With recent Windows updates and Cisco WAP4410N firmware updates, our Microsoft PEAP authentication started failing to our Windows wireless clients using WPA2-Enterprise security on the Wireless Access Point (WAP).
I tried the usual solutions: making sure that the Microsoft NPAS / NPS / RADIUS (aka IAS) server was using a valid SSL server certificate for PEAP, and verifying that the client computers trust the CA that issued the RADIUS server certificate. All of those were correct, and yet I was still getting errors for all Windows clients trying to connect. Apple iOS devices were connecting successfully, which added to my confusion about which component might be causing the problem.
Finally I found a blog entry online listing the same problem and a Microsoft Knowledge Base (KB) article with a suggested fix (registry setting change). The article mentions Windows 2003, but I can verify that the same problem and solution apply to Server 2008 R2 as well. Read the KB article here: Clients cannot make connections if you use IAS in Windows Server. Many thanks to Eddie’s Blog for posting this solution over at: Troubleshoot PEAP Authentication (eddielublog.blogspot.com).
The registry fixes are located under the key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, using the values SendTrustedIssuerList and EventLogging. The event log change requires a system reboot, and SCHANNEL logs show up under the “Administrative Events” view in 2008 R2. After assigning SendTrustedIssuerList a value of 0, I restarted the “Network Policy Server” (NPS/RADIUS) service to make sure the change was active. The next authentication attempt on the WAP was successful :-).
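The steps above, as an added PowerShell example that is not from the original post or the KB article: it records the current SCHANNEL values, sets SendTrustedIssuerList to 0, restarts NPS, and then looks for the Event ID 6273 / Reason Code 266 failures described below so you can confirm they stop. It assumes an elevated prompt on the NPS server and that the NPS service is registered under the service name IAS (the name Windows uses for Network Policy Server).

```powershell
# Added example (not part of the original post). Run as Administrator on the NPS server.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Record the current values before touching anything; either value may be absent.
$before = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
foreach ($name in 'SendTrustedIssuerList', 'EventLogging') {
    if ($before -and $before.PSObject.Properties[$name]) {
        "{0} before: {1}" -f $name, $before.$name
    } else {
        "{0} before: <not set>" -f $name
    }
}

# Apply the fix from the post: stop Schannel sending the trusted issuer list during
# the PEAP TLS handshake. This is the only value the post changes to fix the failure.
New-ItemProperty -Path $key -Name 'SendTrustedIssuerList' -PropertyType DWord `
    -Value 0 -Force | Out-Null

# Restart NPS so the change is active for the next authentication attempt.
# Assumption: the service name is 'IAS' (display name "Network Policy Server").
Restart-Service -Name 'IAS'
"NPS service state: {0}" -f (Get-Service -Name 'IAS').Status

# Check the Security log for the symptom described in the post: NPS audit-failure
# event 6273 whose message carries Reason Code 266. Look back 24 hours; a run
# after the fix should show only events older than the restart.
$since  = (Get-Date).AddHours(-24)
$denied = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
            -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'Reason Code:\s*266' }
"Event 6273 / Reason Code 266 entries in the last 24h: {0}" -f @($denied).Count
$denied | Select-Object -First 5 TimeCreated, Id |
    Format-Table -AutoSize
```

If EventLogging is also changed for extra SCHANNEL diagnostics, a reboot is still required before those entries appear, as the post notes; the SendTrustedIssuerList change only needs the NPS restart.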
Error messages that may indicate this problem:
- Log Name: Security
  Event ID: 6273
  Task Category: Network Policy Server
  Keywords: Audit Failure
  Authentication Type: PEAP
  Network Policy Server denied access to a user.
  Reason Code: 266
  Reason: The message received was unexpected or badly formatted.