?
Solved

New CA & WPA2-EAP Wireless Network Using Network Policy Server (NPS), AD and Group Policies

Posted on 2012-08-23
1
Medium Priority
?
1,268 Views
Last Modified: 2012-08-24
I decommisioned the old CA server 2008 SP2 Domain Controller. I also removed all instances of it in AD. I setup a new CA Server 2008 R2 Member server.  But I can't get my laptops to authenticate with the new CA Server. It is a member server running Windows 2008 R2 SP1.  I get this error message when the client attempts to authenticate. "The following fatal alert was generated: 20. The internal error state is 960"
 
and also on the Event Viewer in Security option. It generates this message also...
Your help is greatly appreciated.
 

Log Name:      Security
 Source:        Microsoft-Windows-Security-Auditing
 Date:          8/23/2012 9:20:57 AM
 Event ID:      6273
 Task Category: Network Policy Server
 Level:         Information
 Keywords:      Audit Failure
 User:          N/A
 Computer:      CERTSERV.domain1.com
 Description:
 Network Policy Server denied access to a user.
 
Contact the Network Policy Server administrator for more information.
 
User:
     Security ID:            USER\temp17-L$
     Account Name:            host/temp17-L.domain1.com
     Account Domain:            USER
     Fully Qualified Account Name:    USER\temp17-L$
 
Client Machine:
     Security ID:            NULL SID
     Account Name:            -
     Fully Qualified Account Name:    -
     OS-Version:            -
     Called Station Identifier:        00-19-77-31-07-51:CORP-WIFI
     Calling Station Identifier:        00-24-D7-EB-AB-EC
 
NAS:
     NAS IPv4 Address:        10.1.0.87
     NAS IPv6 Address:        -
     NAS Identifier:            AP05
     NAS Port-Type:            Wireless - IEEE 802.11
     NAS Port:            0
 
RADIUS Client:
     Client Friendly Name:        AP05
     Client IP Address:            10.1.0.87
 
Authentication Details:
     Connection Request Policy Name:    Secure Wireless Connections
     Network Policy Name:        Secure Wireless Connections
     Authentication Provider:        Windows
     Authentication Server:        CERTSERV.domain1.com
     Authentication Type:        PEAP
     EAP Type:            -
     Account Session Identifier:        -
     Logging Results:            Accounting information was written to the local log file.
     Reason Code:            23
     Reason:                An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
 
Event Xml:
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
   <System>
     <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
     <EventID>6273</EventID>
     <Version>1</Version>
     <Level>0</Level>
     <Task>12552</Task>
     <Opcode>0</Opcode>
     <Keywords>0x8010000000000000</Keywords>
     <TimeCreated SystemTime="2012-08-23T14:20:57.065095800Z" />
     <EventRecordID>49173</EventRecordID>
     <Correlation />
     <Execution ProcessID="484" ThreadID="532" />
     <Channel>Security</Channel>
     <Computer>CERTSERV.domain1.com</Computer>
     <Security />
   </System>
   <EventData>
     <Data Name="SubjectUserSid">S-1-5-21-350318053-1507942464-6498272-9267</Data>
     <Data Name="SubjectUserName">host/temp17-L.domain1.com</Data>
     <Data Name="SubjectDomainName">USER</Data>
     <Data Name="FullyQualifiedSubjectUserName">USER\temp17-L$</Data>
     <Data Name="SubjectMachineSID">S-1-0-0</Data>
     <Data Name="SubjectMachineName">-</Data>
     <Data Name="FullyQualifiedSubjectMachineName">-</Data>
     <Data Name="MachineInventory">-</Data>
     <Data Name="CalledStationID">00-19-77-31-07-51:CORP-WIFI</Data>
     <Data Name="CallingStationID">00-24-D7-EB-AB-EC</Data>
     <Data Name="NASIPv4Address">10.1.0.87</Data>
     <Data Name="NASIPv6Address">-</Data>
     <Data Name="NASIdentifier">AP05</Data>
     <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
     <Data Name="NASPort">0</Data>
     <Data Name="ClientName">AP05</Data>
     <Data Name="ClientIPAddress">10.1.0.87</Data>
     <Data Name="ProxyPolicyName">Secure Wireless Connections</Data>
     <Data Name="NetworkPolicyName">Secure Wireless Connections</Data>
     <Data Name="AuthenticationProvider">Windows</Data>
     <Data Name="AuthenticationServer">CERTSERV.domain1.com</Data>
     <Data Name="AuthenticationType">PEAP</Data>
     <Data Name="EAPType">-</Data>
     <Data Name="AccountSessionIdentifier">-</Data>
     <Data Name="ReasonCode">23</Data>
     <Data Name="Reason">An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.</Data>
     <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
   </EventData>
 </Event>
0
Comment
Question by:Atiba
1 Comment
 

Accepted Solution

by:
Atiba earned 0 total points
ID: 38329518
I was able to figure it out. It was something to do with the computer certificate not installed on the server.  Go to Start Run type mmc and go to File Add or Remove Snap-ins Add Certificates under Available Snap-ins and hit ok and choose Computer account  and hit Next and hit Finish and OK.  Click on teh + sing on Certificates (Local Computer)--> Personal-->Certificates - Right Click and Chooese All Taks and request a new Certificate - click next and Choose Active Directory Enrollment Policy and Click Next - check box Computer and click on the Enrollment button.
A computer Certificate is created. And when the laptops are connected via a LAN connection it then pushes down the certs and thereafter they can begin to authenticate the corporate network.
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
Experts Exchange expands question security options for members.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question