Single AP, no controller, EAP authentication problem

Posted on 2012-08-16
Last Modified: 2012-12-11
I've set up my Windows 2008R2 domain controller according to this document:

I have a single AP which I've set up to authenticate with the NPS.

The certificates from the CA are distributed to all of my Windows 7 clients.

When I try to connect I see the attempt AP. On the client I get an EAP-TLS authentication box where I can enter a username/password. Even if I enter the correct one, I can't connect.

On the NPS server I get the following message in the application log:

EventID: 1006
Source: EapHost
Info: Negotiation failed. Requested EAP methods not available

I've tried the following EAP types:
Microsoft: Smart Card or other certificate
Microsoft: Protected EAP
Microsoft Secured password (EAP-MSCHAP v2)

Neither works.

Does anyone know what I'm doing wrong?
Question by: computication

    Expert Comment

    by: Jakob Digranes
    Looks like your client certificate doesn't have the correct OID;
    user certificates must contain the Client Authentication EKU (the object identifier).

    Please post screen shots of NPS policy and client wireless profile
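
The EKU check raised in the comment above, as an added example that is not part of the original thread: it lists the certificates in the client's personal stores and flags any that lack the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), have no private key, or are outside their validity period. The function name `Test-EapTlsClientCert` and the choice of stores are assumptions made for this example.

```powershell
# Added example, not from the thread. Written for Windows PowerShell 2.0+ (Windows 7).
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication EKU)

# Hypothetical helper: summarises the properties of one certificate that
# matter when it is offered as an EAP-TLS client credential.
function Test-EapTlsClientCert {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Store = ''
    )

    # Collect the OIDs from the Enhanced Key Usage extension, if one is present.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    $now = Get-Date
    New-Object PSObject -Property @{
        Store         = $Store
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        # False when the EKU extension is absent or does not list clientAuth.
        HasClientAuth = ($ekuOids -contains $ClientAuthOid)
        HasPrivateKey = $Cert.HasPrivateKey
        InValidity    = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
    }
}

# Assumption: user and computer certificates live in the default "My" stores.
$results = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem -Path $store |
        ForEach-Object { Test-EapTlsClientCert -Cert $_ -Store $store }
}

$results |
    Select-Object Store, Subject, Thumbprint, HasClientAuth, HasPrivateKey, InValidity |
    Format-Table -AutoSize
```
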

    Author Comment

    The client certificate contains the identifier you mentioned.

    I've attached screenshot of the settings.

    Expert Comment

    by: Jakob Digranes
    Remove check marks for MsChap and MsChapv2 and highlight PEAP and choose edit. What inner authentication method have you chosen?

    Author Comment

    Thank you for the help.

    I've disabled them, no result, and I've attached the PEAP properties window.

    Expert Comment

    by: Craig Beck
    In the Client-PEAPsettings.jpg screenshot you have the 'Validate Server Certificate' box checked, but you don't have a CA checked.  Untick the 'Validate Server Certificate' box and try again.

    Author Comment

    Tried, same result. I've turned on the NPS tracking. In the IASSAM.log I get the following error:
    [5320] 08-20 11:32:16:504: Successfully retrieved session (77) for user DALWEG48\MARTIJNP$.
    [5320] 08-20 11:32:16:504: Processing output from EAP: action:2
    [5320] 08-20 11:32:16:504: Translating attributes returned by EAPHost.
    [5320] 08-20 11:32:16:504: EAP authentication failed.
    [5320] 08-20 11:32:16:504: No AUTHENTICATION extensions, continuing
    [5320] 08-20 11:32:16:504: No AUTHORIZATION extensions, continuing
    [5320] 08-20 11:32:16:504: Inserting outbound EAP-Message of length 4.

    Accepted Solution

    There is some sort of corruption on the server where I installed NPS. I just finished installing NPS on a new server, put in the basic configuration and it works.

    I'll just move the NPS to a different server.

    Thank you for all your help.

    Kind regards,

    Author Closing Comment

    Installed service on other server and that resolved it.