OpenSSL Certificates used for NPS EAP - Reason Code 295 (CA certificates is not trusted by the policy provider)

Anonymous
2024-08-07T16:53:24+00:00

I have a customer that I am trying to get Network Policy Server working with EAP-TLS authentication for WiFi APs. I've used OpenSSL to create a CA cert (ca.crt), Server Cert (server.pfx), and Client Cert (client1.pfx) following https://blog.devolutions.net/2020/07/tutorial-how-to-generate-secure-self-signed-server-and-client-certificates-with-openssl/. When I try to connect to the WiFi SSID which is being authenticated by NPS, in the Network Policy and Access Services Event Log, I get an event ID 6273: Network Policy Server denied access to a user, Reason Code: 295 "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider."

I do have the ca.crt installed in the "Trusted Root Certification Authorities" on the client PC (Current User & Local Computer) and the NPS Server (Local Computer). The NPS Server also has the server.pfx installed while the client has the client1.pfx installed.

Any suggestions on how to get rid of the Reason Code 295? I really appreciate anyone's input!


2 answers

  1. Anonymous
    2024-08-08T07:00:57+00:00

    Hi Dave Baddorf,

    Thank you for posting in the Microsoft Community Forums.

    Below are some possible steps and suggestions for resolution:

    1. Confirm that the certificates are installed correctly

    First, make sure that all relevant certificates are properly installed in the correct storage location:

    Client PC:

    ca.crt should be installed in the "Trusted Root Certificate Authorities" store.

    client1.pfx should be installed in the "Personal" store for "Person" or "Computer", depending on whether the certificate is installed for the current user or the computer.

    NPS server:

    ca.crt should also be installed in the "Trusted Root Certificate Authorities" store.

    server.pfx should be installed in the "Personal" store on the "Computer" and make sure that the private key is available.

    2. Check the certificate chain

    Ensure that the certificate chain is complete and correct. This includes checking:

    The client certificate (client1.pfx) is issued by a CA certificate (ca.crt).

    The NPS server certificate (server.pfx) is also issued by the same CA certificate, or at least by a trusted CA.

    3. Verify the NPS configuration

    On the NPS server, check the configuration of the network policy and connection request policy to ensure that they are correctly set up for certificate validation requirements:

    Verify that NPS is configured to use EAP-TLS as the authentication method.

    Verify that the NPS is configured with the correct certificate template or certificate authority (CA) to validate client certificates.

    4. Check firewall and port settings

    Ensure that the firewall settings on the NPS server allow communication on the ports used by the RADIUS protocol (typically 1812 and 1813). Also, check for any network devices (such as routers or switches) that may be blocking communication on these ports.

    5. Viewing Event Logs and Audit Logs

    On the NPS server, review the detailed event logs in the Event Viewer, especially those related to authentication failures.

    If NPS auditing is enabled, check the audit logs for more information about authentication failures.

    6. Client and server time synchronization

    Ensure that the client and NPS server times are synchronized. Unsynchronized time may cause certificate validation to fail because the timestamp in the certificate may not be within the valid range of the current time.

    7. Reinstall or renew the certificate

    If none of the above steps resolve the problem, try reinstalling or renewing the certificate. Sometimes the certificate file may be corrupted or installed incorrectly.

    Translated with DeepL.com (free version)

    Best regards

    Neuvi Jiang

  2. Anonymous
    2024-08-08T12:05:03+00:00

    Thanks for your response, Neuvi!

    1. Yes, the certificates are installed as you recommend (I outlined this in my post)
    2. Both the client certificate and the server certificate were created with the ca.crt (openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000 -sha256 -extfile server-extensions.txt)
    3. NPS configuration is correct, I believe. I can run PEAP and it works. But my EAP TLS configuration isn't working (see event log message in my original post).
    4. NPS traffic is allowed. Otherwise, I wouldn't be seeing event logs with authentication errors.
    5. The event log is showing Reason Code 295 (CA certificates is not trusted by the policy provider)
    6. Times are synchronized
    7. I don't believe that the certificate installation in Windows is the issue.

    I am really looking for the root cause of the "Reason Code 295 (CA certificates is not trusted by the policy provider)".

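The "check the certificate chain" step in the first answer and the `openssl x509 -req ... -extfile` signing command in the reply both come down to two things you can verify offline with OpenSSL before touching Windows: does each leaf actually chain to the ca.crt you installed, and does the leaf carry the extended key usage (Server Authentication for the NPS certificate, Client Authentication for the client certificate) that the EAP-TLS role needs. The script below is an added example, not code from the thread or from the linked tutorial; it builds a throwaway lab PKI (the `lab.example` names, file names and subjects are constructed for the demo) including two deliberately bad leaves, one signed by an unrelated CA and one with no EKU, and runs the same check against all of them.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway lab PKI with
# OpenSSL and run the two checks that matter for an EAP-TLS certificate:
# (1) does the leaf chain to the CA you actually installed as trusted, and
# (2) does the leaf carry the extended key usage (EKU) that role needs.
# All names (lab.example, file names, subjects) are constructed for the demo.
set -eu

# issue DIR NAME ISSUER EXTFILE SUBJECT: CSR + sign, the same shape as the
# "openssl x509 -req ... -extfile" command used in the question.
issue() {
    dir="$1"; name="$2"; issuer="$3"; ext="$4"; subj="$5"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.crt" \
        -CAkey "$dir/$issuer.key" -CAcreateserial -out "$dir/$name.crt" \
        -days 365 -sha256 -extfile "$ext" >/dev/null 2>&1
}

# Create ca.crt, server.crt and client1.crt under $1, plus two deliberately
# bad leaves: one issued by an unrelated CA and one with no EKU at all.
build_lab_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Two independent self-signed roots; only ca.crt plays the "installed" CA.
    for root in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=Lab $root root" \
            -keyout "$dir/$root.key" -out "$dir/$root.crt" >/dev/null 2>&1
    done
    # Extension files in the style of the tutorial's server-extensions.txt.
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:nps.lab.example\n' \
        > "$dir/server-ext.txt"
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' \
        > "$dir/client-ext.txt"
    printf 'keyUsage=digitalSignature\n' > "$dir/noeku-ext.txt"
    issue "$dir" server  ca    "$dir/server-ext.txt" "/CN=nps.lab.example"
    issue "$dir" client1 ca    "$dir/client-ext.txt" "/CN=client1"
    issue "$dir" foreign other "$dir/client-ext.txt" "/CN=client-from-other-ca"
    issue "$dir" noeku   ca    "$dir/noeku-ext.txt"  "/CN=client-without-eku"
}

# check_eap_cert CA_PEM LEAF_PEM server|client
# Returns 0 when LEAF chains to CA_PEM and carries the EKU for that role,
# 1 otherwise, printing which of the two checks failed.
check_eap_cert() {
    ca="$1"; leaf="$2"; role="$3"
    case "$role" in
        server) want="TLS Web Server Authentication" ;;
        client) want="TLS Web Client Authentication" ;;
        *) echo "role must be server or client" >&2; return 2 ;;
    esac
    # Check 1: chain. A leaf signed by some other CA, or with a bad signature
    # or validity period, fails here regardless of what Windows reports.
    if ! openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        echo "FAIL: $leaf does not verify against $ca"
        return 1
    fi
    # Check 2: EKU. Match the text form of the extension that openssl prints.
    if ! openssl x509 -in "$leaf" -noout -text | grep -q "$want"; then
        echo "FAIL: $leaf has no '$want' extended key usage"
        return 1
    fi
    echo "OK: $leaf chains to $ca and has '$want'"
}

# Walk through all the lab certificates and report each one.
demo() {
    d=$(mktemp -d)
    build_lab_pki "$d"
    check_eap_cert "$d/ca.crt" "$d/server.crt"  server || true
    check_eap_cert "$d/ca.crt" "$d/client1.crt" client || true
    check_eap_cert "$d/ca.crt" "$d/foreign.crt" client || true
    check_eap_cert "$d/ca.crt" "$d/noeku.crt"   client || true
    check_eap_cert "$d/ca.crt" "$d/server.crt"  client || true
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh eap-cert-check.sh demo` to see the five verdicts. To apply `check_eap_cert` to the real files from the question, first pull the leaf out of the PKCS#12 bundle with `openssl pkcs12 -in client1.pfx -clcerts -nokeys -out client1.crt` (and likewise for server.pfx), then run `check_eap_cert ca.crt client1.crt client` and `check_eap_cert ca.crt server.crt server`. If both pass, the issuance side is sound and the remaining difference between "verifies with OpenSSL" and "trusted by the policy provider" lies in which Windows stores and NPS/EAP settings consult that CA, which is where the NPS event log, rather than OpenSSL, has to be read.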