NPS 2012 rejects Windows 7 clients after upgrade from 2008 R2. Requested EAP methods not available

Hi folks

We have a very strange phenomenon and maybe some of you guys can help me.

We had a perfectly working Network Policy Server 2008 R2 environment. NPS was running on a Domain Controller (2K8R2)
authenticating requests from various sources (Cisco WLAN Controller, Cisco Switches, ...)

People connected to WLAN from Windows 7 computers, MacBook Pros, iPhones, Android devices, ...

Everything was working fine until we upgraded our Domain Controllers to Server 2012 (in-place upgrade)
The upgrades went smoothly and error free. Domain Controllers are stable and our domain works fine.

There is one exception: Our Network Policy Server which was upgraded to 2012 as well.

The configuration has been migrated and seems to be exactly the same as before.

The only difference is that Windows 7 clients (notebooks which are not members of the domain)
cannot authenticate anymore. On the server side I see there is an event log entry (Application):

Source: EapHost
Message: Negotiation failed. Requested EAP methods not available

- Creating the WLAN profile manually doesn't help.
- Windows 7 asks for username/password (this is what we use. no computer/user certificates).
- CA certificate is installed on these computers

The strange thing is that users with Mac Books, iPhones, Android Mobiles have no problem authenticating.
Only when they try connecting to WLAN on Windows 7 it fails.

- The NPS Policies have not changed. 
- The same Windows 7 notebooks can successfully connect to other WLANs without a problem.
   So it seems not to be a client problem.

Why should the NPS server not know the EAP methods when other devices (iPhone, Android, MacBook) can connect successfully?

In the log file I see a rejection (code 3 in the fourth field). If I do the same on my Android mobile I see code 2, which means success.

Request from Samsung Galaxy S3

"IKAWA","IAS",06/14/2013,10:00:54,1,"myuser","mydomain.local/Prod/INS/Users/Lastname, Firstname","00-08-30-00-b9-00:ins","5c-0a-5b-38-2e-60",,,"wlc","a.b.c.88",1,9,"a.b.c.88","wlc",,,19,,,2,11,"WLAN Access",0,"311 1 152.96.120.201 06/14/2013 04:13:00 4087",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,13,6,,,,"122",,,,,,,,,,,"WLAN Access",1,,,,
"IKAWA","IAS",06/14/2013,10:00:54,2,,"mydomain.local/Prod/INS/Users/Lastname, Firstname",,,,,,,,9,"a.b.c.88","wlc",,,,,,,11,"WLAN Access",0,"311 1 152.96.120.201 06/14/2013 04:13:00 4087",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,13,6,,,,"122",,,,,,,,"0x01494E534C4F43414C",,,"WLAN Access",1,,,,

Request from Windows 7 Notebook

"IKAWA","IAS",06/14/2013,10:05:17,1,"myuser","MYDOMAIN\MyUser","00-08-30-00-b9-00:ins","8c-70-5a-cd-05-e8",,,"wlc","a.b.c.88",1,9,"a.b.c.88","wlc",,,19,,,2,5,,0,"311 1 152.96.120.201 06/14/2013 04:13:00 4161",,,,"",,,,,,,,,,,,,,13,6,,,,"122",,,,,,,,,,,"WLAN Access",1,,,,
"IKAWA","IAS",06/14/2013,10:05:17,3,,"MYDOMAIN\MyUser",,,,,,,,9,"a.b.c.88","wlc",,,,,,,5,,22,"311 1 152.96.120.201 06/14/2013 04:13:00 4161",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"WLAN Access",1,,,,

This is so strange.

If anybody could help it would be great.

Regards,
Oliver

June 20th, 2013 1:27pm
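The two request/response pairs quoted in the post above can be compared field by field. The following is an added example, not part of the original thread: it parses records in that log layout, pairs each request with its response through the Class field, and flags rejects with reason code 22 (EAP type cannot be processed by the server). The field positions are read off the records in the post, the code tables are the standard NPS values, and the sample records (host, users, addresses) are constructed.

```python
import csv
import io

# 0-based field positions in the comma-separated NPS log layout shown in the post
PACKET_TYPE, USER, AUTH_TYPE, POLICY, REASON, CLASS, EAP_NAME = 4, 5, 23, 24, 25, 26, 30
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject", "11": "Access-Challenge"}
AUTH_TYPES = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAP v2", "5": "EAP", "11": "PEAP"}
EAP_TYPE_UNAVAILABLE = 22  # NPS reason code: EAP type cannot be processed by the server

# Constructed sample modelled on the four records in the post (trailing empty fields dropped)
SAMPLE = r'''
"NPS01","IAS",06/14/2013,10:00:54,1,"phoneuser","example.local/Users/Lastname, Firstname","00-00-5e-00-53-00:ins","00-00-5e-00-53-01",,,"wlc","192.0.2.88",1,9,"192.0.2.88","wlc",,,19,,,2,11,"WLAN Access",0,"311 1 192.0.2.1 06/14/2013 04:13:00 4087",,,,"Microsoft: Secured password (EAP-MSCHAP v2)"
"NPS01","IAS",06/14/2013,10:00:54,2,,"example.local/Users/Lastname, Firstname",,,,,,,,9,"192.0.2.88","wlc",,,,,,,11,"WLAN Access",0,"311 1 192.0.2.1 06/14/2013 04:13:00 4087",,,,"Microsoft: Secured password (EAP-MSCHAP v2)"
"NPS01","IAS",06/14/2013,10:05:17,1,"win7user","EXAMPLE\win7user","00-00-5e-00-53-00:ins","00-00-5e-00-53-02",,,"wlc","192.0.2.88",1,9,"192.0.2.88","wlc",,,19,,,2,5,,0,"311 1 192.0.2.1 06/14/2013 04:13:00 4161",,,,""
"NPS01","IAS",06/14/2013,10:05:17,3,,"EXAMPLE\win7user",,,,,,,,9,"192.0.2.88","wlc",,,,,,,5,,22,"311 1 192.0.2.1 06/14/2013 04:13:00 4161",,,,""
'''


def summarize(log_text):
    """Pair request and response records by their Class value and describe each outcome."""
    sessions = {}
    # csv.reader is needed because quoted fields ("Lastname, Firstname") contain commas
    for row in csv.reader(io.StringIO(log_text.strip())):
        if len(row) <= EAP_NAME:
            continue  # truncated record, skip it
        session = sessions.setdefault(row[CLASS], {})
        ptype = PACKET_TYPES.get(row[PACKET_TYPE], row[PACKET_TYPE])
        if ptype == "Access-Request":
            session["user"] = row[USER]
        elif ptype in ("Access-Accept", "Access-Reject"):
            session.update(
                result=ptype,
                reason=int(row[REASON] or 0),
                auth=AUTH_TYPES.get(row[AUTH_TYPE], row[AUTH_TYPE]),
                policy=row[POLICY] or None,   # None: no network policy was applied
                eap=row[EAP_NAME] or None,    # None: no inner EAP method was negotiated
            )
    return sessions


def eap_negotiation_failures(sessions):
    """Users whose request was rejected because no usable EAP type was offered."""
    return [s.get("user") for s in sessions.values()
            if s.get("result") == "Access-Reject" and s.get("reason") == EAP_TYPE_UNAVAILABLE]


if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key.split()[-1], info)
```

On the sample, the accepted session shows authentication type PEAP with the "WLAN Access" policy and an inner EAP method, while the rejected one stops at plain EAP with no policy name and no EAP method recorded.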

Hi Posbis,

Thank you for your question.

I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

Thank you for your understanding and support.

June 24th, 2013 3:02am

Hi,

What authentication protocols do you use on the NPS server and the client, PEAP?

Are there any events under the following path? If yes, please paste the errors here, as they're more user-friendly.

Server Manager->Diagnostics->Custom Views->Server Roles->Network Policy and Access Services

You can also try this,

SSL/TLS communication problems after you install KB 931125

http://support.microsoft.com/kb/2801679

June 24th, 2013 9:49am

Hi, thanks for helping.

1. We use PEAP

2. There are no errors under : Server Manager->Diagnostics->Custom Views->Server Roles->Network Policy and Access Services

3. The only error I see is under : Windows Logs->Application

Log Name:      Application
Source:        Microsoft-Windows-EapHost
Date:          24.06.2013 17:21:56
Event ID:      1006
Task Category: Authenticator
Level:         Information
Keywords:     
User:          SYSTEM
Computer:      ikawa.<domain>.local
Description:
Negotiation failed. Requested EAP methods not available
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-EapHost" Guid="{6EB8DB94-FE96-443F-A366-5FE0CEE7FB1C}" />
    <EventID>1006</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2013-06-24T15:21:56.492021700Z" />
    <EventRecordID>50263</EventRecordID>
    <Correlation />
    <Execution ProcessID="876" ThreadID="5024" />
    <Channel>Application</Channel>
    <Computer>ikawa.<domain>.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
  </EventData>
</Event>

4. I will have a look at the KB article you mentioned...

Regards,

Oliver

June 24th, 2013 3:26pm

Hi

I checked on "SSL/TLS communication problems after you install KB 931125"

None of the mentioned Event-IDs are logged in my System-EventLog.

Regards

Oliver

June 24th, 2013 3:36pm

Hi,

You can do this,

1. Change the shared secret of the RADIUS client(AP).

2. Issue another certificate and bind it in NPS.

3. Use PEAP-TLS to have a test.

If the steps above don't work, I suggest you create an MS support case, because such an issue needs further troubleshooting.

June 25th, 2013 10:49am

Hi folks

It seems that after a 2h debugging session we found the problems and Windows Clients can connect again. It seems that there are two factors involved in the problem:

  1. We use a custom Domain Controller Certificate (derived from the Domain Controller Certificate Template but with an additional SAN instead of the DC FQDN only). This Certificate has no "Subject Name" (only SANs). It seems that NPS Server 2012 doesn't like that and needs the Subject Name.

     But we are not 100% sure. We just see that it doesn't work with our DC Certificate (which works fine for the whole Domain Environment) and it works with the automatically enrolled one.

  2. We had two conflicting WLAN Access Rules, one under Connection Request Policies and another one under Network Policies.

     The first one was set to override the network policy (Auth Methods) but looked more or less identical, with the exception that it had the "less secure authentication methods" (MS-CHAP-v2, MS-CHAP, CHAP, PAP, SPAP) enabled in addition to EAP-PEAP, while the second one only had EAP-PEAP. So we disabled the override and changed the certificate to the auto-enrolled one and it worked again (Windows, Android, iOS, OS X).

     Could it be that the Domain Controller, after upgrading to Server 2012 (NPS is installed on the DC), rejects some of the less secure authentication methods we had checked? I mean, could it be that DC 2012 acts differently from DC 2008 R2 and this has an impact on NPS 2012?

Anyway. It works again but there is still the feeling that we don't know exactly what the roots of the problem are.
As already mentioned, this configuration worked flawlessly on Server/NPS 2008 R2. Maybe it is a bug on the 2012 product line; who knows.

Thanks for helping anyway

Regards,

Oliver

  • Marked as answer by Posbis Thursday, June 27, 2013 11:18 AM
June 27th, 2013 11:18am

I met exactly the same problem and want to confirm the solution.

Suddenly NPS stopped authenticating Win7 clients (but Win8, iOS, Android still worked). The problem was the lack of a subject name in the certificate used. Exactly as Oliver said, I used a Domain Controller certificate with SAN only. Replacing it with a certificate based on the "RAS and IAS Server" template solved the problem.

Tutorials are here:

https://technet.microsoft.com/en-us/library/cc731363%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396 

https://msdn.microsoft.com/en-us/library/cc754198.aspx?f=255&MSPPError=-2147217396


July 27th, 2015 3:27am

This topic is archived. No further replies will be accepted.
