PEAP Errors with WAP4410N and Microsoft RADIUS

With recent Windows updates and Cisco WAP4410N firmware updates, our Microsoft PEAP authentication started failing to our Windows wireless clients using WPA2-Enterprise security on the Wireless Access Point (WAP).

I tried the usual solutions of making sure that the Microsoft NPAS / NPS / RADIUS (aka IAS) server was using a valid SSL server certificate for PEAP, and verifying that the client computers trust the CA that issued the RADIUS server certificate. All of those were correct and yet I was still getting errors for all Windows clients trying to connect. Apple iOS devices were connecting successfully – adding to my confusion of what component might be causing the problem.

Finally I found a blog entry online listing the same problem and a Microsoft Knowledge Base (KB) article with a suggested fix (registry setting change). The article mentions Windows 2003, but I can verify that the same problem and solution apply to Server 2008 R2 as well. Read the KB article here: Clients cannot make connections if you use IAS in Windows Server. Many thanks to Eddie’s Blog for posting this solution over at: Troubleshoot PEAP Authentication (

The registry fixes are located under the following key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL with the values SendTrustedIssuerList and EventLogging. The event log change requires a system reboot and SCHANNEL logs show up under the “Administrative Events” view in 2008 R2. After assigning SendTrustedIssuerList a value of 0, I restarted the “Network Policy Server” (NPS/RADIUS) to make sure the change was active. The next authentication attempt on the WAP was successful :-).

Error Messages that may indicate this problem:

  • Log Name: Security, Event ID: 6273, Task Category: Network Policy Server, Keywords: Audit Failure, Authentication Type: PEAP, Network Policy Server denied access to a user, Reason Code: 266, Reason: The message received was unexpected or badly formatted.

About notesbytom

Keeping technology notes on to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).
This entry was posted in Networking, System Administration and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s