Posted on 2013-06-06
Last Modified: 2013-07-26
Hi,

AIM: My aim is to implement a RADIUS server using Server 2008 R2 and allow my Cisco Small Business WAP-321 to authenticate clients using domain credentials.

I want to use EAP-MSCHAP V2 as an authentication protocol to authenticate my wireless clients.

My Setup:
I have a domain controller which is running Exchange, DNS and DHCP on it.

And now I have an ESXi server box running a Server 2008 R2 Enterprise edition, in which I have installed the NPS role and configured the Network Policy Server using the attached document.

Also I have configured my Cisco AP to use this RADIUS server for authentication, with the authentication protocol set to WPA Enterprise.


Now the issue is, when I try to connect my wireless clients, the connection is unsuccessful.

I checked the NPS logs and they say the below:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

	Security ID:			NULL SID
	Account Name:			domain\username
	Account Domain:			domain
	Fully Qualified Account Name:	domain\username

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		D8-67-D9-D1-E9-20:ADRJSLEDFIWMDWOQFDFPE
	Calling Station Identifier:		8C-70-5A-47-B9-AC

	NAS IPv4 Address:
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			0

RADIUS Client:
	Client Friendly Name:		AP-001
	Client IP Address:

Authentication Details:
	Connection Request Policy Name:	Wireless Users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:
	Authentication Type:		EAP
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			22
	Reason:				The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.


I have not installed any CA on this server.

So please advise me whether I have implemented the setup properly, and do advise me how to fix this NPS authentication issue, so that I can authenticate our clients.

The document I used to implement my setup is this link below

Please advise
Question by:nirmal_s19
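The denial in the log above is NPS event 6273 with Reason Code 22. As an added example (not part of the original question or answers), this PowerShell script summarises recent 6273 events on the NPS server by reason code and lists the Reason 22 ones, so a method mismatch like this stands out from other denials. It assumes PowerShell 3.0 or later and an elevated session on the NPS box; the field names it parses are the ones shown in the excerpt.

```powershell
# Added example: summarise NPS "denied access" events (Security log, Event ID 6273)
# by Reason Code, and list the Reason Code 22 ones (EAP Type cannot be processed).
# Assumes PowerShell 3.0+ and an elevated prompt on the NPS server.
param(
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 6273                          # Network Policy Server denied access to a user
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull one labelled field ("Reason Code:", "EAP Type:", ...) out of the event text.
# Anchoring at line start keeps "Account Name:" from matching "Fully Qualified Account Name:".
function Get-Field([string]$Text, [string]$Name) {
    if ($Text -match "(?m)^\s*$([regex]::Escape($Name)):\s*(.*?)\s*$") { return $Matches[1] }
    return '-'
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time         = $e.TimeCreated
        Account      = Get-Field $e.Message 'Account Name'          # first match = the user
        ClientMAC    = Get-Field $e.Message 'Calling Station Identifier'
        RadiusClient = Get-Field $e.Message 'Client Friendly Name'
        Policy       = Get-Field $e.Message 'Network Policy Name'
        EapType      = Get-Field $e.Message 'EAP Type'
        ReasonCode   = Get-Field $e.Message 'Reason Code'
    }
}

# Overview: which reason codes are being hit, most frequent first.
$rows | Group-Object ReasonCode | Sort-Object Count -Descending |
    Select-Object @{n = 'ReasonCode'; e = { $_.Name }}, Count |
    Format-Table -AutoSize

# Reason Code 22 with EAP Type "-" and no matched Network Policy is the pattern in the
# question: the client asked for an EAP method that no network policy could process.
$rows | Where-Object { $_.ReasonCode -eq '22' } |
    Select-Object Time, Account, ClientMAC, RadiusClient, Policy, EapType |
    Format-Table -AutoSize
```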
LVL 21

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 500 total points
ID: 39225173
The error message you get is most likely due to a mismatch between settings on the PC and the server.
The client tries to use an authentication method that the server hasn't configured.

But you have a CA setup internally?

If so - configure policies to use PEAP with MsChap as inner method.
MsChap is broken - so you need a secure PEAP tunnel to exchange the MsChap challenge.

and never never use the "less secure authentication methods" as they are --- not secure 

Try this.

Also - you could post settings on client computer ---
and also you can take a screen shot of constraints --- see my attached picture

Author Comment

ID: 39226222

I'm getting an error message when I try to open the CA, and the error code is attached for your reference.

Also I have attached the client and NPS server side settings for your examination.

Can you please advise me how to get this working without a certificate.

But also, is there a way to install a standalone CA on this server or use a certificate from an external certificate authority?

Please advise....
LVL 21

Expert Comment

by:Jakob Digranes
ID: 39226406
Yes --- you can install a CA without a public certificate.
The link I sent included setup of a simple internal CA.

LVL 21

Expert Comment

by:Jakob Digranes
ID: 39226438
The certificate error is natural, the service isn't installed. Add/Remove Roles and you're there.
For the client setup - it looks good.

Your clients try to set up a PEAP session, which your server won't allow since it has no certificate to use for the PEAP.

On server side:
- Don't worry with Connection request policies - Those are there for proxying to other servers
- on Network Policies, do the following:
remove MsChap as EAP Type
remove ALL less secure authentication methods
That leaves you with just PEAP - then choose edit PEAP and add MsChap as inner authentication method. But then you need a certificate on NPS server - which you don't have.

Quick fix is to use just MsChapV2 as EAP Type (not recommended) - but then your clients must use MsChap only as well -- in "Choose a network authentication method" --- I must admit that I'm not sure if MsChap is a valid choice there ----

Author Comment

ID: 39227616
Can I install a standalone CA on this RADIUS server box? I don't want a domain-based CA.

Author Comment

ID: 39227763
Also, will there be an issue if I happen to install an Enterprise CA, and how should I find out whether there are any CAs already installed in the domain?

Author Comment

ID: 39227898
Any help please
LVL 21

Expert Comment

by:Jakob Digranes
ID: 39228149
You can have a stand-alone CA - but then you'd run into trust issues all the time. You must add the root certificate to all PCs then.

No problem having several Enterprise CAs in the domain - other than it might be hard to keep track of all certificates and templates if you have many CAs --- but you don't mess up anything - just one thing.... Do not add many certificate templates to the new server, and for the templates you add - make sure that you create new groups for auto enrollment of certificates, to make sure you don't enroll your test certificates to all domain users... but as long as you make sure no groups other than your new group are set for autoenrollment, you're safe. You set this in your certificate templates when you duplicate and add them to the certificate server.
LVL 21

Expert Comment

by:Jakob Digranes
ID: 39228180
Here's a nice guide for a basic CA installation

This is based on one CA both root and issuing.

If your company is large or in some special branches, you might need an offline root and then subordinate issuing CAs... but for just issuing a certificate to an NPS - you only need the easy setup.
This setup includes both CA and NPS setup:

Author Comment

ID: 39228479
I managed to install a standalone CA and got a server certificate issued.

But the NAP server gives the same error: "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server".

My AD is running on Server 2003 R2 servers, and this VM on which I have installed Server 2008 R2 is a domain member server.

We also have an Exchange 2003 server running on another Server 2003 box.

I ran a command called "certutil -config - -ping" to check whether there are any CAs installed and it said "No Active Certificate Authorities Found".

Now...... Do you recommend that I can still install a CA on this VM with Server 2008 R2, and will my Outlook clients or the workstations have any issues if I install this Enterprise Root CA?

Should I go ahead installing an Enterprise CA on this VM box?

Author Comment

ID: 39228498
Also I forgot to tell you that I've installed vSphere Server 5.1 on this same VM in which I have planned to install the Enterprise CA.
LVL 21

Accepted Solution

Jakob Digranes earned 500 total points
ID: 39228527
OK --- we'll sort this out.
Could probably have written several pages on how certification works --- but these are the essentials that you need.

Error 1: I ran a command called "certutil -config - -ping" to check whether there are any CAs installed and it said "No Active Certificate Authorities Found"
That is as expected: since you installed a stand-alone certificate server, no one is aware that it exists, other than you and the stand-alone server. When an Enterprise CA is set up, it adds quite a few settings in the directory container - so that clients looking for a certificate can find it through an SCP. A stand-alone doesn't create an SCP so no one can find it. You could create this manually - but don't bother.

ERROR 2: But the NAP server gives the same error: "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server".
To get PEAP working you need to make sure that the NPS server trusts the certificate that it has, make sure that the root certificate for the issued certificate is installed as well, and that the server has the private key to the certificate. But this is not an issue when using an Enterprise CA.

When you install an Enterprise CA - the only thing (except design (!)) is not having any templates to begin with that can start auto enrolling. Depending on what people have done to GPOs in your domain earlier - they might have turned on auto enrollment on the entire domain.... if you have templates set up for auto enrollment, all users and computers MIGHT get certificates. But just getting certificates will not break anything - it could be a bit troublesome if you later on decide on authenticating clients based on EAP-TLS and certificates ...

Go ahead and install an Enterprise CA, all you need is one certificate for the NPS...

And remember, in a year or so - the certificate expires and you need to enroll for a new one :-)
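
The accepted answer lists what the NPS server's certificate must satisfy before PEAP works: the server trusts its chain, the root certificate is installed, and the private key is present (and, as the last line notes, it must not have expired). As an added example, not code from the thread, this PowerShell script checks the local machine store for a certificate meeting those conditions. It assumes PowerShell 3.0 or later and an elevated session on the NPS server; it does not touch any NPS settings.

```powershell
# Added example: find certificates in LocalMachine\My that NPS could use for PEAP and
# report why each one is or is not usable. Assumes PowerShell 3.0+, run elevated on NPS.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, required on a PEAP server cert

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and                                    # private key must be present
    $_.NotAfter -gt (Get-Date) -and                          # not expired
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
}

if (-not $candidates) {
    Write-Warning 'No unexpired certificate with a private key and Server Authentication EKU in LocalMachine\My.'
    Write-Warning 'NPS will keep rejecting PEAP (Reason Code 22) until one is enrolled.'
    return
}

foreach ($cert in $candidates) {
    # Build the chain the way the server would; revocation is checked separately in practice.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainBuilds = $chain.Build($cert)

    # The last element is the root the chain ended on; it must sit in the trusted root store.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootInStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint })

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        Expires       = $cert.NotAfter
        PrivateKey    = $cert.HasPrivateKey
        ChainBuilds   = $chainBuilds
        ChainStatus   = ($chain.ChainStatus.StatusInformation -join '; ').Trim()
        RootInStore   = $rootInStore
        UsableForPEAP = ($chainBuilds -and $rootInStore)
    }
}
```

A row with ChainBuilds false and an empty RootInStore is the stand-alone CA case from the thread: the issuing root has to be imported into LocalMachine\Root on the NPS server before the certificate can be selected in the PEAP properties.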

Author Comment

ID: 39228554
I have checked the GPO settings on the AD for the Default Domain Policy, and under User Configuration, Auto Enrolment settings, it has been configured to "Enrol for Certificates Automatically".

Should I disable this Auto Enrolment feature before I install this new Root Enterprise CA?
LVL 21

Expert Comment

by:Jakob Digranes
ID: 39228560
Yes -- please do
Do the same for Computer Configuration as well
LVL 22

Expert Comment

ID: 39228955
I know this is not addressing an answer to the issue at hand, but this link has some good how-to videos and labs for setting up NPS

Author Closing Comment

ID: 39357297
