DarMar-8420 asked CandyLuo-MSFT answered

NPS - PEAP - certificate authentication failure

Hi,

I have configured an NPS server in Server 2019 standard.

PEAP/Secured password (EAP-MSCHAP v2) is working perfectly.
PEAP/Smart card or other certificate is not working.

The test client workstation has the correct new domain computer/user CA certificate installed and NPS server has the correct CA certificates installed and is enabled to perform domain authentication.

Does anyone have any ideas what might be the problem?

Here is an example of NPS server log:

<Event><Timestamp data_type="4">04/06/2021 10:42:53.944</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Service-Type data_type="0">2</Service-Type><Framed-MTU data_type="0">9198</Framed-MTU><Called-Station-Id data_type="1">00-62-EC-18-CD-81</Called-Station-Id><Calling-Station-Id data_type="1">54-EE-75-31-24-20</Calling-Station-Id><Framed-IP-Address data_type="3">172.18.110.3</Framed-IP-Address><NAS-IP-Address data_type="3">172.18.114.2</NAS-IP-Address><NAS-Port-Id data_type="1">GigabitEthernet1/0/1</NAS-Port-Id><NAS-Port-Type data_type="0">15</NAS-Port-Type><NAS-Port data_type="0">50101</NAS-Port><Client-IP-Address data_type="3">172.18.114.2</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">Switch</Client-Friendly-Name><Cisco-AV-Pair data_type="1">method=dot1x</Cisco-AV-Pair><Cisco-AV-Pair data_type="1">service-type=Framed</Cisco-AV-Pair><Cisco-AV-Pair data_type="1">audit-session-id=0A9C2582000010E46DA2F630</Cisco-AV-Pair><User-Name data_type="1">host/test500.DOMAIN.com</User-Name><Proxy-Policy-Name data_type="1">CERTIFIKAT</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">DOMAIN\TEST500$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">DOMAIN\TEST500$</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">Copy of Certifikat - TEST</NP-Policy-Name><Class data_type="1">311 1 172.18.66.62 04/05/2021 08:54:19 1589</Class><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

<Event><Timestamp data_type="4">04/06/2021 10:42:53.944</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 172.18.66.62 04/05/2021 08:54:19 1589</Class><Session-Timeout data_type="0">60</Session-Timeout><NP-Policy-Name data_type="1">Copy of Certifikat - TEST</NP-Policy-Name><Client-IP-Address data_type="3">172.18.114.2</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">Switch</Client-Friendly-Name><Authentication-Type data_type="0">5</Authentication-Type><Proxy-Policy-Name data_type="1">CERTIFIKAT</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">DOMAIN\TEST500$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">DOMAIN\TEST500$</Fully-Qualifed-User-Name><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

windows-server-2019
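A small parser for the IAS-format log lines shown above, added here as an example and not part of the question or of NPS itself: it groups rows by the Class attribute (the per-conversation identifier NPS writes on every row) and reports conversations that end without an Access-Accept or Access-Reject, which is exactly the pattern the two rows above show (Request, Challenge, then nothing; Reason-Code 0 on those rows only means NPS had not failed the request at that point). The sample data is the two events from the question, trimmed to the attributes used, plus a constructed Access-Reject for a second, hypothetical host so both outcomes appear.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# RADIUS Packet-Type codes (RFC 2865) as NPS writes them to the IAS-format log.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
FINAL_TYPES = {2, 3}  # only these end an authentication conversation

# Constructed sample log: the two events from the question (trimmed) plus a
# constructed Access-Reject for a hypothetical second host (Class ending in 1590).
SAMPLE_LOG = r"""
<Event><Timestamp data_type="4">04/06/2021 10:42:53.944</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">host/test500.DOMAIN.com</User-Name><SAM-Account-Name data_type="1">DOMAIN\TEST500$</SAM-Account-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">Copy of Certifikat - TEST</NP-Policy-Name><Class data_type="1">311 1 172.18.66.62 04/05/2021 08:54:19 1589</Class><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">04/06/2021 10:42:53.944</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Class data_type="1">311 1 172.18.66.62 04/05/2021 08:54:19 1589</Class><Session-Timeout data_type="0">60</Session-Timeout><NP-Policy-Name data_type="1">Copy of Certifikat - TEST</NP-Policy-Name><SAM-Account-Name data_type="1">DOMAIN\TEST500$</SAM-Account-Name><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">04/06/2021 10:43:10.101</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">host/other.DOMAIN.com</User-Name><Class data_type="1">311 1 172.18.66.62 04/05/2021 08:54:19 1590</Class><NP-Policy-Name data_type="1">Copy of Certifikat - TEST</NP-Policy-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
"""


def parse_events(text):
    """Return one dict per <Event> line, mapping attribute name to its text value."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("<Event>"):
            root = ET.fromstring(line)
            events.append({child.tag: child.text for child in root})
    return events


def session_outcomes(events):
    """Group events by the Class attribute (NPS's per-conversation id) and
    record the packet sequence plus the final Accept/Reject, if one was logged."""
    sessions = defaultdict(lambda: {"user": None, "policy": None, "packets": [],
                                    "final": None, "reason": None})
    for ev in events:
        s = sessions[ev.get("Class", "<no Class>")]
        s["user"] = s["user"] or ev.get("User-Name") or ev.get("SAM-Account-Name")
        s["policy"] = s["policy"] or ev.get("NP-Policy-Name")
        ptype = int(ev.get("Packet-Type", 0))
        s["packets"].append(PACKET_TYPES.get(ptype, f"type-{ptype}"))
        if ptype in FINAL_TYPES:
            s["final"] = PACKET_TYPES[ptype]
            s["reason"] = int(ev.get("Reason-Code", 0))
    return dict(sessions)


def incomplete_sessions(sessions):
    """Conversations that saw Request/Challenge but never an Accept or Reject:
    NPS did not reject the client, the EAP exchange simply stopped."""
    return sorted(k for k, s in sessions.items() if s["final"] is None)


if __name__ == "__main__":
    outcomes = session_outcomes(parse_events(SAMPLE_LOG))
    print("stalled conversations:", incomplete_sessions(outcomes))
```

Run it against a real nps.log: a stalled conversation points at the TLS/certificate step (supplicant or server not completing the PEAP tunnel), while an Access-Reject with a non-zero Reason-Code points at a policy or credential decision NPS actually made.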

Please check the event ID in NPS event log and post the exact error message for us to do troubleshooting.


Unfortunately there are no events in Event Viewer, only in the nps.log file.

In Network Monitor I can see that there are some EAP:Request and EAP:Response packets. After some time I get an "Authentication failed" error on the client workstation.

Regards.


1 Answer

CandyLuo-MSFT answered

Hi,

It is hard for us to do troubleshooting if there is no specific event/error about the problem. In such a case, we need to trace and monitor logs to analyze the cause. However, analysis of logs is beyond our forum support level and, due to forum security policy, we have no channel to collect user log information. So, we recommend you open a case with MS Professional tech support service; they will help you open a phone or email case with Microsoft, so that you get technical support on a one-to-one basis while protecting privileged information.

Here is the link:

https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

Best Regards,
Candy


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
