Posted on 2013-06-06
Medium Priority
Last Modified: 2013-07-26
Hi,

Aim: My aim is to implement a RADIUS server using Server 2008 R2 and allow my Cisco Small Business WAP-321 to authenticate clients using domain credentials.

I want to use EAP-MSCHAPv2 as the authentication protocol to authenticate my wireless clients.

My setup:
I have a domain controller which is running Exchange, DNS and DHCP on it.

And now I have an ESXi server box running a Server 2008 R2 Enterprise edition, in which I have installed the NPS role and configured the Network Policy Server using the attached document.

Also I have configured my Cisco AP to use this RADIUS server for authentication, with WPA Enterprise as the authentication protocol.

Now the issue is, when I try to connect my wireless clients, the connection is unsuccessful.

I checked the NPS logs and they say the below:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

	Security ID:			NULL SID
	Account Name:			domain\username
	Account Domain:			domain
	Fully Qualified Account Name:	domain\username

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		D8-67-D9-D1-E9-20:ADRJSLEDFIWMDWOQFDFPE
	Calling Station Identifier:		8C-70-5A-47-B9-AC

	NAS IPv4 Address:
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			0

RADIUS Client:
	Client Friendly Name:		AP-001
	Client IP Address:

Authentication Details:
	Connection Request Policy Name:	Wireless Users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		radius.domain.net
	Authentication Type:		EAP
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			22
	Reason:				The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.


I have installed any CA on this server.

So please advise me whether I have implemented the setup properly, and do advise me how to fix this NPS authentication issue, so that I can authenticate our clients.

The document I used to implement my setup is this link below


Please advise
Question by:nirmal_s19
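As an added example (not part of the question or any of the answers), the PowerShell below parses an NPS "denied access" event message like the one quoted above into its fields and annotates the Reason Code. NPS writes these events to the Security log as Event ID 6273. The sample message is constructed from the event in the question; the reason-code table holds standard NPS codes, with 22 being the one shown here; the function name is hypothetical.

```powershell
# Added example (not from the original thread): triage NPS "denied access" events.
# NPS writes these to the Security log as Event ID 6273 when audit logging is on.

# Sample message constructed from the event quoted in the question.
$SampleDenyMessage = @'
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

	Security ID:			NULL SID
	Account Name:			domain\username
	Account Domain:			domain
	Fully Qualified Account Name:	domain\username

RADIUS Client:
	Client Friendly Name:		AP-001
	Client IP Address:

Authentication Details:
	Connection Request Policy Name:	Wireless Users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		radius.domain.net
	Authentication Type:		EAP
	EAP Type:			-
	Reason Code:			22
	Reason:				The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
'@

# Standard NPS reason codes; 22 is the one in the question.
$NpsReasonMeaning = @{
    16 = 'Credential mismatch: the user name or password was rejected.'
    22 = 'No EAP type on the server could handle the type the client offered (typically PEAP is enabled but NPS has no usable server certificate, or client and server EAP types differ).'
    48 = 'The request matched no configured network policy.'
    66 = 'The client used an authentication method that is not enabled on the matching network policy.'
}

function ConvertFrom-NpsDenyMessage {
    param([Parameter(Mandatory=$true)][string]$Message)

    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        # "Name:<tabs>Value"; split on the first colon only, because the Reason text
        # and the Called Station Identifier contain colons themselves.
        if ($line -match '^\s*([^:]+?):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }

    $code = 0
    if ($fields['Reason Code'] -match '^\d+$') { $code = [int]$fields['Reason Code'] }
    $meaning = 'Unknown reason code; see the NPS reason code reference.'
    if ($NpsReasonMeaning.ContainsKey($code)) { $meaning = $NpsReasonMeaning[$code] }

    # Reason 22 with no network policy named means no policy's EAP types accepted the
    # request: the fix is on the server (PEAP plus certificate), not the user's password.
    $action = 'Review the matching network policy and the user account.'
    if ($code -eq 22 -and $fields['Network Policy Name'] -eq '-') {
        $action = 'Enable PEAP with MS-CHAPv2 as inner method on the network policy and install a server certificate with its private key on NPS; make the client EAP settings match.'
    }

    New-Object PSObject -Property @{
        Account       = $fields['Fully Qualified Account Name']
        RadiusClient  = $fields['Client Friendly Name']
        NetworkPolicy = $fields['Network Policy Name']
        EapType       = $fields['EAP Type']
        ReasonCode    = $code
        Meaning       = $meaning
        SuggestedFix  = $action
    } | Select-Object Account, RadiusClient, NetworkPolicy, EapType, ReasonCode, Meaning, SuggestedFix
}

# Parse the constructed sample.
ConvertFrom-NpsDenyMessage -Message $SampleDenyMessage | Format-List

# On the NPS server itself: summarise the last 200 rejects by reason code.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 200 |
#     ForEach-Object { ConvertFrom-NpsDenyMessage -Message $_.Message } |
#     Group-Object ReasonCode | Select-Object Count, Name
```

Grouping rejects by reason code separates server-side configuration problems (22, 48, 66) from per-user failures (16), which is the first thing to establish before touching either the network policy or the user accounts.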
LVL 22

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 1500 total points
ID: 39225173
The error message you get is most likely due to a mismatch between settings on the PC and the server.
The client tries to use an authentication method that the server hasn't configured.

But you have a CA set up internally?

If so - configure policies to use PEAP with MSCHAP as inner method.
MSCHAP is broken - so you need a secure PEAP tunnel to exchange the MSCHAP challenge.

And never, never use the "less secure authentication methods" as they are --- not secure.


Try this.

Also - you could post the settings on the client computer ---
and you can also take a screenshot of the constraints --- see my attached picture

Author Comment

ID: 39226222

I'm getting an error message when I try to open the CA, and the error code is attached for your reference.

Also I have attached the client and NPS server side settings for your examination.

Can you please advise me how to get this working without a certificate.

But also, is there a way to install a standalone CA on this server or use a certificate from an external certificate authority?

Please advise....
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39226406
Yes --- you can install a CA without a public certificate.
The link I sent included setup of a simple internal CA.

LVL 22

Expert Comment

by:Jakob Digranes
ID: 39226438
The certificate error is natural, the service isn't installed. Add/Remove Roles and you're there.
For the client setup - it looks good.

Your clients try to set up a PEAP session, which your server won't allow since it has no certificate to use for PEAP.

On the server side:
- Don't worry about Connection Request Policies - those are there for proxying to other servers
- On Network Policies, do the following:
  - remove MSCHAP as EAP type
  - remove ALL less secure authentication methods
That leaves you with just PEAP - then choose Edit PEAP and add MSCHAP as the inner authentication method. But then you need a certificate on the NPS server - which you don't have.

Quick fix is to use just MSCHAPv2 as EAP type (not recommended) - but then your clients must use MSCHAP only as well -- in "Choose a network authentication method" --- I must admit that I'm not sure if MSCHAP is a valid choice there ----

Author Comment

ID: 39227616
Can I install a standalone CA on this RADIUS server box? I don't want a domain-based CA.

Author Comment

ID: 39227763
Also, will there be an issue if I happen to install an Enterprise CA, or how should I find out whether there are any CAs already installed in the domain?

Author Comment

ID: 39227898
Any help please
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39228149
You can have a standalone CA - but then you'd run into trust issues all the time. You must add the root certificate to all PCs then.

No problem having several Enterprise CAs in the domain - other than it might be hard to keep track of all certificates and templates if you have many CAs --- but you don't mess up anything. Just one thing.... Do not add many certificate templates to the new server, and for the templates you add - make sure that you create new groups for auto-enrollment of certificates, to make sure you don't enroll your test certificates to all domain users... but as long as you make sure no groups other than your new group are set for autoenrollment, you're safe. You set this in your certificate templates when you duplicate them and add them to the certificate server.
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39228180
Here's a nice guide for a basic CA installation


This is based on one CA being both root and issuing.

If your company is large or in some special branches, you might need an offline root and then subordinate issuing CAs... but for just issuing a certificate to an NPS - you only need the easy setup.
This setup includes both CA and NPS setup: http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/

Author Comment

ID: 39228479
I managed to install a standalone CA and got a server certificate issued.

But the NAP server gives the same error that "The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server".

My AD is running on Server 2003 R2 servers, and this VM machine on which I have installed Server 2008 R2 is a domain member server.

We also have an Exchange 2003 server running on another Server 2003 box.

I ran a command called "certutil -config - -ping" to check whether there are any CAs installed and it said "No Active Certificate Authorities Found".

Now...... Do you recommend that I can still install a CA on this VM with Server 2008 R2, and will my Outlook clients or the workstations have any issues if I install this Enterprise Root CA?

Should I go ahead installing an Enterprise CA on this VM box?

Author Comment

ID: 39228498
Also I forgot to tell you that I've installed vSphere Server 5.1 on this same VM on which I have planned to install the Enterprise CA.
LVL 22

Accepted Solution

Jakob Digranes earned 1500 total points
ID: 39228527
OK --- we'll sort this out.
I could probably have written several pages on how certification works --- but these are the essentials that you need.

Error 1: I ran a command called "certutil -config - -ping" to check whether there are any CAs installed and it said "No Active Certificate Authorities Found"
That is as expected: since you installed a stand-alone certificate server, no one is aware that it exists other than you and the stand-alone server. When an Enterprise CA is set up, it adds quite a few settings in a directory container - so that clients looking for a certificate can find it through an SCP. A stand-alone doesn't create an SCP, so no one can find it. You could create this manually - but don't bother.

Error 2: But the NAP server gives the same error that "The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server".
To get PEAP working you need to make sure that the NPS server trusts the certificate it has, make sure that the root certificate for the issued certificate is installed as well, and that the server has the private key to the certificate. But this is not an issue when using an Enterprise CA.

When you install an Enterprise CA - the only thing (except design (!)) is not having any templates to begin with that can start auto-enrolling. Depending on what people have done to GPOs in your domain earlier - they might have turned on auto-enrollment on the entire domain.... if you have templates set up for auto-enrollment, all users and computers MIGHT get certificates. But just getting certificates will not break anything - it could be a bit troublesome if you later on decide on authenticating clients based on EAP-TLS and certificates ...

Go ahead and install an Enterprise CA, all you need is one certificate for the NPS...

And remember, in a year or so - the certificate expires and you need to enroll for a new one :-)
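The answer above lists what NPS needs from its certificate before PEAP can work: the server must trust the certificate it holds, the issuing root must be installed, and the private key must be present; it also warns that the certificate expires in about a year. As an added example (not from the answer or the linked guide), this PowerShell walks the machine certificate store on the NPS server and reports those conditions for each certificate. The function name and the 30-day warning threshold are the writer's choices; the OIDs are the standard ones for serverAuth and subjectAltName.

```powershell
# Added example (not from the original thread): check whether the NPS server holds a
# certificate that satisfies the PEAP requirements given in the answer: issued to this
# server, usable for Server Authentication, private key present, chain to a root the
# server trusts, and not expired. Run on the NPS server as an administrator.

function Test-NpsPeapCertificate {
    param(
        # FQDN NPS presents to clients; defaults to this host's own FQDN.
        [string]$ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        # Warn this many days before expiry (certificates from the CA expire in about a year).
        [int]$WarnDays = 30
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $sanOid        = '2.5.29.17'           # subjectAltName

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # Enhanced Key Usage: no EKU extension means "all purposes"; otherwise serverAuth must be listed.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $serverAuthOk = $true
        if ($ekuExt) {
            $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            $serverAuthOk = $ekuOids -contains $serverAuthOid
        }

        # Name: the subject CN or a DNS entry in subjectAltName must be the server's FQDN.
        $sanText = ''
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid } | Select-Object -First 1
        if ($sanExt) { $sanText = $sanExt.Format($false) }
        $nameOk = ($cert.Subject -match [regex]::Escape("CN=$ServerFqdn")) -or
                  ($sanText -match [regex]::Escape($ServerFqdn))

        # Chain: does this server trust the issuing CA (root present in LocalMachine\Root)?
        # Revocation checking is skipped so the check also works without CRL access.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NameMatches   = $nameOk
            ServerAuthEku = $serverAuthOk
            HasPrivateKey = $cert.HasPrivateKey
            ChainTrusted  = $chainOk
            ChainStatus   = $chainStatus
            DaysToExpiry  = $daysLeft
            ExpiresSoon   = ($daysLeft -le $WarnDays)
            UsableForPeap = ($nameOk -and $serverAuthOk -and $cert.HasPrivateKey -and $chainOk -and ($daysLeft -gt 0))
        } | Select-Object Subject, Thumbprint, NameMatches, ServerAuthEku, HasPrivateKey,
                          ChainTrusted, ChainStatus, DaysToExpiry, ExpiresSoon, UsableForPeap
    }
}

# Usage: list every machine certificate and whether NPS can use it for PEAP.
Test-NpsPeapCertificate | Format-Table -AutoSize
```

A certificate from a stand-alone CA typically shows ChainTrusted = False with ChainStatus "UntrustedRoot" until the CA's root certificate is imported into LocalMachine\Root, which is exactly the trust problem the earlier answer describes; with an Enterprise CA the root is published to domain members automatically. HasPrivateKey only says a key is associated with the certificate; if NPS still fails, check that the Network Service account has read access to that key.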

Author Comment

ID: 39228554
I have checked the GPO settings on the AD for the Domain Default Policy, and under User Configuration, Auto Enrolment settings, it has been configured to "Enrol for Certificates Automatically".

Should I disable this Auto Enrolment feature before I install this new Root Enterprise CA?
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39228560
Yes -- please do.
Do the same for Computer Configuration as well.
LVL 23

Expert Comment

ID: 39228955
I know this is not addressing an answer to the issue at hand, but this link has some good how-to videos and labs for setting up NPS


Author Closing Comment

ID: 39357297
