Nazaudy, a spark in your curious mind

A certificate could not be found that can be used with this Extensible Authentication Protocol

When you configure a RADIUS server to use a certificate for secure wireless or VPN connections, you might be presented with this dreadful error message, titled "Cannot configure EAP": "A certificate could not be found that can be used with this Extensible Authentication Protocol"

 


 

This happens because the RADIUS server does not have the correct certificate installed for the Extensible Authentication Protocol (EAP). To fix this problem, do as follows:

 

Stuff to do on the Certification Authority Server

You obviously must have a CA infrastructure set up in your domain; if not, install the role on a server (I would recommend always using the FRDC, the Forest Root Domain Controller, as the Root CA too). Once you have it all done, run "mmc" and add the "Certificate Templates" snap-in, then edit the properties of the "Domain Controller Authentication" template.

 

Certificate Template in FRDC

 

Ensure that you have the option "Publish certificate in Active Directory" ticked

 

Publish certificate in Active Directory in order to fix the error message Extensible Authentication Protocol

 

Visit the "Security" tab and ensure that Authenticated Users are allowed the Read, Write, Enroll and Autoenroll permissions.

 

Enable Autoenroll

 

Once you have done all of this, close the mmc (without saving it) and open the Certification Authority application, then choose to stop the CA service... and you guessed it! After stopping it, start it again :)

Stop service so new settings can be used

 

That will publish the "Domain Controller Authentication" certificate to the CA with the modifications that we have made.

 

Stuff to do on the RADIUS server

To finally fix the "A certificate could not be found that can be used with this Extensible Authentication Protocol" issue, let's now jump to your RADIUS server: run mmc and add the "Certificates" snap-in for Local Computer, then go to Personal >>> Certificates >>> All Tasks >>> Request New Certificate

 

Request New Certificate

 

Click "Next", and in the next window select Active Directory Enrollment Policy and click "Next" again

Active Directory Certificate Enrollment Policy

 

Because we previously selected this certificate to be published in AD, in the next window you should be able to see the "Domain Controller Authentication" certificate. Select it and choose "Enroll", yah!

Domain Controller Authentication

 

 At this stage you should get a "Succeeded" green light, and the certificate will appear under Personal > Certificates

 

 Certificate found

 

Now you can open the RADIUS server certificate settings from your NPS console and see that the certificate is there, well done!

Edit Extensible Authentication Protocol settings

 

 

London, 6 November 2019

 

The white elephant in the room: make a note on your calendar of the expiration date of the certificate! You'd need to do exactly the same process on the RADIUS server once the current certificate has expired.
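
As an added example (not part of the original article), the following PowerShell check can be run on the RADIUS server to list the certificates in the Local Computer Personal store and show which ones are usable for EAP and how many days remain before each expires. The function name `Get-EapCandidateCertificate`, the 30-day warning window, and the filter on a private key plus the Server Authentication EKU are assumptions of this example.

```powershell
# Added example: run in an elevated PowerShell session on the RADIUS (NPS) server.
# Get-EapCandidateCertificate is a hypothetical helper name, not a built-in cmdlet.
function Get-EapCandidateCertificate {
    param(
        [int]$WarnDays = 30   # assumed renewal warning window, adjust to taste
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $now = Get-Date

    # Local Computer > Personal > Certificates, the store used in the steps above.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # Collect every EKU OID carried by the certificate (empty if it has none).
        $ekuOids = foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
            }
        }

        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

        # First failing condition wins, so the most fundamental problem is reported.
        $status = if (-not $cert.HasPrivateKey) { 'NoPrivateKey' }
            elseif ($ekuOids -notcontains $serverAuthOid) { 'NoServerAuthEku' }
            elseif ($cert.NotBefore -gt $now) { 'NotYetValid' }
            elseif ($daysLeft -lt 0) { 'Expired' }
            elseif ($daysLeft -le $WarnDays) { 'RenewSoon' }
            else { 'Usable' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

Get-EapCandidateCertificate -WarnDays 30 | Sort-Object NotAfter | Format-Table -AutoSize
```

If no row reports `Usable` or `RenewSoon`, the store holds no certificate that passes this example's checks, which is the situation the error message describes. Running the same function as a scheduled task is one way to catch the expiration date before it arrives.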

 


 
