Event ID 15514 — Wired Network Authentication
Applies To: Windows Server 2008 R2
Wired Network Authentication consists of the 802.1X-based authentication settings that are applied to network adapters. The settings are required to connect to a specific IEEE 802.3 Ethernet network on which 802.1X authentication is performed.
Event Details
Product: | Windows Operating System |
ID: | 15514 |
Source: | Microsoft-Windows-Wired-AutoConfig |
Version: | 6.1 |
Symbolic Name: | Result802_1XEventFailureDesc |
Message: | Wired 802.1X Authentication failed. %tNetwork Adapter: %2 %tInterface GUID: %1 %tPeer Address: %3 %tLocal Address: %4 %tConnection ID: %5 %tIdentity: %6 %tUser: %7 %tDomain: %8 %tReason: %9 %tReason Text: %10 %tError Code: %11 |
Resolve
Correct 802.1X authentication failed errors
"802.1X Authentication failed" errors
A reason code is used to identify a known condition that is responsible for triggering a specific event. Each reason code has a corresponding Event log message. In some cases, multiple reason codes are linked to one event, and any one condition with an associated reason code can result in a reported event. The following lists provides the Reason Codes, Event log messages and # Def names corresponding to each condition that can trigger Event. "# def name" codes are provided because they can be useful, if you are working with Microsoft Customer Service and Support personnel. Following this list, there is prescriptive guidance for each Reason Code that is marked with an asterisk (*).
Note: For the most current list of reason codes and their associated meanings, see WLAN_REASON_CODE on the Web at https://go.microsoft.com/fwlink/?LinkId=99529.
Reason Codes, Event log messages, and #def names associated with this event:
- Reason code: 327681 Event log message: The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to “User” but no user is logged on.] # def name: ONEX_UNABLE_TO_IDENTIFY_USER
- *Reason code: 327682 Event log message: The EAP module was unable to acquire an identity for the user. [An example is when EAP-TLS is used with user authentication and the user’s certificate store has no certificate.] # def name: ONEX_IDENTITY_NOT_FOUND
- *Reason code: 327683 Event log message To proceed with authentication, the 802.1X module needs to display a user interface, but the user interface is disabled. [An example is when automatic machine authentication is enabled.] # def name: ONEX_UI_DISABLED
- Reason code: 327684 Event log message: An error occurred when the 802.1X module was unable to display a user interface for authentication. [An example is when the networking system tray icon is disabled.] # def name: ONEX_UI_FAILURE
- Reason code: 327685 Event log message: The EAP module returned an error code. # def name: ONEX_EAP_FAILURE_RECEIVED
- Reason code: 327686 Event log message: The peer with which the 802.1X module was negotiating is no longer present. # def name: ONEX_AUTHENTICATOR_NO_LONGER_PRESENT
- Reason code: 327687 Event log message: No response was received to an EAP identity response packet. # def name: ONEX_NO_RESPONSE_TO_IDENTITY
- Reason code: 327688 Event log message: The 802.1x module does not support this version of the profile. # def name: ONEX_PROFILE_VERSION_NOT_SUPPORTED
- *Reason code: 327689 Event log message: The length member specified in the 802.1x profile is invalid. # def name: ONEX_PROFILE_INVALID_LENGTH
- Reason code: 327690 Event log message: The EAP type specified in the 802.1x profile is not allowed for this media. [An example is when the keyed MD5 algorithm is used for wireless transmission.] # def name: ONEX_PROFILE_DISALLOWED_EAP_TYPE
- *Reason code: 327691 Event log message: The EAP type or EAP flags specified in the 802.1X profile are invalid. [An example is when EAP type is not installed on the system.] # def name: ONEX_PROFILE_INVALID_EAP_TYPE_OR_FLAG
- *Reason code: 327692 Event log message: The 802.1X flags specified in the 802.1X profile are invalid. # def name: ONEX_PROFILE_INVALID_ONEX_FLAGS
- *Reason code: 327693 Event log message: One or more timer values specified in the 802.1X profile is out of its valid range. # def name: ONEX_PROFILE_INVALID_TIMER_VALUE
- *Reason code: 327694 Event log message: The supplicant mode specified in the 802.1X profile is invalid. # def name: ONEX_PROFILE_INVALID_SUPPLICANT_MODE
- *Reason code: 327695 Event log message: The authentication mode specified in the 802.1X profile is invalid. # def name: ONEX_PROFILE_INVALID_AUTH_MODE
- *Reason code: 327696 Event log message: The EAP connection properties specified in the 802.1X profile are invalid. # def name: ONEX_PROFILE_INVALID_EAP_CONNECTION_PROPERTIES
Correcting Reason code: 327682: The EAP module was unable to acquire an identity for the user
Configure authentication mode for "User re-authentication," and then refresh Group Policy.
