000021337 - Wireless connection fails to authenticate the client in RSA ACE/Agent 5.6 for Windows

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000021337
Applies ToRSA ACE/Agent 5.6 for Windows
RSA Security Extensible Authentication Protocol (EAP)
Microsoft Internet Authentication Service (IAS)
Wireless
EAP-PEAP
IssueWireless connection fails to authenticate the client in RSA ACE/Agent 5.6 for Windows
Error: "Reason-Code = 22 | Reason = The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" on Event Viewer
Full Event Viewer information (NOTE: Station Identifiers are MAC addresses; in the example we have replaced the MAC addresses with 9's):

User <username> was denied access.
Fully-Qualified-User-Name = <Primary DNS Suffix>/Users/<User Name>
NAS-IP-Address = 192.168.1.2
NAS-Identifier = AP
Called-Station-Identifier = 9999.9999.9999
Calling-Station-Identifier = 9999.9999.9999
Client-Friendly-Name = ap
Client-IP-Address = 192.168.1.2
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 425
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless access to Intranet - RSA Security EAP
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
CauseThere was a mismatch between the EAP-Type configured on the client compared with the EAP-Type configured with Microsoft IAS-RADIUS
ResolutionTo correct this issue, check the Microsoft Internet Authentication Service (IAS) RADIUS configuration and Microsoft EAP-PEAP client configuration are matched using an EAP-Type of RSA Security EAP.

For detailed Microsoft IAS-RADIUS configuration, refer to page 41 in the RSA ACE/Agent 5.6 for Windows Installation and Administration Guide - Configuring Wireless LAN Access Authentication with PEAP chapter.

Microsoft also provides a white paper describing how to configure RSA ACE/Server to provide a secure authentication solution for VPN and Windows XP 802.1X wireless clients with PEAP. It's available at http://www.microsoft.com/downloads/details.aspx?FamilyID=2466f0e3-231b-46b5-ae1e-0e5d3c3cacad&displaylang=en.

--------------------------------------------
Wireless client configuration:
--------------------------------------------

- From Wireless Network Connection Properties, highlight the preferred network and click the Properties button

- From the Association tab:

  - The Network name (SSID) is grayed out

  - Ensure the Network Authentication is 'Open' , Data encryption is 'WEP', and the 'The key is provided for me automatically' is ticked

- From the Authentication tab:

  - Ensure that 'Enable IEEE 802.1x authentication for this network' is ticked, and the EAP type is 'Protected EAP (PEAP)'

  - Ensure that 'Authenticate as computer when computer information is available' and 'Authenticate as quest when user or computer information is unavailable' are unticked

- Click the EAP type Properties button

- From Protected EAP Properties:

  - 'Validate server certificate' is unticked (This solution is focused on a non-certificate solution. Please bear in mind that a certificate will make the connection more secure).

  - Select Authentication Method is ' RSA Security EAP'

  - 'Enable Fast Reconnect' is unticked (fast reconnect ticked can provide a better roaming experience)
Legacy Article IDa22316

Attachments

    Outcomes