A certificate could not be found that can be used with this Extensible Authentication Protocol

Cannot configure EAP

When you are configuring a RADIUS server to use a certificate for Secure Wireless Connection or VPN connections, you might be presented with this dreadful error message:

 

This is due to that RADIUS server not having the correct certificate installed. In order to fix this problem, do as follows:

 

Stuff to do on the Certification Authority Server

You obviously must have a CA in your Domain, if not install the role on a server (I would recommend always to use the FRDC - Forest Root Domain Controller- as the CA too) and once you got it all done, run "mmc" and add the "Certificate Templates" snap-in, then edit the properties of the "Domain Controller Authentication" template

 

Ensure that you have the option "Publish certificate in Active Directory" ticked

 

Visit the "Security" tab and ensure that you allow for the Authenticated Users the permission to Read, Write, Enroll and Autoenroll

 

Once you have done all of this, close the mmc (without saving it) and open the Certification Authority application, then choose to stop the CA service.... and you guess it! After stopping it, start it again :)

That will publish to CA the certificate "Domain Controller Authentication" with the modifications that we have made

 

Stuff to do on the RADIUS server

Jumping now to your RADIUS server, run mmc and add the snap-in "Certificates" for Local Computer,then visit Personal > Certificates > Request New Certificate

 

Click "Next", and to the next window select Active Directory Enrollment Policy and click "Next" too

Because previously we select this certificate to be publish on AD, on the next window you should be able to see the "Domain Controller Authentication" certificate, select it and chool "Enroll", yah!

 

 At this stage you should be able to get a "Succeeded" green light, and the certificate will appear under Personal > Certificates

 

 

Now you can open the RADIUS certificate server from your NPS console, and see that the certificate is there, well done!

 

London, 6 November 2019

 

The white elephant in the room: make a note on your calendar of the expiration date of the certificate! You'd need to do exactly the same process on the RADIUS sever once the current certificate has expired

 

Print Friendly, PDF & Email

Comments powered by CComment