Trouble with NPS and EAP - getting errors on server

Hello everyone!

I've been creating a rather large dent in my desk from slamming my head into it over some NPS/RADIUS/WPA-Enterprise/EAP problems. When client computers attempt to connect to our wireless network, they receive an "unable to connect" message. The server log shows a problem with EAP.

Server Configuration:
- NPS and AD CS are both running on my secondary domain controller, called AG-ADIR2
- This domain controller is Server 2008 R2 SP1
- Address 172.20.1.6
- Domain is "ag-us.com"

Active Directory:
- I created a user group called "Wireless" which has ALL of our AD user accounts in it
- Modified the "Default Domain Policy" to enable "Certificate Services Client - Auto-Enrollment"

Certificates:
- Created a CA certificate through the AD CS setup wizard, called "ag-us-AG-ADIR2-CA"
- Verified that this certificate DOES show up on the client-end under Trusted Root Certification Authorities > Certificates.

Wireless Access Points:
- Ubiquiti Unifi controller 2.2.1
- Each access point is set to use WPA-Enterprise at 172.20.1.6 with the right password

NPS Configuration:
- NPS (Local) > RADIUS Clients and Servers > RADIUS Clients. Each AP is set up in here at their correct static IP address
- NPS (Local) > Policies > Network Policies > "Secure Wireless Connections". This policy is set in the following ways outside of the defaults:
  - Overview: "Grant access", "Ignore user account dial-in properties"
  - Conditions: "NAS Port Type = Wireless - IEEE 802.11", "Windows Groups = ag-us.com\Wireless"
  - Constraints: Authentication Methods: EAP Types has "Microsoft: Smart Card or other certificate" configured with the "ag-us-AG-ADIR2-CA" certificate.
- NPS (Local) > Policies > Network Request Policies > "Secure Wireless Connections". This policy is set in the following ways outside of the defaults:
  - Conditions: "NAS Port Type = "Wireless - Other OR Wireless - IEEE 802.11"

Problem:
- No clients can connect to the wireless access points
- Each time I try connecting, the following THREE logs appear in NPS:

First log that appears:

      Event ID: 6273
      Authentication Details:
            Connection Request Policy Name:      Secure Wireless Connections
            Network Policy Name: Connections to other access servers
            Authentication Provider: Windows
            Authentication Server: AG-ADIR2.ag-us.com
            Authentication Type: EAP
            EAP Type: -
            Account Session Identifier: -
            Logging Results: Accounting information was written to the local log file.
            Reason Code: 66
            Reason:      The user attempted to use an authentication method that is not enabled on the matching network policy.

Second log that appears:

      Event ID: 6273      
      Authentication Details:
            Connection Request Policy Name:      Secure Wireless Connections
            Network Policy Name: Secure Wireless Connections
            Authentication Provider: Windows
            Authentication Server: AG-ADIR2.ag-us.com
            Authentication Type: EAP
            EAP Type: -
            Account Session Identifier: -
            Logging Results: Accounting information was written to the local log file.
            Reason Code: 22
            Reason:      The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Third log that appears:

      Event ID: 6273      
      Authentication Details:
            Connection Request Policy Name:      Secure Wireless Connections
            Network Policy Name: Secure Wireless Connections
            Authentication Provider: Windows
            Authentication Server: AG-ADIR2.ag-us.com
            Authentication Type: EAP
            EAP Type: -
            Account Session Identifier: -
            Logging Results: Accounting information was written to the local log file.
            Reason Code: 22
            Reason:      The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

I've omitted a lot of text from those error logs that doesn't seem to give much detail that would otherwise help someone troubleshoot this problem. I can include the entire error logs if needed.

So..... What am I doing wrong???? Thank you all so much in advance for any help you can provide!

Xourque asked:
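The three rejects quoted above are NPS audit events (ID 6273 in the Security log on the NPS server). When you are collecting more than a handful of them it is quicker to pull them with PowerShell and group by network policy and reason code than to read them one by one. The script below is an added example for this thread, not something the poster or the experts wrote; it assumes it runs in an elevated session on the NPS server itself and that NPS auditing is on (the "Logging Results" line in the events shows it is). The two hints it knows are for the reason codes that appear in this thread (22 and 66); anything else is reported as unknown rather than guessed.

```powershell
# Added example (not from the original post): summarise NPS reject events (ID 6273)
# from the Security log and attach a troubleshooting hint to the reason codes seen
# in this thread. Run elevated on the NPS server (AG-ADIR2 in the thread).

$since = (Get-Date).AddHours(-1)

# Hints for the reason codes quoted in the thread. Others are left as "unknown".
$reasonHints = @{
    22 = 'The EAP type the client offered is not configured on the matching network policy, ' +
         'or the server could not process it. Compare the client EAP method with ' +
         'Constraints > Authentication Methods on that policy.'
    66 = 'The request matched a network policy whose authentication methods do not include ' +
         'what the client sent (here the default "Connections to other access servers" ' +
         'policy). Check the conditions of the intended policy so it is matched first.'
}

# Assumed: the Security log is readable and audit events for NPS are being written.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
    -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $msg = $e.Message
    # Extract a "Label:  value" field from the free-text message body of the event.
    $get = {
        param($label)
        if ($msg -match "(?m)^\s*$([regex]::Escape($label)):\s*(.*)$") { $Matches[1].Trim() } else { '' }
    }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        User          = & $get 'Account Name'
        Client        = & $get 'Client Friendly Name'
        NetworkPolicy = & $get 'Network Policy Name'
        EapType       = & $get 'EAP Type'
        ReasonCode    = [int](& $get 'Reason Code')
    }
}

# One line per (policy, reason) pair, with a count and the hint if we know one.
$rows | Group-Object NetworkPolicy, ReasonCode | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        NetworkPolicy = $first.NetworkPolicy
        ReasonCode    = $first.ReasonCode
        Count         = $_.Count
        Hint          = if ($reasonHints.ContainsKey($first.ReasonCode)) {
                            $reasonHints[$first.ReasonCode]
                        } else { 'unknown - read the Reason text in the event' }
    }
} | Format-Table -AutoSize -Wrap
```

For the thread's case this prints one row for "Connections to other access servers" with reason 66 and one for "Secure Wireless Connections" with reason 22, which is the pattern you get when the intended policy only accepts an EAP type the client is not sending.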
 
Jakob Digranes (Senior Consultant) commented:
The error message you get explains that your clients are trying to authenticate with an authentication mechanism which the server does not understand/allow.

You've set up your Radius server to only allow clients that authenticate themselves with a valid unique client certificate installed in computer and/or user account.
(  - Constraints: Authentication Methods: EAP Types has "Microsoft: Smart Card or other certificate")
But you mention only that you've deployed AD CA as a Trusted Root CA - not unique client certificate. That would be presenting yourself with your nationality, rather than your name AND nationality when entering a foreign country.

Either you need to enroll unique user and/or computer certificates to ALL users and/or computers, or you need to change constraints to PEAP with PEAP-MS-CHAP v2, where clients authenticate themselves using their username and password in the domain,
OR
you need to make sure that unique client certificates are installed in the computers' machine/user store (mmc > Certificates > Personal) and still use EAP-TLS.
0
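The point of the answer above is that "Smart Card or other certificate" (EAP-TLS) requires the client to present its own certificate, and a trusted root CA in the client's store is not that. Before switching the policy to PEAP, it is worth checking what the client actually has. The script below is an added example, not part of the thread; it assumes it runs as Administrator on a domain-joined client and looks in the machine "Personal" store. It reports, for each certificate there, whether NPS could accept it for EAP-TLS: a private key must be present, the Client Authentication EKU (1.3.6.1.5.5.7.3.2) must be set, the certificate must be within its validity period, and it must chain to the enterprise root named in the thread.

```powershell
# Added example (not from the thread): find a certificate in the machine store that
# is usable for EAP-TLS against the enterprise CA named in the thread.
# Run as Administrator on the client. Root CA name is taken from the original post.

$rootCaName    = 'ag-us-AG-ADIR2-CA'   # from the thread
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-EapTlsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    if (-not ($Cert.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)) {
        $problems += 'missing Client Authentication EKU'
    }
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $problems += 'outside validity period' }

    # Build the chain offline; NPS performs its own revocation checking when it validates.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($Cert)
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }
    if (-not $built) {
        $problems += ('chain build failed: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','))
    } elseif ($null -eq $root -or $root.Subject -notmatch [regex]::Escape($rootCaName)) {
        $problems += "does not chain to $rootCaName"
    }

    # The template extension tells you which AD CS template issued the certificate.
    $template = $Cert.Extensions |
        Where-Object { $_.Oid.FriendlyName -eq 'Certificate Template Information' } |
        ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        Subject         = $Cert.Subject
        Thumbprint      = $Cert.Thumbprint
        Template        = $template
        UsableForEapTls = ($problems.Count -eq 0)
        Problems        = ($problems -join '; ')
    }
}

$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-EapTlsCertificate -Cert $_ }
$results | Format-Table -AutoSize -Wrap

if (-not ($results | Where-Object UsableForEapTls)) {
    Write-Warning ('No EAP-TLS-usable machine certificate found. Either auto-enroll a client ' +
                   'certificate template (e.g. the built-in Workstation Authentication template) ' +
                   'from the CA, or switch the NPS policy to PEAP-MS-CHAP v2 as suggested.')
}
```

If every row comes back with "missing Client Authentication EKU" or the store is empty apart from the root, the client has nothing to present for EAP-TLS, which matches the reason 22 rejects in the question. The same check against `Cert:\CurrentUser\My` covers the user-certificate case.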
 
Jakob Digranes (Senior Consultant) commented:
You've created a certificate for validating the identity of the NPS server to the client. I can't see that you've deployed any certificates to the client computers.

Try changing the authentication method on the server from Smart Card or other certificate (which means that the client is authenticating itself by showing a unique client certificate) to Protected EAP with an inner method of MS-CHAP v2.
That way clients will encrypt the EAP session (protect it) using the NPS server's certificate and authenticate themselves using their domain username and password.

Make sure you set the settings on the client computers the same way.
0
 
v-2sukum commented:
Hi Xourque,

I request you to use the CHAP 2 protocol; even I faced the same situation.
0
 
Xourque (Author) commented:
I'm having a hard time understanding your replies (both of them). Care to try explaining them again?
0
 
Xourque (Author) commented:
Thank you Jakob di,

It does work perfectly with PEAP, thanks for that suggestion.

Perhaps in the future I can figure out how to get EAP-TLS working. I've tried running through a few guides out there and they don't show creating unique client certificates. Is there a guide you can link me to?
0
 
Bes4dmin commented:
Hi Xourque, did you manage to get it working with EAP?
0
Question has a verified solution.