I am in the process of setting up an NPS server (on Server 2016). The goal is to use AD authentication, via RADIUS, for 802.1X. I think my problem is with PEAP and the cert I am using. I have my connection and network policies set up and working with the RADIUS client; I know this is true because Android and Apple devices are able to connect when I bypass the security alert that pops up. However, Windows 10 clients fail outright to connect.

The cert I am using is a clone of a wildcard cert from a 3rd party CA.

From the logs on a test system:

Reason: Explicit Eap failure received
Error: 0x80420406
EAP Reason: 0x80420406
EAP Root cause String: The authentication failed because the certificate on the server computer does not have a server name specified

I was reading about this error. Perhaps the fact that it is a wildcard cert is the problem? Should I obtain a server-named cert? I have so far steered clear of creating a CA on my network for this purpose to avoid the potential warning messages that might pop up on certain devices (we are a mixed environment: OSX, Windows, iOS, Android, ChromeOS).

I looked into certificate templates, but again that appears to apply in situations when you've got your own CA providing certificates…

I would greatly appreciate any observations or suggestions you might have.

Posted by cmdrvyborg, 2019-07-12
We run NPS with dynamic VLAN assignments. We use a CA to create our certs for NPS and also have a wildcard public cert for our CA (not needed). I think you're on the right track and either need to purchase a cert for that server or create your own CA.

Having your own CA also allows you to sign PowerShell scripts and other server applications. Both are really useful in a mixed environment.

Posted by steviestaab2620, 2019-07-12
"The authentication failed because the certificate on the server computer does not have a server name specified"

In the network policy under Protected EAP settings you can disable the "Validate server certificate" option to test it.

But normally the clients should get a pop-up if the server certificate isn't trusted (if using wildcard).
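As an added example, not part of the original thread, the following PowerShell function (run on the NPS server itself) checks the certificate selected in the network policy's PEAP settings against the properties a Windows PEAP client enforces before it continues the handshake: a Subject CN carrying the server's own name (a Subject with no CN, or with a wildcard CN, is what produces 0x80420406; Windows does not accept wildcard names for NPS/PEAP), the Server Authentication EKU, a private key NPS can use for the TLS tunnel, a current validity window, and a chain that builds to a trusted root. The thumbprint and the expected FQDN are placeholders to be filled in from your own configuration.

```powershell
# Added example, not from the original thread. Run on the NPS server; it reads the
# certificate from the machine store and reports which PEAP requirements it misses.
function Test-NpsPeapCertificate {
    param(
        # Thumbprint shown in the PEAP properties of the NPS network policy.
        # Placeholder: replace with the real value from your configuration.
        [Parameter(Mandatory)][string]$Thumbprint,
        # Name clients will expect in the certificate; defaults to this host's FQDN
        # (an assumption; override it if NPS is reached under another name).
        [string]$ExpectedName = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
    )

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq ($Thumbprint -replace '\s', '').ToUpper() }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Subject CN: Windows PEAP clients require the server's name here. A missing CN
    #    is reported as "does not have a server name specified" (0x80420406), and a
    #    wildcard CN is not accepted for NPS either.
    $cnMatch = [regex]::Match($cert.Subject, '(?:^|,\s*)CN=([^,]+)')
    $cn = if ($cnMatch.Success) { $cnMatch.Groups[1].Value.Trim() } else { '' }
    if ([string]::IsNullOrWhiteSpace($cn)) {
        $findings.Add('Subject has no CN; Windows clients report "does not have a server name specified"')
    } elseif ($cn.StartsWith('*')) {
        $findings.Add("Subject CN is a wildcard ($cn); NPS/PEAP needs the server's own FQDN")
    }

    # 2. DNS names: DnsNameList is the PowerShell view of the names Windows treats as
    #    DNS names (SAN dNSName entries, or the CN when there is no SAN). The expected
    #    server name should be among them and none should be a wildcard.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names -and ($names -notcontains $ExpectedName)) {
        $findings.Add("Certificate names ($($names -join ', ')) do not include $ExpectedName")
    }
    if ($names | Where-Object { $_.StartsWith('*') }) {
        $findings.Add('A SAN entry is a wildcard name; PEAP clients need a literal server name')
    }

    # 3. Enhanced Key Usage must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    if (-not $hasServerAuth) { $findings.Add('EKU lacks Server Authentication (1.3.6.1.5.5.7.3.1)') }

    # 4. NPS terminates the TLS tunnel inside PEAP, so the private key must be present.
    if (-not $cert.HasPrivateKey) { $findings.Add('No private key is bound to this certificate') }

    # 5. Validity window.
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $findings.Add("Outside validity window ($($cert.NotBefore) to $($cert.NotAfter))")
    }

    # 6. The chain must build to a trusted root for server authentication on this host.
    #    Clients additionally need that root in their own trust stores, which is the
    #    pop-up the non-Windows devices in the question were bypassing.
    if (-not (Test-Certificate -Cert $cert -Policy SSL -EKU '1.3.6.1.5.5.7.3.1' -ErrorAction SilentlyContinue)) {
        $findings.Add('Chain does not validate for server authentication on this host')
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        DnsNames   = $names
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        Usable     = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage: paste the thumbprint from the network policy's PEAP properties.
Test-NpsPeapCertificate -Thumbprint 'REPLACE_WITH_NPS_CERT_THUMBPRINT' | Format-List
```

Clearing "Validate server certificate" on the client, as suggested above, is a useful way to isolate the fault because the handshake then succeeds regardless of what the certificate says, but it should not be left that way: with validation off, a rogue access point can present any certificate and collect the inner MS-CHAPv2 exchange. The lasting fix for the error in the question is a certificate whose CN and SAN name the NPS server itself, issued by a root that every client platform in the environment already trusts.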