A certificate could not be found that can be used with this Extensible Authentication Protocol
When you are configuring a RADIUS server to use a certificate for Secure Wireless Connection or VPN connections, you might be presented with this dreadful error message with the title: Cannot configure EAP: "A certificate could not be found that can be used with this Extensible Authentication Protocol"
This is due to that RADIUS server not having the correct certificate installed for the Extensible Authentication Protocol (EAP). In order to fix this problem, do as follows:
- Stuff to do on the Certification Authority Server
- Stuff to do on the RADIUS Server #
- Renew the certificate
Stuff to do on the Certification Authority Server
You obviously must have a CA infrastructure setup in your Domain, if not install the role on a server (I would recommend always to use the FRDC - Forest Root Domain Controller- as the Root CA too) and once you got it all done, run "mmc" and add the "Certificate Templates" snap-in, then edit the properties of the "Domain Controller Authentication" template
Ensure that you have the option "Publish certificate in Active Directory" ticked
Visit the "Security" tab and ensure that you allow for the Authenticated Users the permission to Read, Write, Enroll and Autoenroll
Once you have done all of this, close the mmc (without saving it) and open the Certification Authority application, then choose to stop the CA service.... and you guess it! After stopping it, start it again :) Nearly there! We are about to fix the issue of A certificate could not be found that can be used with this Extensible Authentication Protocol 💪
That will publish to CA the certificate "Domain Controller Authentication" with the modifications that we have made
Stuff to do on the RADIUS server
To finally fix this issue of a certificate could not be found that can be used with this Extensible Authentication Protocol, let's jump now to your RADIUS server, run mmc and add the snap-in "Certificates" for Local Computer, then visit Personal >>> Certificates >>> All tasks >>> Request New Certificate
Click "Next", and to the next window select Active Directory Enrollment Policy and click "Next" too
Because previously we selected this certificate to be publish on AD, on the next window you should be able to see the "Domain Controller Authentication" certificate, select it and choose "Enroll", yeah!
At this stage you should get a "Succeeded" green light, and the certificate will appear under Personal > Certificates
Now you can open the RADIUS certificate server from your NPS console, and see that the certificate is there, well done!
That's it! This is how I fixed the error message: "A certificate could not be found that can be used with this Extensible Authentication Protocol". Hope this solution works for you too
London, 6 November 2019
The white elephant in the room: make a note on your calendar of the expiration date of the certificate! You'd need to do exactly the same process on the RADIUS sever once the current certificate has expired. To renew the certificate, follow these steps:
In order to prevent a disaster and stop of services due to a silly certificate being out of day, do follow the steps on the section "Stuff to do on the RADIUS server" and renew the certificate on time!
If you enjoyed this article about a certificate could not be found that can be used with this Extensible Authentication Protocol you might be interested in this other one too:
- Setup and Configure a Public Key Infrastructure PKI https://www.nazaudy.com/setup-and-configure-a-public-key-infrastructure-pki