New CA & WPA2-EAP Wireless Network Using Network Policy Server (NPS), AD and Group Policies

Posted on 2012-08-23
Last Modified: 2012-08-24
I decommissioned the old CA server, a 2008 SP2 Domain Controller. I also removed all instances of it in AD. I set up a new CA server, a 2008 R2 member server. But I can't get my laptops to authenticate with the new CA server. It is a member server running Windows 2008 R2 SP1. I get this error message when the client attempts to authenticate: "The following fatal alert was generated: 20. The internal error state is 960"
It also generates this message in the Event Viewer, under Security:
Your help is greatly appreciated.

Log Name:      Security
 Source:        Microsoft-Windows-Security-Auditing
 Date:          8/23/2012 9:20:57 AM
 Event ID:      6273
 Task Category: Network Policy Server
 Level:         Information
 Keywords:      Audit Failure
 User:          N/A
 Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
     Security ID:            USER\temp17-L$
     Account Name:            host/
     Account Domain:            USER
     Fully Qualified Account Name:    USER\temp17-L$
Client Machine:
     Security ID:            NULL SID
     Account Name:            -
     Fully Qualified Account Name:    -
     OS-Version:            -
     Called Station Identifier:        00-19-77-31-07-51:CORP-WIFI
     Calling Station Identifier:        00-24-D7-EB-AB-EC
     NAS IPv4 Address:
     NAS IPv6 Address:        -
     NAS Identifier:            AP05
     NAS Port-Type:            Wireless - IEEE 802.11
     NAS Port:            0
RADIUS Client:
     Client Friendly Name:        AP05
     Client IP Address:  
Authentication Details:
     Connection Request Policy Name:    Secure Wireless Connections
     Network Policy Name:        Secure Wireless Connections
     Authentication Provider:        Windows
     Authentication Server:
     Authentication Type:        PEAP
     EAP Type:            -
     Account Session Identifier:        -
     Logging Results:            Accounting information was written to the local log file.
     Reason Code:            23
     Reason:                An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Event Xml:
 <Event xmlns="">
     <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
     <TimeCreated SystemTime="2012-08-23T14:20:57.065095800Z" />
     <Correlation />
     <Execution ProcessID="484" ThreadID="532" />
     <Security />
     <Data Name="SubjectUserSid">S-1-5-21-350318053-1507942464-6498272-9267</Data>
     <Data Name="SubjectUserName">host/</Data>
     <Data Name="SubjectDomainName">USER</Data>
     <Data Name="FullyQualifiedSubjectUserName">USER\temp17-L$</Data>
     <Data Name="SubjectMachineSID">S-1-0-0</Data>
     <Data Name="SubjectMachineName">-</Data>
     <Data Name="FullyQualifiedSubjectMachineName">-</Data>
     <Data Name="MachineInventory">-</Data>
     <Data Name="CalledStationID">00-19-77-31-07-51:CORP-WIFI</Data>
     <Data Name="CallingStationID">00-24-D7-EB-AB-EC</Data>
     <Data Name="NASIPv4Address"></Data>
     <Data Name="NASIPv6Address">-</Data>
     <Data Name="NASIdentifier">AP05</Data>
     <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
     <Data Name="NASPort">0</Data>
     <Data Name="ClientName">AP05</Data>
     <Data Name="ClientIPAddress"></Data>
     <Data Name="ProxyPolicyName">Secure Wireless Connections</Data>
     <Data Name="NetworkPolicyName">Secure Wireless Connections</Data>
     <Data Name="AuthenticationProvider">Windows</Data>
     <Data Name="AuthenticationServer"></Data>
     <Data Name="AuthenticationType">PEAP</Data>
     <Data Name="EAPType">-</Data>
     <Data Name="AccountSessionIdentifier">-</Data>
     <Data Name="ReasonCode">23</Data>
     <Data Name="Reason">An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.</Data>
     <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
Question by:Atiba

    Accepted Solution

I was able to figure it out. It was something to do with the computer certificate not being installed on the server. Go to Start, Run, type mmc, and go to File, Add or Remove Snap-ins; add Certificates under Available Snap-ins and hit OK, choose Computer account, hit Next, then Finish and OK. Click on the + sign on Certificates (Local Computer) --> Personal --> Certificates, right-click and choose All Tasks and request a new certificate; click Next, choose Active Directory Enrollment Policy and click Next, check the Computer box and click on the Enrollment button.
A computer certificate is created. And when the laptops are connected via a LAN connection, it then pushes down the certs, and thereafter they can begin to authenticate to the corporate network.
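As an added example that is not part of the original answer, the PowerShell below automates what the accepted solution does by hand: it checks the NPS server's Local Computer, Personal store for a certificate PEAP can use, enrolls one from the "Computer" template if none exists, and gives a client-side check that the issuing CA has been pushed down to a laptop. It assumes certreq.exe is available (Windows Server 2008 R2 and later) and that the "Computer" template's internal name is Machine.

```powershell
# Added example, not code from the original post. Run elevated on the NPS server.
# Assumptions: certreq.exe is present, and the "Computer" template's internal
# name is "Machine" (the MMC wizard shows the display name "Computer").

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, the EKU NPS needs for PEAP
$TemplateName  = 'Machine'             # internal name of the "Computer" template

function Get-PeapServerCert {
    # Uses the .NET X509Store class instead of the PKI module so it also runs
    # on PowerShell 2.0, which is what Windows Server 2008 R2 ships with.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $now = Get-Date
        $store.Certificates | Where-Object {
            $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
            ($_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $ServerAuthOid })
        }
    } finally { $store.Close() }
}

function Test-ClientTrustsIssuer([string]$IssuerDn) {
    # Run on a laptop: is the CA that signed the NPS certificate in the Trusted
    # Root store? That is what the LAN connection in the answer "pushes down"
    # via Group Policy. Assumes a single-tier (root) CA; with a subordinate CA,
    # check the chain's root instead of the direct issuer.
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $root.Open('ReadOnly')
    try { [bool]($root.Certificates | Where-Object { $_.Subject -eq $IssuerDn }) }
    finally { $root.Close() }
}

$cert = Get-PeapServerCert | Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert) {
    "PEAP server certificate OK: {0} issued by {1}, expires {2}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter
    "On each laptop, confirm trust with: Test-ClientTrustsIssuer '$($cert.Issuer)'"
} else {
    "No usable Server Authentication certificate found; enrolling from template '$TemplateName'"
    # Same request the MMC wizard submits against the Active Directory enrollment policy.
    & certreq.exe -enroll -machine -q $TemplateName
    if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
}
```

After enrolling, restart the Network Policy Server service so NPS picks up the new certificate in the PEAP settings of the network policy.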
