Single AP, no controller, EAP authentication problem

I've set up my Windows 2008R2 domain controller according to this document:

I have a single AP which I've set up to authenticate with the NPS.

The certificates from the CA are distributed to all of my Windows 7 clients.

When I try to connect, I see the attempt on the AP. On the client I get an EAP-TLS authentication box where I can enter a username/password. Even if I enter the correct one, I can't connect.

On the NPS server I get the following message in the application log:

EventID: 1006
Source: EapHost
Info: Negotiation failed. Requested EAP methods not available

I've tried the following EAP types:
Microsoft: Smart Card or other certificate
Microsoft: Protected EAP
Microsoft Secured password (EAP-MSCHAP v2)

Neither works.

Does anyone know what I'm doing wrong?
computication (Author) Commented:
There is some sort of corruption on the server where I installed NPS. I just finished installing NPS on a new server, put in the basic configuration and it works.


I'll just move the NPS to a different server.


Thank you for all your help.


Kind regards,


Jakob Digranes (Senior Consultant) Commented:
Looks like your client certificate doesn't have the correct OID;
User certificates must contain the Client Authentication EKU (the object identifier).

Please post screenshots of NPS policy and client wireless profile
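
One way to check the Client Authentication EKU mentioned above on a client, as an added example that is not part of the original thread. The function name `Test-EapTlsClientCert` is hypothetical, and the private-key and validity-period checks are extra sanity checks assumed here, not requirements stated in the thread.

```powershell
# Added example (not from the thread): list certificates in the personal
# stores and report whether each carries the Client Authentication EKU.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-EapTlsClientCert {       # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Locate the Enhanced Key Usage extension, if the certificate has one.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $now = Get-Date
    $result = New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasEku        = [bool]$eku      # false: no EKU extension at all
        ClientAuthEku = ($oids -contains $ClientAuthOid)
        HasPrivateKey = $Cert.HasPrivateKey
        InValidity    = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
    }
    # Assumption: a usable client certificate also needs its private key
    # and must be inside its validity period.
    $usable = $result.ClientAuthEku -and $result.HasPrivateKey -and $result.InValidity
    $result | Add-Member -MemberType NoteProperty -Name Usable -Value $usable -PassThru
}

# Check both the user store and the computer store.
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem -Path $store | ForEach-Object {
        Test-EapTlsClientCert -Cert $_ |
            Add-Member -MemberType NoteProperty -Name Store -Value $store -PassThru
    } | Format-Table Store, Subject, HasEku, ClientAuthEku, HasPrivateKey, InValidity, Usable -AutoSize
}
```

Reading `Cert:\LocalMachine\My` private-key status may require an elevated prompt.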
computication (Author) Commented:
The client certificate contains the identifier you mentioned.

I've attached a screenshot of the settings.
Jakob Digranes (Senior Consultant) Commented:
Remove check marks for MsChap and MsChapv2 and highlight PEAP and choose edit. What inner authentication method have you chosen?
computication (Author) Commented:
Thank you for the help.

I've disabled them, no result, and I've attached the PEAP properties window.
Craig Beck Commented:
In the Client-PEAPsettings.jpg screenshot you have the 'Validate Server Certificate' box checked, but you don't have a CA checked.  Untick the 'Validate Server Certificate' box and try again.
computication (Author) Commented:
Tried, same result. I've turned on the NPS tracking. In the IASSAM.log I get the following error:
[5320] 08-20 11:32:16:504: Successfully retrieved session (77) for user DALWEG48\MARTIJNP$.
[5320] 08-20 11:32:16:504: Processing output from EAP: action:2
[5320] 08-20 11:32:16:504: Translating attributes returned by EAPHost.
[5320] 08-20 11:32:16:504: EAP authentication failed.
[5320] 08-20 11:32:16:504: No AUTHENTICATION extensions, continuing
[5320] 08-20 11:32:16:504: No AUTHORIZATION extensions, continuing
[5320] 08-20 11:32:16:504: Inserting outbound EAP-Message of length 4.
computication (Author) Commented:
Installed service on other server and that resolved it.
Question has a verified solution.
