Trouble with NPS and EAP - getting errors on server

Hello everyone!

I've been creating a rather large dent in my desk from slamming my head into it over some NPS/RADIUS/WPA-Enterprise/EAP problems. When client computers attempt to connect to our wireless network, they receive an "unable to connect" message. The server log shows a problem with EAP.

Server Configuration:
- NPS and AD CS are both running on my secondary domain controller, called AG-ADIR2
- This domain controller is Server 2008 R2 SP1
- Address 172.20.1.6
- Domain is "ag-us.com"

Active Directory:
- I created a user group called "Wireless" which has ALL of our AD user accounts in it
- Modified the "Default Domain Policy" to enable "Certificate Services Client - Auto-Enrollment"

Certificates:
- Created a CA certificate through the AD CS setup wizard, called "ag-us-AG-ADIR2-CA"
- Verified that this certificate DOES show up on the client-end under Trusted Root Certification Authorities > Certificates.

Wireless Access Points:
- Ubiquiti Unifi controller 2.2.1
- Each access point is set to use WPA-Enterprise at 172.20.1.6 with the right password

NPS Configuration:
- NPS (Local) > RADIUS Clients and Servers > RADIUS Clients. Each AP is set up in here at their correct static IP address
- NPS (Local) > Policies > Network Policies > "Secure Wireless Connections". This policy is set in the following ways outside of the defaults:
  - Overview: "Grant access", "Ignore user account dial-in properties"
  - Conditions: "NAS Port Type = Wireless - IEEE 802.11", "Windows Groups = ag-us.com\Wireless"
  - Constraints: Authentication Methods: EAP Types has "Microsoft: Smart Card or other certificate" configured with the "ag-us-AG-ADIR2-CA" certificate.
- NPS (Local) > Policies > Network Request Policies > "Secure Wireless Connections". This policy is set in the following ways outside of the defaults:
  - Conditions: "NAS Port Type = Wireless - Other OR Wireless - IEEE 802.11"

Problem:
- No clients can connect to the wireless access points
- Each time I try connecting, the following THREE logs appear in NPS:

First log that appears:

      Event ID: 6273
      Authentication Details:
            Connection Request Policy Name: Secure Wireless Connections
            Network Policy Name:            Connections to other access servers
            Authentication Provider:        Windows
            Authentication Server:          AG-ADIR2.ag-us.com
            Authentication Type:            EAP
            EAP Type:                       -
            Account Session Identifier:     -
            Logging Results:                Accounting information was written to the local log file.
            Reason Code:                    66
            Reason:                         The user attempted to use an authentication method that is not enabled on the matching network policy.

Second log that appears:

      Event ID: 6273
      Authentication Details:
            Connection Request Policy Name: Secure Wireless Connections
            Network Policy Name:            Secure Wireless Connections
            Authentication Provider:        Windows
            Authentication Server:          AG-ADIR2.ag-us.com
            Authentication Type:            EAP
            EAP Type:                       -
            Account Session Identifier:     -
            Logging Results:                Accounting information was written to the local log file.
            Reason Code:                    22
            Reason:                         The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Third log that appears:

      Event ID: 6273
      Authentication Details:
            Connection Request Policy Name: Secure Wireless Connections
            Network Policy Name:            Secure Wireless Connections
            Authentication Provider:        Windows
            Authentication Server:          AG-ADIR2.ag-us.com
            Authentication Type:            EAP
            EAP Type:                       -
            Account Session Identifier:     -
            Logging Results:                Accounting information was written to the local log file.
            Reason Code:                    22
            Reason:                         The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

I've omitted a lot of text from those error logs that doesn't seem to give much detail that would otherwise help someone troubleshoot this problem. I can include the entire error logs if needed.

So... what am I doing wrong? Thank you all so much in advance for any help you can provide!
Asked by: Xourque
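The three 6273 events above are the kind of thing you want to pull out of the Security log in bulk rather than read one at a time: the interesting fields are which network policy the request actually matched, what EAP type (if any) the client offered, and the reason code. The script below is an added example, not part of the original post. It assumes it is saved as a .ps1 and run in an elevated PowerShell on the NPS server (AG-ADIR2 in this thread), and that NPS auditing is enabled so that event 6273 is written to the Security log; the field labels it parses ("Account Name", "Network Policy Name", "EAP Type", "Reason Code", "Reason", "Client Friendly Name", "Connection Request Policy Name") are those shown in the event text above.

```powershell
# Added example, not from the original post: summarise NPS "access denied" events
# (Security event ID 6273) by matched network policy, offered EAP type and reason code.
# Assumptions: run elevated on the NPS server; NPS auditing writes 6273 to the Security log.
param([int]$Hours = 24)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) { "No NPS 6273 (access denied) events since $since"; return }

# A 6273 message is a block of "Label: value" lines; extract one labelled value from it.
# "Reason:" does not match the "Reason Code:" line because the label is anchored with ':'.
function Get-NpsField {
    param([string]$Message, [string]$Label)
    $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(.*?)\s*$'
    if ($Message -match $pattern) { return $Matches[1] }
    return '-'
}

# New-Object PSObject (not [pscustomobject]) so this also runs on PowerShell 2.0 / Server 2008 R2.
$rows = foreach ($e in $events) {
    New-Object PSObject -Property @{
        Time         = $e.TimeCreated
        Account      = Get-NpsField -Message $e.Message -Label 'Account Name'
        RadiusClient = Get-NpsField -Message $e.Message -Label 'Client Friendly Name'
        CrpName      = Get-NpsField -Message $e.Message -Label 'Connection Request Policy Name'
        Policy       = Get-NpsField -Message $e.Message -Label 'Network Policy Name'
        EapType      = Get-NpsField -Message $e.Message -Label 'EAP Type'
        ReasonCode   = Get-NpsField -Message $e.Message -Label 'Reason Code'
        Reason       = Get-NpsField -Message $e.Message -Label 'Reason'
    }
}

# Aggregate: which policy the request matched, what EAP type was offered, and why it was refused.
$rows |
    Group-Object Policy, EapType, ReasonCode |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Policy';     e = { $_.Group[0].Policy } },
        @{ n = 'EapType';    e = { $_.Group[0].EapType } },
        @{ n = 'ReasonCode'; e = { $_.Group[0].ReasonCode } },
        @{ n = 'Reason';     e = { $_.Group[0].Reason } } |
    Format-Table -AutoSize -Wrap

# The most recent failures in detail, to line up one client attempt with its events.
$rows |
    Sort-Object Time -Descending |
    Select-Object -First 10 Time, Account, RadiusClient, CrpName, Policy, EapType, ReasonCode |
    Format-Table -AutoSize
```

Read the summary against the policy list: a row whose Policy is the built-in "Connections to other access servers" means the request fell past "Secure Wireless Connections" to the default policy, and a row with EapType "-" means the server never got as far as negotiating an EAP method with the client.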
Jakob Digranes (Senior Consultant) commented:
You've created a certificate for validating the identity of the NPS server to the client. I can't see that you've deployed any certificates to the client computers.

Try changing the authentication method on the server from "Smart Card or other certificate" (which means that the client authenticates itself by showing a unique client certificate) to Protected EAP with an inner method of MS-CHAP v2.
That way clients will encrypt the EAP session (protect it) using the NPS server's certificate and authenticate themselves using their domain username and password.

Make sure you set the settings on the client computers the same way.
v-2sukum commented:
Hi Xourque,

I request you to use the Chap 2 protocol; I faced the same situation too.
Xourque (Author) commented:
I'm having a hard time understanding your replies (both of them). Care trying to explain them again?

Jakob Digranes (Senior Consultant) commented:
The error message you get explains that your clients are trying to authenticate with an authentication mechanism which the server does not understand/allow.

You've set up your RADIUS server to only allow clients that authenticate themselves with a valid unique client certificate installed in the computer and/or user account
(- Constraints: Authentication Methods: EAP Types has "Microsoft: Smart Card or other certificate").
But you mention only that you've deployed the AD CA as a Trusted Root CA, not a unique client certificate. That would be like presenting yourself with your nationality, rather than your name AND nationality, when entering a foreign country.

Either you need to enroll unique user and/or computer certificates to ALL users and/or computers, or you need to change the constraints to PEAP with PEAP-MS-CHAP v2, where clients authenticate themselves using their domain username and password,
OR
you need to make sure that unique client certificates are installed in the computers' machine/user store (mmc - certificates - personal) and still use EAP-TLS.
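The distinction in the answer above is between trusting the CA (the root in Trusted Root Certification Authorities, which the question already confirmed) and holding a certificate of your own that chains to it (the Personal store of the machine or the user). The following is an added example, not code from the thread, for checking the second condition on a client: it looks in both Personal stores for a non-expired certificate with a private key, issued by the CA named in the question, that carries the Client Authentication EKU, and confirms a chain can be built to a trusted root. The issuer CN is taken from the thread; run it once as the user for the user store and once elevated for the machine store.

```powershell
# Added example, not from the thread: does this client hold a certificate that EAP-TLS
# ("Microsoft: Smart Card or other certificate") can present to NPS?
# Assumptions: the CA CN below is the one named in the question; adjust for your environment.
$IssuerCN      = 'ag-us-AG-ADIR2-CA'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'    # Client Authentication EKU
$EkuExtOid     = '2.5.29.37'            # Extended Key Usage extension

function Get-EapTlsCandidate {
    param([string]$StorePath)   # Cert:\LocalMachine\My (computer) or Cert:\CurrentUser\My (user)
    Get-ChildItem $StorePath | Where-Object {
        $cert = $_
        # EAP-TLS needs the private key, a currently valid cert, and the issuer NPS trusts.
        if (-not $cert.HasPrivateKey) { return $false }
        $now = Get-Date
        if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) { return $false }
        if ($cert.Issuer -notlike "*CN=$IssuerCN*") { return $false }
        # The cert must carry the Client Authentication EKU; a server-auth-only cert is rejected.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid }
        if (-not $ekuExt) { return $false }
        $ekuExt = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt
        return [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }
}

function Test-ChainBuilds {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Revocation checking is skipped here so the check works off the network; NPS itself
    # will still check revocation unless configured otherwise.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    return $chain.Build($Cert)
}

foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    $hits = @(Get-EapTlsCandidate -StorePath $store)
    if ($hits.Count -eq 0) {
        "{0}: no client-authentication certificate issued by {1}; EAP-TLS has nothing to present from this store." -f $store, $IssuerCN
        continue
    }
    foreach ($c in $hits) {
        "{0}: candidate  Subject={1}  Expires={2:yyyy-MM-dd}  ChainBuilds={3}" -f `
            $store, $c.Subject, $c.NotAfter, (Test-ChainBuilds -Cert $c)
    }
}
```

If both stores come back empty on a domain-joined client, the Auto-Enrollment policy mentioned in the question is not by itself enough: autoenrollment only issues certificates for templates on which the computer or user has Enroll and Autoenroll permissions, so a suitable template (for example one based on the Computer or User template with the Client Authentication purpose) has to be published on the CA and granted to the relevant group before EAP-TLS can work.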
Xourque (Author) commented:
Thank you Jakob di,

It does work perfectly with PEAP, thanks for that suggestion.

Perhaps in the future I can figure out how to get EAP-TLS working. I've tried running through a few guides out there and they don't show creating unique client certificates. Is there a guide you can link me to?
Bes4dmin commented:
Hi Xourque, did you manage to get it working with EAP?