WiFi authentication failing "A certificate could not be found that can be used with this Extensible Authentication Protocol." Certificate Authority. NPS. RADIUS.

Anonymous
2023-10-19T10:54:33+00:00

Hello all.

Issue outline

I'm struggling to get WPA2-Enterprise wifi authentication working with a local Windows Certificate Authority and Network Policy Server on a Unifi wifi network.

  • The CA is running on Windows Server 2019 Core
  • The NPS server is on Windows Server 2019 Desktop, and has RAS & IAS, Workstation Authentication and Computer certificates from the CA.
  • Clients are all Windows 10 Enterprise, 21H2 or higher, and have Workstation Authentication and Computer certificates from the CA.
  • All computers involved have the CA root certificate in the Trusted Root Certification Authorities store.
  • The NPS server is configured to use Protected EAP, identified by the RAS IAS certificate, and the policy constraints are that the computer has to be in the 'Domain Computers' group and have a certificate from the local CA.
  • Automatic enrollment with the CA is deployed to the clients via GPO.
  • The wireless profile for 'MySSID' is deployed to clients via GPO.

When trying to connect a client computer, the Windows GUI states: "Unable to connect because you need a certificate to sign in. Contact your IT support person."

The client computer WLAN-AutoConfig event log records "12013 OneXAuthentication", "11006 MsmSecurity", and "8002 AcmConnection" errors (text below).

Recorded errors

12013 OneXAuthentication

Wireless 802.1x authentication failed.
Network Adapter: Intel(R) Wi-Fi 6 AX201 160MHz
Interface GUID: {f7fff3ed-b0fd-4b54-b42e-9f5e3679664d}
Local MAC Address: 8C:C6:81:xx:xx:xx
Network SSID: MySSID
BSS Type: Infrastructure
Peer MAC Address: F0:9F:C2:xx:xx:xx
Identity: NULL
User: 
Domain: 
Reason: Explicit Eap failure received
Error: 0x80420014
EAP Reason: 0x31E
EAP Root cause String: A certificate could not be found that can be used with this Extensible Authentication Protocol.
EAP Error: 0x80420014

11006 MsmSecurity

Wireless security failed.
Network Adapter: Intel(R) Wi-Fi 6 AX201 160MHz
Interface GUID: {f7fff3ed-b0fd-4b54-b42e-9f5e3679664d}
Local MAC Address: 8C:C6:81:xx:xx:xx
Network SSID: MySSID
BSS Type: Infrastructure
Peer MAC Address: F0:9F:C2:xx:xx:xx
Reason: Explicit Eap failure received
Error: 0x80420014

8002 AcmConnection

WLAN AutoConfig service failed to connect to a wireless network.
Network Adapter: Intel(R) Wi-Fi 6 AX201 160MHz
Interface GUID: {f7fff3ed-b0fd-4b54-b42e-9f5e3679664d}
Connection Mode: Manual connection with a profile
Profile Name: MySSID
SSID: NPSecure
BSS Type: Infrastructure
Failure Reason:The specific network is not available.
RSSI: -43

NPS Server logs

The NPS server does not record any event logs, but the NPS text auditing logs contain the below:

<Event>
	<Timestamp data_type="4">10/17/2023 12:21:16.937</Timestamp>
	<Computer-Name data_type="1">NPS_SERVER</Computer-Name>
	<Event-Source data_type="1">IAS</Event-Source>
	<User-Name data_type="1">host/DEVICE.DOMAINNAME.local</User-Name>
	<NAS-IP-Address data_type="3">172.16.1.14</NAS-IP-Address>
	<NAS-Identifier data_type="1">f09fc2xxxxxx</NAS-Identifier>
	<Called-Station-Id data_type="1">f0-9f-c2-xx-xx-xx:MySSID</Called-Station-Id>
	<NAS-Port-Type data_type="0">19</NAS-Port-Type>
	<Service-Type data_type="0">2</Service-Type>
	<Calling-Station-Id data_type="1">8C-C6-81-xx-xx-xx</Calling-Station-Id>
	<Connect-Info data_type="1">CONNECT 0Mbps 802.11b</Connect-Info>
	<Acct-Session-Id data_type="1">34763C0201567A6B</Acct-Session-Id>
	<Acct-Multi-Session-Id data_type="1">B1F6D98C733F762B</Acct-Multi-Session-Id>
	<Framed-MTU data_type="0">1400</Framed-MTU>
	<Client-IP-Address data_type="3">172.16.1.14</Client-IP-Address>
	<Client-Vendor data_type="0">0</Client-Vendor>
	<Client-Friendly-Name data_type="1">AP1</Client-Friendly-Name>
	<Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name>
	<Provider-Type data_type="0">1</Provider-Type>
	<SAM-Account-Name data_type="1">DOMAIN\DEVICE$</SAM-Account-Name>
	<Fully-Qualifed-User-Name data_type="1">DOMAIN\DEVICE$</Fully-Qualifed-User-Name>
	<Class data_type="1">311 1 172.16.0.9 10/02/2023 11:39:52 44578</Class>
	<Authentication-Type data_type="0">5</Authentication-Type>
	<NP-Policy-Name data_type="1">UniFi RADIUS 2023</NP-Policy-Name>
	<Packet-Type data_type="0">1</Packet-Type>
	<Reason-Code data_type="0">0</Reason-Code>
</Event>

<Event>
	<Timestamp data_type="4">10/17/2023 12:21:16.937</Timestamp>
	<Computer-Name data_type="1">NPS_SERVER</Computer-Name>
	<Event-Source data_type="1">IAS</Event-Source>
	<Class data_type="1">311 1 172.16.0.9 10/02/2023 11:39:52 44578</Class>
	<Session-Timeout data_type="0">30</Session-Timeout>
	<Acct-Session-Id data_type="1">34763C0201567A6B</Acct-Session-Id>
	<NP-Policy-Name data_type="1">UniFi RADIUS 2023</NP-Policy-Name>
	<Authentication-Type data_type="0">5</Authentication-Type>
	<Client-IP-Address data_type="3">172.16.1.14</Client-IP-Address>
	<Client-Vendor data_type="0">0</Client-Vendor>
	<Client-Friendly-Name data_type="1">AP1</Client-Friendly-Name>
	<Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name>
	<Provider-Type data_type="0">1</Provider-Type>
	<SAM-Account-Name data_type="1">DOMAIN\DEVICE$</SAM-Account-Name>
	<Fully-Qualifed-User-Name data_type="1">DOMAIN\DEVICE$</Fully-Qualifed-User-Name>
	<Packet-Type data_type="0">11</Packet-Type>
	<Reason-Code data_type="0">0</Reason-Code>
</Event>

Additional

Things I've already tried:

  • Re-issuing certificates to NPS server and client computers
  • Removing and re-creating NPS connection policy from scratch
  • Selecting the Workstation Authentication for the NPS service, rather than the RAS/IAS certificate
  • Confirming that the certificates have the correct OIDs for Server and Client authentication
  • Confirming that the client certificates include the DNS name in the subjectAltName field
  • Disabling verification of the server certificate in the Wireless profile (via GPO)
  • Many gpupdate refreshes and reboots

Can anyone help me figure out what is going wrong? I've used this same setup at another site and it's worked correctly.


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

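An added client-side diagnostic, not part of the original question or answer: run elevated on a failing Windows 10 client, it checks every certificate in the machine store against the conditions EAP requires before it will offer one for PEAP/EAP-TLS computer authentication (private key present, within validity, Client Authentication EKU, chain to a trusted root, DNS name matching the machine FQDN), and then dumps the deployed profile. The profile name 'MySSID' is taken from the post; the FQDN lookup and the template-extension parsing are this example's own assumptions.

```powershell
# Added diagnostic (not from the original post). Run elevated on the failing Windows 10
# client. For every certificate in the machine store it reports whether EAP could use it
# for PEAP/EAP-TLS computer authentication, and if not, why.
# Assumptions: 'MySSID' is the profile name from the post; the FQDN lookup and the
# template-extension parsing are this example's own choices.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'                           # Client Authentication EKU
$ProfileName   = 'MySSID'
$Fqdn          = [System.Net.Dns]::GetHostEntry('').HostName   # local machine FQDN

function Test-EapClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    if (-not $Cert.HasPrivateKey)       { $problems += 'no private key' }
    if ($Cert.NotAfter  -lt (Get-Date)) { $problems += 'expired' }
    if ($Cert.NotBefore -gt (Get-Date)) { $problems += 'not yet valid' }
    # EAP only offers certificates whose EKU includes Client Authentication.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    if ($ekus -notcontains $ClientAuthOid) { $problems += 'EKU lacks Client Authentication' }
    # The chain must build to a root in LocalMachine\Root. Revocation is skipped here to
    # separate trust problems from CRL reachability; rerun with 'Online' to test the CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
    # PowerShell's DnsNameList property collects the CN and the SAN DNS names.
    $names = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names -notcontains $Fqdn) { $problems += "no DNS name matching $Fqdn" }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        Template   = ($Cert.Extensions |
            Where-Object { $_.Oid.FriendlyName -eq 'Certificate Template Information' } |
            ForEach-Object { $_.Format($false) })
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-EapClientCert $_ } | Format-List

# Check the deployed profile: EAP type and whether it authenticates as machine or user.
netsh wlan show profile name="$ProfileName"
```

If no certificate comes back with Usable = True, the Problems column names the condition that EAP reason 0x31E is tripping over; if one does, compare the profile's EAP settings and the NPS policy's expected certificate purpose instead.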

1 answer

Anonymous
2023-10-20T08:18:38+00:00

Hello Andy,

The event logs you provided indicate that the authentication is encountering problems, but they do not provide specific error messages or root causes.

And I've noticed you've already taken several important steps in troubleshooting the issue, including re-issuing certificates, reconfiguring NPS policies, verifying certificate OIDs, and more. Given the complexity of the issue, it's possible that the root cause may lie in a combination of factors, including client-side configurations, NPS server settings, network policies, and access point configurations.

You might consider in-depth analysis of client-side logs and network packet captures.

Regards,

Karlie
