Problem with 802.1x wired & wireless

I'm trying to set up 802.1x for both wired and wireless networks. I've built a Windows Server 2008 R2 PKI and auto-enrolled user and computer certificates.
My aim is to have both the computers and the users authenticate with the certificates. To do this, I have been defining the authentication setting as "Microsoft: Smart Card or other certificate".
However, this appears to only be working with the computer certificates. If I try to authenticate with the user certificate, I get an EAP reason code 22 (The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.)
If I modify the NPS authentication methods so that ALL possible permutations are allowed, the user can then connect BUT the log shows that the authentication method used is "Microsoft: Secured password (EAP-MSCHAP v2)". The order that I've got the methods defined in is:

Microsoft: Smart Card or other certificate
Microsoft: Protected EAP (Smart Card or other certificate)
Microsoft: Protected EAP (Secured password)

(Note that you can only add Protected EAP once - I've added the two EAP types within the properties)
If I define a Group Policy to force authentication by certificate, the client complains that it needs a certificate ... and it clearly has one!
I cannot see anything in the logs that helps me to understand why the certificate it has isn't being used.

September 6th, 2011 2:37am
I came across this thread:

http://social.technet.microsoft.com/Forums/en-CA/winserversecurity/thread/0799e45b-7ffb-4d90-b373-b962afc1d69c

and realised that I had created the user certificates with a Windows Server 2008 Enterprise template type. So I've now recreated the user certificate with a Windows Server 2003 Enterprise template type but it still authenticates using Secured Password :-(.

September 6th, 2011 3:30am
Hi,

This issue is more server related; in order to get the answer effectively, it is recommended to submit a new question in the Windows Server Forum.

The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.

Regards,
Sabrina

September 6th, 2011 10:01pm
Hi Philip -
Just FYI, EAP only provides one method of authentication per connection - in other words, you can connect with a user certificate or a computer certificate, but not both for one connection attempt. This type of dual authentication doesn't work.
Do your client computers trust the CA that issued the NPS server's certificate? For clients to trust the NPS server, they must trust the server certificate that NPS provides to the clients during the authentication process. For the clients to trust the certificate, they must have the CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer.
Hope that helps -
James McIllece

September 8th, 2011 3:14pm
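
The trust check described in the reply above, as an added example that is not part of the original thread: run on a client, it builds the chain for the NPS server certificate in the machine context and reports whether the top of that chain is in the Local Computer Trusted Root store. The export path is a hypothetical placeholder, and it assumes the server certificate (public part only) has been copied to the client.

```powershell
# Added example, not from the thread. Run on an 802.1X client.
# Assumption: the NPS server certificate (public part only) was exported to this path.
$ServerCertPath = 'C:\Temp\nps-server.cer'   # hypothetical path

$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ServerCertPath

# $true = machine context, because the reply refers to the Local Computer store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
# Revocation is skipped so the result reflects store trust only, not CRL reachability.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($serverCert)

# The last element is the top of whatever chain could be assembled.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
# Heuristic: a root CA certificate has identical Subject and Issuer.
$isSelfSigned = ($top.Subject -eq $top.Issuer)

$inRootStore = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint }).Count -gt 0

"Server certificate   : $($serverCert.Subject)"
"Top of chain         : $($top.Subject)"
"Chain builds OK      : $chainOk"
"Top is a root CA     : $isSelfSigned"
"In LocalMachine\Root : $inRootStore"

if (-not $isSelfSigned) {
    "Chain is incomplete: issuer '$($top.Issuer)' was not found on this client."
} elseif (-not $inRootStore) {
    "Root CA is not in the Local Computer Trusted Root store; import the CA certificate there."
}

# Any remaining chain problems (for example UntrustedRoot or PartialChain).
foreach ($status in $chain.ChainStatus) {
    "Chain status: $($status.Status) - $($status.StatusInformation.Trim())"
}
```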

This topic is archived. No further replies will be accepted.