NPS - The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

  • Question
  • Updated 7 months ago
I have been trying to validate my computer through a NPS Windows 2012 R2 radius server but I'm failing on the following error each and every time:

Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

We have 10 domain controllers, one of them (DC-01) is the certificate authority.
The RADIUS server I'm setting up (RAD-05) is on another subnet; it has another domain controller (DC-05) that it can verify credentials against.

I currently have the following configured in NPS. I have added all possible authentication methods in the network policy settings. The selected certificate is that of our CA, the same certificate that is deployed by our domain controller to our clients.



I have activated this radius server on an Aerohive BR100 wireless policy and tried to connect using my Windows 10 Enterprise domain joined computer while logged in.

While connecting, it asks for my user & password OR a certificate. Both fail but I would like to automatically use the certificate.

This is the result in the NPS event log:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
Security ID: MYDOMAIN\MYDOMAIN-0650$
Account Name: host/MYDOMAIN-0650.MYDOMAIN.local
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAIN.local/Some/OU/Computers/MYDOMAIN-0650

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 08-EA-44-0B-13-4C:Company Name
Calling Station Identifier: 4C-34-88-3D-A1-3A

NAS:
NAS IPv4 Address: 172.18.120.1
NAS IPv6 Address: -
NAS Identifier: BR100-HOSTNAME
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name: Aerohive Branch Routing
Client IP Address: 172.18.120.1

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Domain Computers
Authentication Provider: Windows
Authentication Server: RAD-01.MYDOMAIN.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

What is causing this error? I've been searching and reading up all day but I haven't found any article that matches my .. simple .. case.

Tiele Declercq


Posted 2 years ago


Rodrigo

Can you check with the Aerohive verification tool whether the RADIUS server is working?


Tiele Declercq

When adding a 'Domain Users' network policy, I manage to get my VLAN returned in the Aerohive RADIUS test.

NPS Log states the following:

Network Policy Server granted access to a user.

User:
Security ID: MYDOMAIN\Tiele.Declercq
Account Name: MYDOMAIN\tiele.declercq
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAIN.local/Some/OU/Users/Tiele Declercq

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -

NAS:
NAS IPv4 Address: 172.18.120.1
NAS IPv6 Address: -
NAS Identifier: BR100-HOST
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: -

RADIUS Client:
Client Friendly Name: Aerohive Branch Routing
Client IP Address: 172.18.120.1

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Domain Users
Authentication Provider: Windows
Authentication Server: RAD-01.MYDOMAIN.local
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.

Quarantine Information:
Result: Full Access
Session Identifier: -

BUT, when I try to authenticate using my Windows computer, it fails with this:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: MYDOMAIN\Tiele.Declercq
Account Name: MYDOMAIN\Tiele.Declercq
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAIN.local/Some/OU/Users/Tiele Declercq

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 08-EA-44-0B-13-4C:Company Name
Calling Station Identifier: 4C-34-88-3D-A1-3A

NAS:
NAS IPv4 Address: 172.18.120.1
NAS IPv6 Address: -
NAS Identifier: BR100-HOST
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name: Aerohive Branch Routing
Client IP Address: 172.18.120.1

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Domain Users
Authentication Provider: Windows
Authentication Server: RAD-01.MYDOMAIN.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Tiele Declercq

My Windows computer tries to authenticate using EAP but it's failing to do so.. but WHY? I would suspect it has something to do with a certificate, but I'm using the CA certificate of our only CA server that is pushed to all our clients. It has the same date and everything..

Rodrigo

Is it the only PC with problems? Have you tried removing your computer from the domain and re-joining it?

Tiele Declercq

I have just tested with an iPhone using my credentials, a Windows 7 domain-joined laptop and a Windows 10 non-domain-joined laptop.

All of these devices give me the same error:
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Tiele Declercq

Problem solved.

In my EAP configuration we had selected our trusted root certificate, thinking that clients would match their certificate against this one.

Instead I had to clone the RAS certificate template on our CA and apply it to my NPS server by certificate > personal > request new... and selecting that cloned certificate template.

Matthias Schulte

Could you please give some more details about what you changed? Did you change the "Certificate issued" option in the EAP properties? We are currently using a certificate dedicated to the NPS server. The certificate is issued from a different template than the one the wireless device received.

We are currently experiencing the same issues with BlackBerry-Android devices and EAP-TLS.

Tiele Declercq

Matthias,

Be sure to use a certificate for RAS and IAS servers. This guide may help: NPS Server Certificate: Configure the Template and Autoenrollment (https://technet.microsoft.com/en-us/library/cc754198(v=ws.10).aspx)
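As an added example (not from this thread, nor from Aerohive or Microsoft), here is a PowerShell check to run on the NPS server that lists which certificates in the machine store can actually serve as the PEAP/EAP-TLS server certificate described in the "Problem solved" post and in the reply above: private key present, Server Authentication EKU, issued from an AD CS template, and a DNS name matching the server's FQDN. A root CA certificate fails these checks, which is the misconfiguration the thread resolved. The template name `RASAndIASServer` in the enrollment comment is the built-in template's name; a cloned template has whatever name you gave it.

```powershell
# Added example: find certificates usable as the NPS (RADIUS) server certificate.
# Run in an elevated PowerShell session on the NPS server.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                       # Server Authentication EKU
$TemplateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'  # v2 / v1 template extensions
$NpsFqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-NpsServerCertificate {
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid)
    }

    if (-not $candidates) {
        Write-Warning "No certificate in LocalMachine\My has a private key plus the Server Authentication EKU."
        Write-Warning "A CA/root certificate (Subject equals Issuer) cannot be used as the PEAP/EAP-TLS server certificate."
        return
    }

    foreach ($cert in $candidates) {
        # Which AD CS template issued it? Root/self-signed certs have no template extension.
        $tmplExt  = $cert.Extensions | Where-Object { $_.Oid.Value -in $TemplateOids } | Select-Object -First 1
        $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(none: not issued from an AD CS template)' }

        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            Template    = $template
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)      # True for a root CA cert: unusable here
            ChainValid  = $cert.Verify()                        # Chains to a trusted root on this host
            NameMatches = ($cert.DnsNameList.Unicode -contains $NpsFqdn)  # Clients check the server name
            Expires     = $cert.NotAfter
        }
    }
}

Test-NpsServerCertificate | Format-Table -AutoSize

# If nothing suitable is listed, enroll one from the RAS and IAS Server template (or your clone of it),
# then select it under the PEAP / EAP-TLS "Certificate issued" setting in the NPS network policy:
#   Get-Certificate -Template 'RASAndIASServer' -CertStoreLocation Cert:\LocalMachine\My
```

A row with SelfSigned = True and Template = "(none ...)" is the CA certificate from the original EAP configuration; the one NPS needs shows SelfSigned = False, ChainValid = True and NameMatches = True.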