Article Content
Article Number | 000021337 |
Applies To | RSA ACE/Agent 5.6 for Windows; RSA Security Extensible Authentication Protocol (EAP); Microsoft Internet Authentication Service (IAS); Wireless EAP-PEAP |
Issue | Wireless connection fails to authenticate the client in RSA ACE/Agent 5.6 for Windows.
Error in Event Viewer: "Reason-Code = 22 | Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server"
Full Event Viewer information (NOTE: Station Identifiers are MAC addresses; in the example we have replaced the MAC addresses with 9's):
User <username> was denied access.
Fully-Qualified-User-Name = <Primary DNS Suffix>/Users/<User Name>
NAS-IP-Address = 192.168.1.2
NAS-Identifier = AP
Called-Station-Identifier = 9999.9999.9999
Calling-Station-Identifier = 9999.9999.9999
Client-Friendly-Name = ap
Client-IP-Address = 192.168.1.2
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 425
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless access to Intranet - RSA Security EAP
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp |
Cause | The EAP-Type configured on the client does not match the EAP-Type configured in Microsoft IAS-RADIUS. |
Resolution | To correct this issue, check that the Microsoft Internet Authentication Service (IAS) RADIUS configuration and the Microsoft EAP-PEAP client configuration both use an EAP-Type of RSA Security EAP.
For detailed Microsoft IAS-RADIUS configuration, refer to page 41 in the RSA ACE/Agent 5.6 for Windows Installation and Administration Guide - Configuring Wireless LAN Access Authentication with PEAP chapter.
Microsoft also provides a white paper describing how to configure RSA ACE/Server to provide a secure authentication solution for VPN and Windows XP 802.1X wireless clients with PEAP. It's available at http://www.microsoft.com/downloads/details.aspx?FamilyID=2466f0e3-231b-46b5-ae1e-0e5d3c3cacad&displaylang=en.
--------------------------------------------
Wireless client configuration:
--------------------------------------------
- From Wireless Network Connection Properties, highlight the preferred network and click the Properties button
- From the Association tab:
  - The Network name (SSID) is grayed out
  - Ensure the Network Authentication is 'Open', Data encryption is 'WEP', and 'The key is provided for me automatically' is ticked
- From the Authentication tab:
  - Ensure that 'Enable IEEE 802.1x authentication for this network' is ticked, and the EAP type is 'Protected EAP (PEAP)'
  - Ensure that 'Authenticate as computer when computer information is available' and 'Authenticate as guest when user or computer information is unavailable' are unticked
  - Click the EAP type Properties button
- From Protected EAP Properties:
  - 'Validate server certificate' is unticked (This solution is focused on a non-certificate solution. Please bear in mind that a certificate will make the connection more secure.)
  - Select Authentication Method is 'RSA Security EAP'
  - 'Enable Fast Reconnect' is unticked (ticking Fast Reconnect can provide a better roaming experience) |
Legacy Article ID | a22316 |
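To find which policy and clients are hitting the Reason-Code 22 denial described under Issue, the IAS event description can be parsed into fields and filtered. The following is an added example, not part of the original article or any RSA or Microsoft tooling; the function names and the two sample events (including the second event's reason code and text) are constructed for illustration, and the parser assumes field values never contain " = ".

```python
import re
from collections import Counter

# A field name is one whitespace-free token followed by " = "; its value runs
# up to the next field name. Assumes values never contain " = " themselves.
FIELD = re.compile(r"(\S+) = ")

def parse_ias_event(text):
    """Parse an IAS event description into a dict. Works whether the fields
    are one per line or flattened onto a single line."""
    flat = " ".join(text.split())
    marks = list(FIELD.finditer(flat))
    fields = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(flat)
        fields[m.group(1)] = flat[m.end():end].strip()
    return fields

def eap_type_rejections(events):
    """Count Reason-Code 22 denials per (policy, access point, client)."""
    hits = Counter()
    for fields in map(parse_ias_event, events):
        if fields.get("Reason-Code") == "22":
            hits[(fields.get("Policy-Name"), fields.get("Client-Friendly-Name"),
                  fields.get("Calling-Station-Identifier"))] += 1
    return hits

# Constructed sample events (not real logs); MAC addresses replaced with digits.
SAMPLE_EVENTS = [
    # Fields flattened onto one line
    "User jdoe was denied access. Fully-Qualified-User-Name = example.local/Users/jdoe "
    "NAS-IP-Address = 192.168.1.2 Calling-Station-Identifier = 9999.9999.9999 "
    "Client-Friendly-Name = ap NAS-Port-Type = Wireless - IEEE 802.11 "
    "Policy-Name = Wireless access to Intranet - RSA Security EAP "
    "Authentication-Type = EAP EAP-Type = <undetermined> Reason-Code = 22 "
    "Reason = The client could not be authenticated because the Extensible "
    "Authentication Protocol (EAP) Type cannot be processed by the server.",
    # One field per line, with a different reason code
    """User asmith was denied access.
Calling-Station-Identifier = 8888.8888.8888
Client-Friendly-Name = ap
Policy-Name = Wireless access to Intranet - RSA Security EAP
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.""",
]

if __name__ == "__main__":
    for (policy, ap, mac), n in eap_type_rejections(SAMPLE_EVENTS).items():
        print(f"{n} x Reason-Code 22: client {mac} via '{ap}', policy '{policy}': "
              "compare the client's PEAP authentication method with this policy's EAP type")
```

Each reported tuple names the IAS policy and the client whose EAP type settings should be compared, as described under Resolution.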