NPS Authentication Methods - EAP Types

We are moving from IAS to NPS and are configuring the policy like it was in IAS.  When we click on the Constraints tab > Authentication Methods > and then highlight Microsoft: Protected EAP (PEAP) and click Edit we get an error "The data is invalid".  How do we fix this error?  There are no errors in the event viewer for NPS.

Hi MarkNDOR,
Thanks for posting here.
We'd suggest migrating from IAS to NPS by following the guide in the link below, rather than manually recreating all the policies. It also covers the Iasmigreader.exe utility, which transfers the IAS policies into an NPS-compatible file type:
NPS Migration Guide
http://technet.microsoft.com/en-us/library/ee791849(WS.10).aspx
Thanks.
Tiger Li

Similar Messages

  • The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server

    Wireless authentication is not working.
    I found the following on the RADIUS server:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          1/15/2014 2:07:57 AM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:     NAP01.test.local
    Description:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
     Security ID:   doamin \user.a
     Account Name:   user.a
    Client Machine:
     Security ID:   NULL SID
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  00-0F-7D-C4-45-20:staff
     Calling Station Identifier:  0C-74-C2-EF-Dd-0B
    NAS:
     NAS IPv4 Address:  192.168.9.10
     NAS IPv6 Address:  -
     NAS Identifier:   -
     NAS Port-Type:   Wireless - IEEE 802.11
     NAS Port:   497
    RADIUS Client:
     Client Friendly Name:  wcont1
     Client IP Address:   192.168.9.10
    Authentication Details:
     Connection Request Policy Name: Wireless
     Network Policy Name:  wism
     Authentication Provider:  Windows
     Authentication Server:  NAP01.test.local
     Authentication Type:  EAP
     EAP Type:   -
     Account Session Identifier:  -
     Logging Results:   Accounting information was written to the local log file.
     Reason Code:   22
     Reason:    The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
    Please help

    Hi,
    Any updates?
    In addition, this issue may also be because your client doesn't have the CA certificate of your domain. Please make sure that your client has the CA certificate.
    Besides, the error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" may be because the default maximum transmission unit that NPS uses for EAP payloads is 1500 bytes. You can lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy to a value no greater than 1344:
    Configure the EAP Payload Size
    Best regards,
    Susie

  • Apple & Windows 7 Authentication Methods Cisco 1242AP EAP

    Hi CSC Members,
    I'm pretty new to wireless (so go easy on me). My situation is that I need to be able to provide secure wireless internet access to guests with BYODs, namely Apple iPads, iPhones, Windows PCs and Apple Macs, without them being under my administrative control: I cannot add them to a domain, nor do I want to have to interact with the user and install certificates on their machines.
    I'm looking for the 'best method' to achieve this. WPA2/AES with a PSK and MAC filtering was a suggestion, but I don't really want to have to audit their MAC addresses. I'm just looking for a 'quick and dirty' secure username/password combination, I'm guessing. I'm not using a WLC, just one or possibly a couple of 1242 Autonomous APs. I don't want to have to personally enter a PSK on their machines either, as they can easily find this out and give the password to someone else, so I need to be able to change/add user accounts and user passwords centrally, NOT on their devices.
    I have an example configuration below, using the Cisco 1242AP as a local RADIUS server, WHICH WORKS for me on Apple iPads and iPhones; however, I cannot for the life of me get it to work with a Windows 7 laptop. I'm not even totally sure exactly what type of authentication I've configured (help!!), but entering the username and password on an iDevice just works! Is it EAP-FAST? My Windows 7 client doesn't seem to support EAP-FAST, only Microsoft PEAP, which I "believe" requires a certificate or some kind of machine authentication. So I'm not sure how to access this wifi network I've created using a Windows machine. I'd prefer to use a Windows 2008 NPS RADIUS server if at all possible, but I couldn't get it working with the 1242AP, hence I went for local RADIUS as a starting point.
    1) Does anyone have a sensible suggestion as to what the best solution for my needs is? (I have access to a new Windows 2008 R2 Server)
    2) How do I configure a Windows 7 machine as well as an Apple machine to authenticate to the suggested 'best' method?
    3) I'd be really grateful if someone could clarify exactly what my configuration is using for Authentication.
    Thanking you in advance for your guidance and recommendations,
    Mike
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Media_AP
    enable secret 5 $1$k3.3$QU/yBNYeOJM7BDxzRTq1g/
    aaa new-model
    aaa group server radius rad_local
    server 192.168.1.2 auth-port 1812 acct-port 1813
    aaa authentication login eap_local group rad_local
    aaa session-id common
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    ip dhcp pool Media_DHCP_Pool
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.2
    dot11 syslog
    dot11 ssid MediaCafe
       authentication open eap eap_local
       authentication network-eap eap_local
       authentication key-management wpa version 2
       guest-mode
       infrastructure-ssid
    username Cisco password 7 13261E010803
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    ssid MediaCafe
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    no dfs band block
    channel dfs
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 192.168.1.2 255.255.255.0
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    radius-server local
      no authentication mac
      nas 192.168.1.2 key 7 0505071C32444F1B1C010417081E013E
      user sky nthash 7 013150277A52525774146B5F492646375B2F277C7300716062734455335224000A
    radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key 7 11071816041A0A1E012E38212B213036
    bridge 1 route ip
    line con 0
    line vty 0 4
    end

    The best scenario for guests is to have an open SSID.  With autonomous APs you're sort of out of luck.  With the WLC you can incorporate a splash page.  That being said, you might want to look at some free hotspot software unless you want to pay for one.  Here are some free ones, but you can just search around.
    http://www.hotspotsystem.com/en/hotspot/free_hotspot_software.html
    http://www.antamedia.com/free-hotspot/
    Thanks,
    Scott

  • Cisco ISE multiple EAP authentication methods question

    With Cisco ISE can you have various clients each using different EAP methods, such as PEAP for Windows machines, MD5 for legacy and TLS for others?
    My current efforts seem to fail: if a device gets a request from the ISE for an EAP method it doesn't understand, it just times out.
    Thanks in advance.

    Multiple EAP methods work fine. If your clients are being crap you could try forcing them to use a specific set of allowed authentication methods by creating more specific authentication rules.

  • Per SSID EAP-type Authentication

    Is there a way to configure ACS 4.2 to only allow certain EAP types of authentication per SSID? For example: SSIDA only allows EAP-TLS and SSIDB only allows EAP-PEAP, on the same ACS server?
    Any help is greatly appreciated.

    You should configure a NAP (Network Access Policy). The selection factor should be "per SSID" and then for each policy you can allow different eap types.
    For the "per SSID" part, the WLC has a command to change the called-station-id to append the SSID name to the AP MAC address.

  • VWLC 802.1x NPS authentication Fails

    Hi Guys,
    Hopefully someone can help me with the following problem I'm facing...
    I've a vWLC running 7.3 deployed in our HQ site.
    At the HQ we have a W2k8 R2 NPS deployed that works fine for VPN, router and switch authentication.
    In a few remote branch offices which are connected to the HQ over DMVPN we have a couple of 3500s running in FlexConnect mode with local switching.
    These APs register just fine through the VPN link back to the vWLC.
    We deployed a few SSIDs that are bound to AP groups.
    All SSIDs that use WPA2 with PSK work fine.
    All SSIDs that use WPA2 with 802.1x fail.
    The Security Settings for the failing SSID's are:
    WPA2 Policy
    WPA2 Encryption AES
    Key Man 802.1x
    AAA Server is pointing to the right NPS for Auth and Accounting
    Radius overwrite IF is disabled
    The settings of the NPS are:
    Conditions:
    Win Group: DOMAIN\Groupxx
    NAS Port Type: Wireless - IEEE 802.11
    Settings:
    EAP Conf: Configured
    Access Perm: Granted
    EAP Method: MS PEAP
    Auth Method: EAP
    NAP Enforcement: Allow full access
    Update non-compliant: True
    Service Type: Login
    When a laptop (Mac OS 10.8) tries to connect to an 802.1x SSID it prompts for a username and passwd.
    Using DOMAIN\user + passwd the client tries to authenticate a couple of times and fails.
    On the vWLC I can see the trap:
    AAA Authentication Failure for UserName:user  User Type: WLAN USER
    At the NPS I can see:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID:                              DOMAIN\user
    Account Name:                              user
    Account Domain:                              DOMAIN
    Fully Qualified Account Name:          dom.com/OU/OU/OU/USER full name
    Client Machine:
    Security ID:                              NULL SID
    Account Name:                              -
    Fully Qualified Account Name:          -
    OS-Version:                              -
    Called Station Identifier:                    34-a8-4e-70-0b-90:test.sec
    Calling Station Identifier:                    10-40-f3-8f-ac-62
    NAS:
    NAS IPv4 Address:                    IP vWLC
    NAS IPv6 Address:                    -
    NAS Identifier: VWLC001
    NAS Port-Type:                              Wireless - IEEE 802.11
    NAS Port:                              1
    RADIUS Client:
    Client Friendly Name: vWLC001
    Client IP Address:                              IP vWLC
    Authentication Details:
    Connection Request Policy Name:          Use Windows authentication for all users
    Network Policy Name:                    Cisco WiFi
    Authentication Provider:                    Windows
    Authentication Server:                    FQDN NPS server
    Authentication Type:                    PEAP
    EAP Type:                              -
    Account Session Identifier:                    -
    Logging Results:                              Accounting information was written to the local log file.
    Reason Code:                              23
    Reason:                                        An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    Hopefully someone can point me in the right direction.
    Cheers,
    JP

    Find below the output of the debug:
    (Cisco Controller) >
    (Cisco Controller) >*Dot1x_NW_MsgTask_4: May 27 10:08:51.567: 00:21:6a:72:3c:ec apfMsRunStateInc
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Processing RSN IE type 48, length 20 for mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Received RSN IE with 0 PMKIDs from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Setting active key cache index 8 ---> 8
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 unsetting PmkIdValidatedByAp
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 apfMsAssoStateInc
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Station 10:40:f3:8f:ac:62 setting dot1x reauth timeout = 1800
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *dot1xMsgTask: May 27 10:09:41.429: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *dot1xMsgTask: May 27 10:09:41.429: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *dot1xMsgTask: May 27 10:09:41.429: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *dot1xMsgTask: May 27 10:09:41.429: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 00000000: 01 00 00 0e 02 01 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=1) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 00000000: 02 01 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000000: 02 00 00 32 01 03 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=3) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 00000000: 02 03 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Unable to send AAA message for mobile 10:40:F3:8F:AC:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 5)
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000000: 02 00 00 32 01 05 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Reached Max EAP-Identity Request retries (3) for STA 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Not sending EAP-Failure for STA 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Station 10:40:f3:8f:ac:62 setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 00000000: 01 00 00 0e 02 05 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAP Response packet with mismatching id (currentid=0, eapid=5) from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Processing RSN IE type 48, length 20 for mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Received RSN IE with 0 PMKIDs from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Setting active key cache index 8 ---> 8
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 unsetting PmkIdValidatedByAp
    *dot1xMsgTask: May 27 10:09:54.676: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
    *dot1xMsgTask: May 27 10:09:54.676: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *dot1xMsgTask: May 27 10:09:54.676: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *dot1xMsgTask: May 27 10:09:54.676: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *dot1xMsgTask: May 27 10:09:54.676: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *dot1xMsgTask: May 27 10:09:54.676: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000000: 01 00 00 0e 02 01 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=1) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000000: 02 01 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000000: 02 00 00 32 01 03 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=3) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 02 03 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Unable to send AAA message for mobile 10:40:F3:8F:AC:62
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA request requeued OK
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 AAA Message 'Timeout' received for mobile 10:40:f3:8f:ac:62
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 Filtering AAA Response with invalid Session ID - proxy state 10:40:f3:8f:ac:62-02:00
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-resp] AAA request requeued OK
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 AAA Message 'Timeout' received for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:11:11.529: 10:40:f3:8f:ac:62 Processing AAA Error 'Timeout' (-5) for mobile 10:40:f3:8f:ac:62

  • NPS Authentication Fails (Reason 16) After Migration to 2012 R2 from 2008 R2

    I'm using NPS for wired dot1x authentication and I just migrated my NPS server from 2008 R2 to 2012 R2.  When I point the network switch to start using the new 2012 R2 NPS as the RADIUS server, I get authentication failures - event 6273, reason code 16.  When I switch it back to the 2008 R2 server, it works fine.  The two servers are configured EXACTLY the same as far as I can tell - same RADIUS client config, same connection request policies, same network policies - and it should be since I used the MS prescribed migration process.  The only thing that differs is the server's certificate name used in the PEAP setup screen.
    I'm using computer authentication only, so everything is based on computer accounts and I've selected to NOT validate server credentials on the group policy.
    I've verified the shared secrets multiple times.  Both servers are domain controllers.
    Here is an example of the errors logged on the 2012 R2 server.
    ========================================
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID:            FAITHCHURCH\youthroom$
        Account Name:            host/YOUTHROOM.faithchurch.net
        Account Domain:            FAITHCHURCH
        Fully Qualified Account Name:    FAITHCHURCH\youthroom$
    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        -
        Calling Station Identifier:        44-37-E6-C0-32-CA
    NAS:
        NAS IPv4 Address:        192.168.1.1
        NAS IPv6 Address:        -
        NAS Identifier:            -
        NAS Port-Type:            Ethernet
        NAS Port:            1010
    RADIUS Client:
        Client Friendly Name:        Extreme X440
        Client IP Address:            192.168.1.1
    Authentication Details:
        Connection Request Policy Name:    Secure Wired (Ethernet) Connections 2
        Network Policy Name:        Secure Wired (Ethernet) Connections 2
        Authentication Provider:        Windows
        Authentication Server:        Sigma.faithchurch.net
        Authentication Type:        PEAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            16
        Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    ========================================

    Hi,
    Have you added the NPS server to the RAS and IAS Servers
    security group in AD DS?
    The NPS server needs permission to read the dial-in properties of user accounts during the authorization process.
    Try to add a local user on the NPS server, then test with the local user. If it works, it means that there is something wrong between NPS and DC.
    If the issue persists, it means that the configuration between NPS and NAS is wrong.
    Steven Lee
    TechNet Community Support

  • An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP).

    Hello everyone:
    I know this question has been asked in these forums quite a few times. I apologize if it is a repeat telecast, but I was not able to find a suitable solution pertaining to my problem.
    I have an AP/SM setup that is configured to get EAP-PEAP authentication from Windows 2012 Server. I have set up everything and have verified that the EAP-PEAP authentication works fine on AP/SM by getting authentication from a FreeRADIUS server. Now, when I try to get authentication from Windows Server, I am getting a reject. The Event log shows this generic message:
    Reason Code: 23
    Reason:
        An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    There is nothing obvious in the EAP logs either:
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,11,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,3,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,11,"PEAP_TEST",23,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    So, basically, the sequence is this:
    request , challenge, request , challenge, request, reject
    Any idea what might be happening?
    Thank you.

    Hi,
    Have you installed certificates on the NPS server properly? Have you selected the proper certificate in the properties of PEAP?
    Here is an article about the certificate requirements of PEAP:
    Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS
    http://support.microsoft.com/kb/814394
    If your certificate matches the requirements, you may try to reinstall the certificate by export and import.
    To export a certificate, please follow the steps below:
    Open the Certificates snap-in for a user, computer, or service.
    In the console tree under the logical store that contains the certificate to export, click Certificates.
    In the details pane, click the certificate that you want to export.
    On the Action menu, point to All Tasks, and then click Export.
    In the Certificate Export Wizard, click No, do not export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)
    Provide the following information in the Certificate Export Wizard:
    Click the file format that you want to use to store the exported certificate: a DER-encoded file, a Base64-encoded file, or a PKCS #7 file.
    If you are exporting the certificate to a PKCS #7 file, you also have the option to include all certificates in the certification path.
    If required, in Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.
    In File name, type a file name and path for the PKCS #7 file that will store the exported certificate and private key. Click Next, and then click Finish.
    To import a certificate, please follow the steps below:
    Open the Certificates snap-in for a user, computer, or service.
    In the console tree, click the logical store where you want to import the certificate.
    On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
    Type the file name containing the certificate to be imported. (You can also click Browse and navigate to the file.)
    If it is a PKCS #12 file, do the following:
    Type the password used to encrypt the private key.
    (Optional) If you want to be able to use strong private key protection, select the Enable strong private key protection check box.
    (Optional) If you want to back up or transport your keys at a later time, select the Mark key as exportable check box.
    Do one of the following:
    If the certificate should be automatically placed in a certificate store based on the type of certificate, click Automatically select the certificate store based on the type of certificate.
    If you want to specify where the certificate is stored, select Place all certificates in the following store, click Browse, and choose the certificate store to use.
    If the issue persists, you may try to re-issue the certificate.
    For a detailed procedure, you may refer to the similar thread below:
    Having issues getting PEAP with EAP-MSCHAP v2 working on Windows 2008 R2
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/c66cf0a8-24dd-4ccd-b5bb-16bd28ad8d4c/having-issues-getting-peap-with-eapmschap-v2-working-on-windows-2008-r2?forum=winserverNAP
    Hope this helps.
    Steven Lee
    TechNet Community Support
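Before exporting and re-importing, it is worth checking the server certificate against the KB 814394 requirements directly. The script below is an added example, not from the thread or from Microsoft: it lists the certificates in the NPS server's Local Computer Personal store and reports, for each, whether it has a private key, a non-empty Subject, the Server Authentication EKU, a current validity period and a chain to a trusted root; the function name, its parameters and the output fields are this example's own.

```powershell
# Added example (not from the thread or from Microsoft): check the certificates in the NPS
# server's Local Computer Personal store against the PEAP/EAP-TLS server certificate
# requirements of KB 814394 (private key present, non-empty Subject, Server Authentication
# EKU, currently valid, chains to a trusted root). Run it on the NPS server with rights to
# read the machine store; the store path and the optional thumbprint filter are parameters.

function Test-NpsPeapServerCertificate {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',  # store NPS offers certificates from
        [string]$Thumbprint                             # optional: check a single certificate
    )

    $serverAuthOid   = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $ekuExtensionOid = '2.5.29.37'           # Enhanced Key Usage extension

    $certs = Get-ChildItem -Path $StorePath
    if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }

    foreach ($cert in $certs) {
        $problems = New-Object System.Collections.Generic.List[string]

        # 1. NPS uses the private key to complete the TLS handshake, so it must be in the store.
        if (-not $cert.HasPrivateKey) { $problems.Add('no private key available') }

        # 2. The Subject must not be empty; clients compare it during server validation.
        if ([string]::IsNullOrWhiteSpace($cert.Subject)) { $problems.Add('empty Subject') }

        # 3. Enhanced Key Usage must include Server Authentication.
        $ekuRaw = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtensionOid } | Select-Object -First 1
        $hasServerAuth = $false
        if ($ekuRaw) {
            $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuRaw, $false)
            $hasServerAuth = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid
        }
        if (-not $hasServerAuth) { $problems.Add("EKU lacks Server Authentication ($serverAuthOid)") }

        # 4. Must be inside its validity period now.
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems.Add("outside validity period ($($cert.NotBefore) to $($cert.NotAfter))")
        }

        # 5. The chain must build to a root this server trusts, with online revocation checking,
        #    which is what a client doing server validation will also require.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $problems.Add("chain build failed: $status")
        }
        $chain.Reset()

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Expires       = $cert.NotAfter
            UsableForPeap = ($problems.Count -eq 0)
            Problems      = ($problems -join '; ')
        }
    }
}

Test-NpsPeapServerCertificate | Format-Table -AutoSize -Wrap
```

A certificate that shows UsableForPeap as False is the one to re-issue or replace before touching the PEAP properties again; the Thumbprint column lets you match it against the certificate selected in the PEAP settings.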

  • Which EAP Type to choose for 802.1x Wireless Policy?

    Hi everyone,
    I have a question about the recommended EAP type in a wireless policy:
    Which configuration is more secure/recommended?
    a)
    Authentication Type: PEAP
    EAP Type: EAP-MSCHAP v2
    b)
    Authentication Type: EAP
    EAP Type: Certificate
    We have a working configuration with a) and could change to b).
    Thanks,
    Andy

    Hi,
    Option a), PEAP cooperating with EAP (EAP-MSCHAP v2), is the more secure/recommended one.
    PEAP is a new member of the family of EAP protocols. To enhance both the EAP protocols and network security, PEAP provides:
    1. Protection for the EAP method negotiation that occurs between client and server through a TLS channel. This helps prevent an attacker from injecting packets between the client and the network access server (NAS) to cause the negotiation of a less secure EAP method. The encrypted TLS channel also helps prevent denial of service attacks against the IAS server.
    2. Support for the fragmentation and reassembly of messages, allowing the use of EAP types that do not provide this.
    3. Wireless clients with the ability to authenticate the IAS or RADIUS server. Because the server also authenticates the client, mutual authentication occurs.
    4. Protection against the deployment of an unauthorized wireless access point (WAP) when the EAP client authenticates the certificate provided by the IAS server. In addition, the TLS master secret created by the PEAP authenticator and client is not shared with the access point. Because of this, the access point cannot decrypt the messages protected by PEAP.
    5. PEAP fast reconnect, which reduces the delay in time between an authentication request by a client and the response by the IAS or RADIUS server, and allows wireless clients to move between access points without repeated requests for authentication. This reduces resource requirements for both client and server.
    You can choose between two EAP types for use with PEAP: EAP-MS-CHAPv2 or EAP-TLS. EAP-MS-CHAPv2 uses credentials (user name and password) for user authentication. EAP-TLS uses either certificates installed in the client computer certificate store or a smart card for user and client computer authentication. Comparatively, the second one is more secure because public key certificates provide a much stronger authentication method than those that use password-based credentials.
    Best Regards,
    Eve Wang

  • Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

    I would love some help with this issue.  I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with the Certificate authentication method with ADFS 2.0.  I have a test account set up with lab.acme.com to use the ACS.
    When I log into my site using Windows Auth, everything is great.  However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds returns me to the logon page with the error message "Authentication failed".
    I based my setup on the TechNet article
    http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
    I validated that all my certificates are valid and able to retrieve the CRL.
    I got event log ID 300:
    The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Additional Data
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)
    System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    thx
    Stef71

    This is perfectly correct. In my case I was not adding the root properly: you must add the CA and the ADFS as well, which is twice, as you can see below in my results.
    In my case it was:
    PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
    Certificate                 : [Subject]
                                    CN=domain.AD0001CA, DC=domain, DC=com
                                  [Issuer]
                                    CN=domain.AD0001CA, DC=portal, DC=com
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    22/07/2014 11:32:05
                                  [Not After]
                                    22/07/2024 11:42:00
                                  [Thumbprint]
                                    blablabla
    Name                        : domain.ad0001
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : domain.ad0001
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17164
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
    Certificate                 : [Subject]
                                    CN=ADFS Signing - adfs.domain
                                  [Issuer]
                                    CN=ADFS Signing - adfs.domain
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    23/07/2014 07:14:03
                                  [Not After]
                                    23/07/2015 07:14:03
                                  [Thumbprint]
                                    blablabla
    Name                        : Token Signing Cert
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : Token Signing Cert
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17184
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.PORTAL>

  • Authentication method for JCo connection in XSS installation

    Hi All,
    I have a query which perplexes me.  I am implementing XSS (ESS/MSS) on SAP Portal EP6 SR1 with an ECC5 backend for prototype purposes.
    When I follow SAP's help steps to setup JCo connections, it states that for the metadata connection you should use a security authentication method of 'User/Password', but for the application data connection you should use a security authentication method of 'Ticket'.
    Does anyone know why the difference in methods here?  Is it possible to use 'User/Password' for both?  Any thoughts would be appreciated.

    Hi John,
    The User-ID/Pwd method can be used to access the backend for both types of data in your scenario.
    Both the User-ID/Pwd method and logon tickets can be used to access data in the backend.
    The difference lies in the scenario in which you are accessing the back-end.
    If all your portal users are the same as the backend users then you can select the logon ticket method.
    If they are going to be different then you need the User-ID/Pwd method.
    Check the following link to get a clear picture:
    Scenario to use type of SSO
    http://help.sap.com/saphelp_ep50sp2/helpdata/en/4d/dd9b9ce80311d5995500508b6b8b11/frameset.htm
    Hope it helps.
    Regards,
    Vivekanandan

  • 802.1x EAP type not configured

    Hi, a simple 802.1x test with XP client sp2, 3560 with IOS 12.2(35)SE5 and ACS 4.1(1) build 23.
    EAP MD5 selected on the client and enabled on the ACS but I receive in ACS an authentication failure message, with Authen-Failure-Code "EAP type not configured".
    Any idea ?
    thank you in advance
    greetings

    You have to install a self-generated certificate on the ACS and enable PEAP with "Allow EAP-MSCHAPv2". We then changed the setting on our PC and managed to make it work.
    Could you do the following:
    1.) Enable full detail logging on the ACS: System Configuration -> Service Control -> Logging detail level = "FULL". Then restart the ACS services.
    2.) Enable "debug radius" together with the debugs that you already have on the switch.
    3.) If there is a sniffer (Norton SnifferPro, or the freeware Wireshark or Ethereal) on the client laptop, please start it and enable sniffing on the client interface.
    4.) Make another authentication attempt.
    5.) Generate a "package.cab" on the ACS, by running Bin\CSSupport.exe underneath the ACS installation directory.
    6.) Please send me the following information:
    a) The package.cab file,
    b) the debug output from the switch,
    c) the sniffer trace (if available).

  • Wireless Security & Authentication methods

    Hi,
    I've some experience with WLAN networks, but I would like to have your opinion around wireless security implementations.
    We have several sites where we have some Cisco access points running IOS. We are currently doing WEP 128b, with MAC authentication against a central ACS server.
    But having fixed WEP and MAC registrations is not very practical.
    Do you know about any method to have authentication against Active Directory (passing through the Cisco ACS), and Dynamic WEP Keys ?
    Any recommendation is welcome.
    Of course with this we would like to bring up our level of security.
    Thanks a lot for all,
    Best Regards,
    Jorge

    802.1x/EAP authentication is the most popular authentication method in wireless. The following documents explain how to configure EAP authentication.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a13.shtml

  • None of the available endpoints supports authentication methods user/pass

    Dear All
    I created a destination in CE 7.1, but when I test the destination in the WS Navigator it cannot run; the error is:
    The destination [YHSendMessage02] supports the following authentication methods [User Name/Password (Basic)], but none of the available endpoints supports them. The supported authentication types are [None]. Either the destination has to be updated or a new endpoint should be used
    If I test the WS in the Navigator without using the destination, it works well, so I think maybe something is wrong in my CE with the destination configuration.
    best regards

    The following message returned from SAP:
    Root of the problem is found. The problem occurs as PI WSDLs don't contain security settings. Lack of security settings breaks consumption of those services. I'm working on providing a fix to enable consumption of such services.
    Looking at a WSDL generated by PI (example):
    <wsp:Policy wsu:Id="OP_si_servicename"/>
    The policy contains no transportbinding or authentication methods at all.
    Looking at a WSDL generated by ECC (example):
    <wsp:Policy wsu:Id="BN_BN_si_ManageCustomizingCustomerService_binding">
          <saptrnbnd:OptimizedXMLTransfer uri="http://xml.sap.com/2006/11/esi/esp/binxml" wsp:Optional="true" xmlns:saptrnbnd="http://www.sap.com/webas/710/soap/features/transportbinding/"/>
          <saptrnbnd:OptimizedXMLTransfer uri="http://www.w3.org/2004/08/soap/features/http-optimization" wsp:Optional="true" xmlns:saptrnbnd="http://www.sap.com/webas/710/soap/features/transportbinding/"/>
          <wsp:ExactlyOne xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
             <wsp:All>
                <sp:TransportBinding>
                   <wsp:Policy>
                      <sp:TransportToken>
                         <wsp:Policy>
                            <sp:HttpsToken>
                               <wsp:Policy>
                                  <sp:HttpBasicAuthentication/>
                               </wsp:Policy>
                            </sp:HttpsToken>
                         </wsp:Policy>
                      </sp:TransportToken>
                      <sp:AlgorithmSuite>
                         <wsp:Policy>
                            <sp:TripleDesRsa15/>
                         </wsp:Policy>
                      </sp:AlgorithmSuite>
                      <sp:Layout>
                         <wsp:Policy>
                            <sp:Strict/>
                         </wsp:Policy>
                      </sp:Layout>
                   </wsp:Policy>
                </sp:TransportBinding>
             </wsp:All>
          </wsp:ExactlyOne>
       </wsp:Policy>
    At the moment SAP is working on a fix to solve this problem.
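The difference between the two WSDLs above can be checked mechanically before a destination is pointed at a service. The script below is an added example, not from the SAP message or the thread: it walks the outermost wsp:Policy elements of a WSDL and reports, per policy, whether a transport binding, an HTTPS token and an authentication assertion are declared, flagging the empty PI-style policy. The sample WSDL is constructed from the two fragments in the thread, and the wsp and wsu namespace URIs in it are assumptions, since the fragments do not declare them.

```powershell
# Added example (not from the SAP message or the thread): parse the wsp:Policy blocks of a
# WSDL and report, per policy, whether an HTTPS transport binding and an authentication
# assertion are declared. An empty policy (the PI-generated case above) is flagged, because a
# destination that requires Basic authentication has no endpoint it can match.
# The sample below is constructed from the two fragments in the thread; the wsp and wsu
# namespace URIs are assumptions, since the fragments do not declare them.

$sampleWsdl = @'
<definitions xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
             xmlns:saptrnbnd="http://www.sap.com/webas/710/soap/features/transportbinding/">
  <!-- constructed: PI-style policy, no transport binding or authentication method -->
  <wsp:Policy wsu:Id="OP_si_servicename"/>
  <!-- constructed: ECC-style policy requiring HTTPS with HTTP Basic authentication -->
  <wsp:Policy wsu:Id="BN_BN_si_ManageCustomizingCustomerService_binding">
    <saptrnbnd:OptimizedXMLTransfer uri="http://xml.sap.com/2006/11/esi/esp/binxml" wsp:Optional="true"/>
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:TransportBinding>
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken>
                  <wsp:Policy>
                    <sp:HttpBasicAuthentication/>
                  </wsp:Policy>
                </sp:HttpsToken>
              </wsp:Policy>
            </sp:TransportToken>
            <sp:AlgorithmSuite><wsp:Policy><sp:TripleDesRsa15/></wsp:Policy></sp:AlgorithmSuite>
          </wsp:Policy>
        </sp:TransportBinding>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
</definitions>
'@

function Get-WsdlPolicyAuthSummary {
    param([Parameter(Mandatory)][string]$WsdlXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($WsdlXml)

    # Authentication assertions WS-SecurityPolicy allows inside an HttpsToken policy.
    $authAssertions = @('HttpBasicAuthentication', 'HttpDigestAuthentication', 'RequireClientCertificate')

    # Outermost wsp:Policy elements only (the ones a binding or operation references);
    # local-name() keeps the XPath independent of the prefix/namespace a given WSDL uses.
    $policies = $doc.SelectNodes("//*[local-name()='Policy' and not(ancestor::*[local-name()='Policy'])]")

    foreach ($policy in $policies) {
        $idAttr = $policy.SelectSingleNode("@*[local-name()='Id']")
        $id = '(no Id)'
        if ($idAttr) { $id = $idAttr.Value }

        $hasTransport  = $policy.SelectNodes(".//*[local-name()='TransportBinding']").Count -gt 0
        $requiresHttps = $policy.SelectNodes(".//*[local-name()='HttpsToken']").Count -gt 0
        $auth = @()
        foreach ($name in $authAssertions) {
            if ($policy.SelectNodes(".//*[local-name()='$name']").Count -gt 0) { $auth += $name }
        }

        $authText = 'None'
        if ($auth.Count -gt 0) { $authText = $auth -join ', ' }

        if (-not $hasTransport) {
            $verdict = 'empty policy: no transport binding, so the endpoint advertises auth type None'
        } elseif ($auth.Count -gt 0) {
            $verdict = 'usable by a destination configured for ' + ($auth -join '/')
        } else {
            $verdict = 'transport binding present but no authentication assertion'
        }

        [pscustomobject]@{
            PolicyId              = $id
            HasTransportBinding   = $hasTransport
            RequiresHttps         = $requiresHttps
            AuthenticationMethods = $authText
            Verdict               = $verdict
        }
    }
}

Get-WsdlPolicyAuthSummary -WsdlXml $sampleWsdl | Format-List
```

Against a real WSDL, pass its text (for example from Get-Content -Raw) to the function; a policy reported with AuthenticationMethods of None is the one the "none of the available endpoints supports them" error refers to.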

  • None of the authentication methods supported by this client are supported by your server.

    Dear Exchange Admin,
    We have implemented Exchange Server.
    MAPI profile configuration in Outlook is working fine, and when we configure POP3 in Outlook without SMTP authentication it is fine.
    But when we enable SMTP authentication, we get the following error:
    "None of the authentication methods supported by this client are supported by your server."
    Kindly help
    Ashraf

    This worked for me today, as I had the same issue.
    I had to set encryption to TLS to get it to work, and the server names as yahoo.co.uk...
    In Outlook 2013, click File | Add Account.
    Select Manual setup or additional server types.
    Click Next.
    Select POP.
    Click Next.
    On the “Account Settings” page, enter your account settings:
    Your Name: The name you want to show when you send email.
    Email address: Your full Yahoo email address.
    Account Type: POP3
    Incoming Mail Server: pop.mail.yahoo.com
    Outgoing Mail Server: smtp.mail.yahoo.com
    User Name: Your Yahoo ID.
    Password: Your Yahoo account password.
    Leave the “Require logon using Secure Password Authentication” option unchecked.
    Click More Settings.
    Click the Outgoing Server tab.
    Select the My outgoing server (SMTP) requires authentication box.
    Click Use same settings as my incoming mail server.
    Click the Advanced tab. Enter advanced information:
    Incoming server (POP3) port: 995
    Select This server requires an encrypted connection (SSL).
    Outgoing server (SMTP) port: 465, 587, or 25
    Set the encryption type to SSL or TLS
    Set your desired server timeout and delivery options.
    - We recommend leaving a copy of messages on the server.
    Click OK.
    Restart Outlook.
    Click Send/Receive All Folders.
    You can now retrieve emails from your Yahoo Mail account in Outlook 2013.
