Question
Monday, August 18, 2014 1:50 PM
Hi,
I have an IAS 2003; it works fine with EAP-TLS and IP phones from Alcatel and with certificates from Alcatel.
So I want to update from 2003 to 2012 R2. I installed an NPS 2012 R2, exported and imported the config from the IAS to the NPS 2012, and checked all settings. But the IP phones don't work with EAP-TLS.
The client PC works.
The only difference is that the client PC works with 802.1x EAP and an internal domain CA certificate, and the IP phones are Alcatel-Lucent IP Touch with a certificate from Alcatel. I imported the root CA from Alcatel and the Intermediate Certification to the NPS server (same as on the IAS server), but it doesn't work. On the IAS 2003 it works fine with this setup.
Here the error:
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
But if I disable the user name for the IP phone, I get this message:
Reason Code: 34
Reason: The user or computer account that is specified in the RADIUS Access-Request message is disabled.
So I think that the mapping to an existing user account works fine.
The problem is that I cannot export the certificate from the IP phone. I have only the root certificate.
Does anyone have any idea?
All replies (6)
Thursday, August 28, 2014 12:47 PM ✅Answered
Hi,
I believe there are some issues with the certificate for the IP phone. We have to bind it to the corresponding network policy.
"The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
It means the authentication type does not match between the IP phone and the NPS server. Please check it in detail.
Regards,
Mike
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Tuesday, August 19, 2014 9:10 AM
Hi,
Please reset the password of the account and try again.
If the issue persists, please make sure that the root certificate of the NPS (2012 R2) has been installed on the IP phone.
The IP phone needs it to validate the certificate of NPS.
Besides, please make sure that the right policy can be matched in the first place.
Best Regards
Steven Lee
TechNet Community Support
Thursday, August 21, 2014 6:52 AM
Hi,
I have tried to reset the password of the account, but it doesn't work.
So the root certificate is installed on the NPS.
Here are the logs:
Account disabled:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: Domain\00809fb0b9c6
Account Name: 00809fb0b9c6
Account Domain: Domain.NET
Fully Qualified Account Name: Domain.NET\00809fb0b9c6
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 1C-E6-C7-3C-12-07
Calling Station Identifier: 00-80-9F-B0-B9-C6
NAS:
NAS IPv4 Address: 10.10.59.13
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 50007
RADIUS Client:
Client Friendly Name: switch.Domain.net
Client IP Address: 10.10.59.13
Authentication Details:
Connection Request Policy Name: Windows-Authentifizierung für alle Benutzer verwenden
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NPS2012.Domain.net
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 34
Reason: The user or computer account that is specified in the RADIUS Access-Request message is disabled.
Account is enabled:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: Domain\00809fb0b9c6
Account Name: 00809fb0b9c6
Account Domain: Domain.NET
Fully Qualified Account Name: Domain.NET\00809fb0b9c6
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 1C-E6-C7-3C-12-07
Calling Station Identifier: 00-80-9F-B0-B9-C6
NAS:
NAS IPv4 Address: 10.10.59.13
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 50007
RADIUS Client:
Client Friendly Name: switch.Domain.net
Client IP Address: 10.10.59.13
Authentication Details:
Connection Request Policy Name: Windows-Authentifizierung für alle Benutzer verwenden
Network Policy Name: vnetz-vlan333
Authentication Provider: Windows
Authentication Server: NPS2012.Domain.net
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
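An added example, not part of the original thread: a small Python parser that reads the two NPS denial events pasted above as section/field pairs and reports only the fields that differ between them. The sample text is abridged from those events, and the function names are illustrative.

```python
import re

# Abridged from the two NPS denial events in the post above (flattened, as posted).
EVENT_DISABLED = """\
User:
Account Name: 00809fb0b9c6
Client Machine:
Account Name: -
Authentication Details:
Network Policy Name: -
EAP Type: -
Reason Code: 34
"""
EVENT_ENABLED = """\
User:
Account Name: 00809fb0b9c6
Client Machine:
Account Name: -
Authentication Details:
Network Policy Name: vnetz-vlan333
EAP Type: Microsoft: Smart Card or other certificate
Reason Code: 16
"""

def parse_nps_event(text):
    """Return {'Section/Field': value}; a line ending in ':' opens a section."""
    fields, section = {}, ""
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"([^:]+):", line)
        if header:
            section = header.group(1)
            continue
        # Split on the first ': ' only, so 'Microsoft: Smart Card ...' stays whole.
        name, sep, value = line.partition(": ")
        if sep:
            fields[f"{section}/{name.strip()}"] = value.strip()
    return fields

def diff_events(a, b):
    """Fields whose values differ between two parsed events."""
    return {k: (a.get(k, ""), b.get(k, ""))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    changed = diff_events(parse_nps_event(EVENT_DISABLED), parse_nps_event(EVENT_ENABLED))
    for field, (before, after) in changed.items():
        print(f"{field}: {before!r} -> {after!r}")
```

On the abridged sample, the differing fields are Network Policy Name, EAP Type and Reason Code; the repeated "Account Name" fields stay distinct because each is keyed by its section.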
Friday, August 22, 2014 6:16 AM
Hi,
I am trying to involve someone familiar with this topic to further look at this issue.
There might be some time delay. Appreciate your patience.
Best Regards.
Steven Lee
TechNet Community Support
Friday, August 22, 2014 9:29 AM
Hi,
It seems there are some incorrect configurations on the NPS server. We assume there should be a certificate which is used for the IP phone installed in the IAS server's personal store under the machine account. You may have forgotten to migrate it from the IAS to the NPS server. Please check it from the IAS server side and make sure the certificate which is used for IP phone authentication is installed in the personal store under the Computer account on the NPS server. Then bind this certificate to the network policy which is configured for the IP phone.
If the issue persists, please follow the article below to migrate from IAS 2003 to NPS 2012 R2 smoothly.
Migrate A Windows 2003 RADIUS–IAS Server to Windows Server 2012 R2
Regards,
Mike
Tuesday, August 26, 2014 11:45 AM
I had migrated the IAS to NPS this way.
I tried to delete all root certificates from the IP phone on the NPS server. So I get this error:
"A certificate chain could not be built to a trusted root authority." Policy match and all OK.
I installed the root CA and the two needed subordinate certification authorities to Local Computer -> Third-Party Root Certification Authorities.
Then I get the "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect." error.
If I install the 3 certs in Local Computer -> Personal and I set the NPS EAP rule to the IP phone cert, I get this error: "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
So I need the domain CA cert for the NPS EAP rule. But if I install all certs in the right place (same as on the IAS server), I get the same error as before: "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."
So I have no idea.