283023(WS.10).aspx

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact  tnmff@microsoft.com.


    Tiger Li

    TechNet Community Support

    Wednesday, April 18, 2012 7:43 AM
  • Hi,

    Please feel free to let us know if the information was helpful to you.

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact  tnmff@microsoft.com.


    Tiger Li

    TechNet Community Support

    Thursday, April 19, 2012 10:29 AM
  • Thank you for your assistance, it was very helpful.

    Jan Egil Ring

    Blog: http://blog.powershell.no
    Twitter: http://twitter.com/janegilring

    Thursday, April 19, 2012 10:10 PM