To perform these procedures, you must be logged on by using an Administrator account, or you must have been delegated the appropriate authority.
- Click Start, and then click Server Manager.
- In the left pane of Server Manager, click Features, and then in the details pane, in Features Summary, click Add Features. The Add Features Wizard opens.
- In Select Features, in Features, select Group Policy Management, and then click Next.
- In Confirm Installation Selections, click Install.
- In Installation Results, review the information, and then click Close.
- Click Start, type gpmc.msc in Start Search, and the press ENTER. The Group Policy Management Console opens.
- In the left pane, double-click your forest. For example, Forest: example.com.
- Double-click Domains, and then do one of the following:
- To manage the default Group Policy for the domain. Double-click the domain that contains the default Group Policy object (GPO) that you want to manage, right-click the GPO you want to manage, and then click Edit.
- To link an existing Group Policy object. Click Link to an Existing GPO, in Look in this domain, select the domain, and in Group Policy objects, select the GPO you want to manage, and then click OK.
- In Group Policy Management Editor, in the left pane, double-click Windows Settings, double-click Security Settings, and then select Wired Network (IEEE 802.3) Policies.
- In the details pane, right-click your GPO, and then click Properties.
- On the Security tab, in Authentication Mode, select User re-authentication, and then click OK.
- At a command prompt, type gpupdate, and then press ENTER, to refresh Group Policy.
Correcting Reason code: 327683To proceed with authentication, the 802.1X module needs to display a user interface, but the user interface is disabled
Enable Single Sign On
To perform this procedure, you must be logged on by using an Administrator account, or you must have been delegated the appropriate authority.
- Click Start, and then click Server Manager.
- In the left pane of Server Manager, click Features, and then in the details pane, in Features Summary, click Add Features. The Add Features Wizard opens.
- In Select Features, in Features, select Group Policy Management, and then click Next.
- In Confirm Installation Selections, click Install.
- In Installation Results, review the information, and then click Close.
- Click Start, type gpmc.msc in Start Search, and the press ENTER. The Group Policy Management Console opens.
- In the left pane, double-click your forest. For example, Forest: example.com.
- Double-click Domains, and then do one of the following:
- To manage the default Group Policy for the domain. Double-click the domain that contains the default Group Policy object (GPO) that you want to manage, right-click the GPO you want to manage, and then click Edit.
- To link to an existing Group Policy object. Click Link to an Existing GPO, in Look in this domain, select the domain, and in Group Policy objects, select the GPO you want to manage, and then click OK.
- In Group Policy Management Editor, in the left pane, double-click Windows Settings, double-click Security Settings, and then select Wired Network (IEEE 802.3) Policies.
- In the details pane, right-click your policy, and then click Properties.
- On the Security tab, in Authentication Mode, select User re-authentication, and then click Advanced. The Advanced tab opens.
- In Single Sign On, select Enable Single Sign On for this network, and then select Allow additional dialogs to be displayed during Single Sign On.
- Click OK to save the settings.
Correcting other ONEX_PROFILE_INVALID-based errors for:
- Reason code: 327689 The length member specified in the 802.1x profile is invalid.
- Reason code: 327691 The EAP type or EAP flags specified in the 802.1X profile are invalid.
- Reason code: 327692 The 802.1X flags specified in the 802.1X profile are invalid.
- Reason code: 327693 One or more timer values specified in the 802.1X profile is out of its valid range.
- Reason code: 327694 The supplicant mode specified in the 802.1X profile is invalid.
- Reason code: 327695 The authentication mode specified in the 802.1X profile is invalid.
- Reason code: 327696 The EAP connection properties specified in the 802.1X profile are invalid.
For computers already configured with Wired Network (IEEE 802.3) Policies, Group Policy is applied for the Wired AutoConfig service when the computer is started, and whenever an updated policy is downloaded. If Group Policy is updated on the server while the computer is turned off, the last known policy (which might be stale) is immediately applied when the computer is started. If the 802.1X settings on the computer authorize the computer for network access, updated policies are downloaded and applied when the computer connects to the network, prior to user authentication. If 802.1X settings on the computer cannot authorize computer network access at startup, then application of updated policies occurs immediately after user authentication.
Correction for these errors involves a three-step process:
- Log on to a computer that has a valid profile, use the netsh lan export profile command to save the valid profile to portable media, such as a universal serial bus (USB) flash drive. Use the section, named "Export a valid profile", to export the profile so that it can be imported into another computer.
