Tuesday, June 12, 2012

A certificate could not be found that can be used with this EAP when configuring 802.1x on NPS

I was running the default 802.1x wizard to configure a new RADIUS server on Windows Server 2008 R2. I got an error prompt, "A certificate could not be found that can be used with this Extensible Authentication Protocol", as shown below:

But when I ran the cert manager, I saw a computer certificate! So what's wrong?! It's the template. Most of the time, we configure auto-enrollment for machines based on the Computer template. This time, you'll need the "RAS and IAS Server" template. Rather than auto-enrollment, you may want to perform a manual cert enrollment for the NPS server. Hence, I duplicated a new NPS server template from the "RAS and IAS Server" template. And yes, you'll also need to register the NPS server in AD using the "netsh ras add registeredserver" command. Ensure that the NPS server is a member of the "RAS and IAS Servers" security group in AD.

To further ensure that the NPS server is using the "correct" cert, click "edit" on the PEAP or EAP-TLS authentication method and verify the cert as follows:

In summary (click for detailed step-by-step guide):
  1. Register the NPS server 
  2. Enroll a new cert based on "RAS and IAS Server" template
  3. Excellent link for NAP with 802.1x troubleshooting
  4. Setting up & verifying NAP CA to issue health certificates
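A scripted version of the certificate check described above, as an added example that is not part of the original post: it lists each certificate in the NPS server's computer store with the template it was enrolled from and the basic properties a TLS server certificate needs (private key, Server Authentication EKU, validity period), then shows the AD registration status. `Get-NpsCertCandidate` is a hypothetical helper name, and the `Candidate` flag covers only these three checks.

```powershell
# Added example (not from the original post). Get-NpsCertCandidate is a hypothetical helper name.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU
$templateOids  = @(
    '1.3.6.1.4.1.311.21.7',               # Certificate Template Information (v2 and later templates)
    '1.3.6.1.4.1.311.20.2'                # Certificate Template Name (v1 templates)
)

function Get-NpsCertCandidate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Read the EKU OIDs from the extension itself (works on PowerShell 2.0).
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        # The template extension shows which template the certificate was enrolled from.
        $tmplExt  = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
        $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

        $hasServerAuth = $ekuOids -contains $serverAuthOid
        $inValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Template      = $template
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = $hasServerAuth
            InValidity    = $inValidity
            Candidate     = $cert.HasPrivateKey -and $hasServerAuth -and $inValidity
        }
    }
}

# Run from an elevated prompt on the NPS server.
Get-NpsCertCandidate |
    Select-Object Subject, Template, HasPrivateKey, ServerAuthEku, InValidity, Candidate, Thumbprint |
    Format-List

# Shows whether this server is registered in Active Directory.
netsh ras show registeredserver
```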

1 comment:

  1. There are many techniques which people are using to secure and protect their data. Some people use coding on the note pad file which creates an encrypted folder in which they can keep their important data and lock it with a password, but the crackers are far cleverer, they know how to break that coding and how to crack that password, it isn't at all secure to protect your data with this trick.