Problem with identifying EAP failure exact reason
Hello All,

I am facing one problem when trying to detect the exact EAP-Failure reason. The EAP failure sent back from the AP just indicates that the EAP-Failure occurred but does not contain any significant information in the Data. The Deauth sent by the AP also contains a reason code which is very generic and does not help to identify any significant information.

I am looking for specific information for EAP-Failure, for diagnosis purposes. For example: EAP failed due to wrong credential entries, or auth timeout, etc.

Please assist if any of you know how to interpret such specific information for Vista.

Regards,
Anil
June 30th, 2008 3:11pm

Hello Anil,

Generally, the EAP-Failure code does not contain any information as to why the authentication failed. This is because of two reasons. One, the EAP-Failure could simply be manufactured by the AP/switch (NAS) that you are connecting to. An NAS will send an EAP-Failure if, for example, the conversation with the backend RADIUS server times out. The NAS does not know why the connection timed out, but sends the EAP-Failure to the client to close its conversation.

The other reason you will get an EAP-Failure is if the RADIUS server generated it. This can happen for quite a number of reasons and only a couple return any further reason. For example, if the client's request does not match a policy on the RADIUS server, the server will simply respond with an Access-Reject which contains the EAP-Failure. No further information is provided and you will need to look at the logs/events on the RADIUS server to determine what happened.

An example of a bad password can be determined, but is a bit more difficult. To see the EAP-Failure, I am assuming you are looking at the diagnostic logs on the client or a packet sniffer trace. Unfortunately, a sniffer trace will not be of much use, because the packets are encrypted. However, if you look at the RASCHAP.log (see kb 328601 on how to enable logging), you can see the error being returned. The reason you need to look here is because the failure is occurring at the MS-CHAP layer and not actually at the EAP layer.

So to effectively troubleshoot authentication problems, you need to determine if the EAP-Failure is coming directly from the NAS or is it a result of the RADIUS server. That should help you understand where you need to look further.

Clay Seymour - MSFT
July 1st, 2008 10:31pm
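The point made in the answer above, shown at the packet level: an added example, not part of the original thread, that decodes the RFC 3748 EAP header and shows that a Failure packet is only Code, Identifier and Length with no data field. The function names and the sample packets are constructed for illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# A few method types from the IANA EAP registry (not exhaustive).
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(packet: bytes) -> dict:
    """Decode one EAP packet (RFC 3748 section 4); hypothetical helper."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes: Code, Identifier, Length")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("Length field does not fit the captured bytes")
    body = packet[4:length]  # anything past Length is link-layer padding
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
            "type": None, "data": b""}
    if code in (1, 2):
        if not body:
            raise ValueError("Request/Response must carry a Type octet")
        info["type"] = EAP_TYPES.get(body[0], f"type {body[0]}")
        info["data"] = body[1:]
    elif code in (3, 4) and length != 4:
        raise ValueError("Success/Failure must have Length 4 (no data)")
    return info


def where_to_look(info: dict) -> str:
    """Map a decoded packet to the next diagnostic step from the thread."""
    if info["code"] == "Failure":
        return "no reason on the wire: check NAS and RADIUS server logs"
    return "not a failure"


# Constructed sample packets, not captured from a real network.
FAILURE = struct.pack("!BBH", 4, 7, 4)
PADDED_FAILURE = FAILURE + b"\x00" * 42          # padded to minimum frame size
IDENTITY_RESPONSE = struct.pack("!BBHB", 2, 1, 9, 1) + b"anil"

if __name__ == "__main__":
    for name, pkt in [("failure", FAILURE), ("padded", PADDED_FAILURE),
                      ("identity", IDENTITY_RESPONSE)]:
        decoded = parse_eap(pkt)
        print(name, decoded, "->", where_to_look(decoded))
```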

Hello Clay,

Thanks for the response. Can you please let me know where to locate Kb 326801?

In the meantime, with all my experiments I observed that EAP-Failure is always sent when there is a credential mismatch, whereas in case of Server Timeout (Radius), the AP sends a direct DeAuth. Based on this behavior, I have done the diagnosis application to find out the cause of failure.

About the MS-CHAP layer, I am not sure whether different EAPs (third party) will use it.

Regards,
Anil
July 10th, 2008 5:07pm

This topic is archived. No further replies will be accepted.