- Log on to the computer that has the invalid profile, connect the portable media with the valid profile, then use the netsh lan add profile command to overwrite the invalid profile with the valid profile. Use the section, named "import a valid profile", to import the profile.
- On the computer with the updated profile, run the gpupdate command to refresh Group Policy settings. import a valid profile. Use the section, named "Run the gpupdate command to refresh Group Policy" to refresh Group Policy
The following procedures provide the series of instructions required to complete the three-step corrective process.
To perform these procedures, you must be logged on by using a local computer Administrator account, or you must have been delegated the appropriate authority. If you are not logged on using an account that belongs to the Administrators group, you must be able to supply administrator credentials, in order to run the command prompt as administrator.
For more information, see Netsh Commands for Wired Local Area Network (LAN) on the Web at https://go.microsoft.com/fwlink/?LinkId=81754.
Export a valid profile
- Log on to a computer that has a valid profile, click Start, click All Programs, and then click Accessories.
- Right-click Command Prompt, and then click Run as administrator, to run the command prompt as administrator.
- At the command prompt, type netsh, press ENTER, type lan, and then press ENTER.
- Run the netsh lan export profile command as follows:
Netsh lan "export profile" syntax:
- export profile folder=PathAndFileName [[interface=]InterfaceName]
Netsh lan "export profile" command example:
- export profile folder="c:\Users\user\Documents\profile1.xml" interface="Local Area Connection"
Parameters
- folder Required. Specifies the path and file name for the profile XML file.
- interface Optional. Specifies the name of the interface on which the profile is configured.
Remarks
- The folder parameter must specify an existing folder that is accessible from the local computer.
- The path can be either an absolute path or relative path to the current working directory. In addition, "." refers to the current working directory, and ".." refers to the parent directory of the current working directory.
- The folder name cannot be a Universal Naming Convention (UNC) path.
- If the interface parameter is specified, only the specified profile associated with that interface is exported. Otherwise all profiles on the computer with the specified name are exported.
- Profiles of specified interfaces are saved in the format "InterfaceName ProfileName.xml." Profiles at the computer level are saved in the file name format "ProfileName.xml."
- There is wildcard support for this parameter. You can use the characters ? and * to replace a letter and letters of the interface name, respectively.
Import a profile
- Log on the computer that has the invalid profile, click Start, click All Programs, and then click Accessories.
- Right-click Command Prompt, and then click Run as administrator, to run the Command Prompt as administrator.
- At the command prompt, type netsh, press ENTER, type lan, and then press ENTER.
- Run the netsh lan add profile command as follows:
Netsh lan "add profile" syntax:
- add profile filename=PathAndProfileName interface=InterfaceName
Netsh lan "add profile" example:
- add profile filename="C:\Users\WiredUser\Documents\profile1.xml" interface="Local Area Connection"
Parameters
- filename Required. Specifies the path and name of the XML file containing the profile data.
- interface Required. Specifies the name of the interface on which the profile will be set.
Remarks
- The interface parameter specifies one of the interface names shown by the netsh lan show interface command.
- The profile will be added to the specified interface.
- There is wildcard support for this parameter. You can use the characters ? and * to replace a letter and letters of the interface name, respectively.
Run the gpupdate command to refresh Group Policy
- On the computer with the updated profile, click Start, click All Programs, and then click Accessories.
- Right-click Command Prompt, and then click Run as administrator, to run the command prompt as administrator.
- At the command prompt, type gpupdate and then press ENTER.
- Ensure that the output of the command says "User Policy update has completed successfully" and "Computer Policy update has completed successfully"
Verify
Verify 802.1X wired security settings are applied
There are two methods to verify that wired security settings are applied:
To perform these procedures, you must be logged on by using an Administrator account, or you must have been delegated the appropriate authority.
- Verify wired security settings by using the netsh lan command
- Verify wired security settings by using the status of a local area connection
Verify wired security settings by using the netsh lan command
To verify wired security settings by using the netsh lan command
- Click Start, and in Start Search, type cmd, and then press ENTER.
- At the command prompt, type netsh lan show interfaces.
- If 802.1X is configured on the network adapter, the command returns a result indicating that 802.1X security settings are applied.
Verify wired security settings by using the status of a local area connection
To verify wired security settings by using the status of a local area connection
- Click Start, click Control Panel, and then click Network and Internet.
- Click Network and Sharing Center, and then in Tasks, click Manage network connections.
- Right-click the local area connection, select Properties, and then select the Authentication tab.
- If 802.1X is configured on the network adapter, Enable IEEE 802.1X authentication is selected, but blocked from user modification.