|Applies To||RSA ACE/Agent 5.6 for Windows|
RSA Security Extensible Authentication Protocol (EAP)
Microsoft Internet Authentication Service (IAS)
|Issue||Wireless connection fails to authenticate the client in RSA ACE/Agent 5.6 for Windows|
Error: "Reason-Code = 22 | Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" in Event Viewer
Full Event Viewer information (NOTE: Station Identifiers are MAC addresses; in this example the MAC addresses have been replaced with 9s):
User <username> was denied access.
Fully-Qualified-User-Name = <Primary DNS Suffix>/Users/<User Name>
NAS-IP-Address = 192.168.1.2
NAS-Identifier = AP
Called-Station-Identifier = 9999.9999.9999
Calling-Station-Identifier = 9999.9999.9999
Client-Friendly-Name = ap
Client-IP-Address = 192.168.1.2
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 425
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless access to Intranet - RSA Security EAP
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
|Cause||The EAP-Type configured on the client did not match the EAP-Type configured in Microsoft IAS-RADIUS|
|Resolution||To correct this issue, check that the Microsoft Internet Authentication Service (IAS) RADIUS configuration and the Microsoft EAP-PEAP client configuration both use an EAP-Type of RSA Security EAP.|
For detailed Microsoft IAS-RADIUS configuration, refer to the chapter "Configuring Wireless LAN Access Authentication with PEAP" on page 41 of the RSA ACE/Agent 5.6 for Windows Installation and Administration Guide.
Microsoft also provides a white paper describing how to configure RSA ACE/Server to provide a secure authentication solution for VPN and Windows XP 802.1X wireless clients with PEAP. It's available at http://www.microsoft.com/downloads/details.aspx?FamilyID=2466f0e3-231b-46b5-ae1e-0e5d3c3cacad&displaylang=en.
Wireless client configuration:
- From Wireless Network Connection Properties, highlight the preferred network and click the Properties button
- From the Association tab:
  - The Network name (SSID) is grayed out
  - Ensure that Network Authentication is 'Open', Data encryption is 'WEP', and 'The key is provided for me automatically' is ticked
- From the Authentication tab:
  - Ensure that 'Enable IEEE 802.1x authentication for this network' is ticked, and the EAP type is 'Protected EAP (PEAP)'
  - Ensure that 'Authenticate as computer when computer information is available' and 'Authenticate as guest when user or computer information is unavailable' are unticked
  - Click the EAP type Properties button
- From Protected EAP Properties:
  - 'Validate server certificate' is unticked (this procedure covers a non-certificate solution; bear in mind that a certificate will make the connection more secure)
  - Select Authentication Method is 'RSA Security EAP'
  - 'Enable Fast Reconnect' is unticked (ticking Fast Reconnect can provide a better roaming experience)
|Legacy Article ID||a22316|
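
To find this failure among exported IAS events, the sketch below parses event bodies in the "Attribute = Value" layout shown above and counts Reason-Code 22 denials per access point and policy. It is an added example, not part of the original article or of any RSA or Microsoft tool; the sample events, user names and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: two IAS "denied access" event bodies in the layout shown
# in the article. User names and the second event are placeholders.
SAMPLE_EVENTS = """\
User jdoe was denied access.
Client-Friendly-Name = ap
Policy-Name = Wireless access to Intranet - RSA Security EAP
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22

User asmith was denied access.
Client-Friendly-Name = ap
Policy-Name = Wireless access to Intranet - RSA Security EAP
Authentication-Type = EAP
EAP-Type = Protected EAP (PEAP)
Reason-Code = 16
"""

ATTR = re.compile(r"^([A-Za-z][A-Za-z-]*) = (.*)$")

def parse_events(text):
    """Split on blank lines; return one dict of attributes per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            m = ATTR.match(line.strip())
            if m:
                ev[m.group(1)] = m.group(2).strip()
            elif line.startswith("User ") and line.rstrip().endswith("denied access."):
                ev["User"] = line[5:line.rindex(" was denied")]
        events.append(ev)
    return events

def is_eap_type_mismatch(ev):
    """Reason-Code 22 on an EAP request: the case this article describes."""
    return ev.get("Reason-Code") == "22" and ev.get("Authentication-Type") == "EAP"

def mismatches_by_policy(events):
    """Count mismatches per (access point, policy) to show which policy to check."""
    return Counter((ev.get("Client-Friendly-Name"), ev.get("Policy-Name"))
                   for ev in events if is_eap_type_mismatch(ev))

if __name__ == "__main__":
    for (ap, policy), n in mismatches_by_policy(parse_events(SAMPLE_EVENTS)).items():
        print(f"{n} EAP-Type mismatch(es) via {ap!r}, policy {policy!r}")
```

A policy that keeps appearing in the output is the one whose EAP-Type setting should be compared against the client's 'Select Authentication Method' value.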