Cannot configure EAP

When you are configuring a RADIUS server to use a certificate for Secure Wireless Connection or VPN connections, you might be presented with this dreadful error message:


This is due to that RADIUS server not having the correct certificate installed. In order to fix this problem, do as follows:


Stuff to do on the Certification Authority Server

You obviously must have a CA in your Domain, if not install the role on a server (I would recommend always to use the FRDC - Forest Root Domain Controller- as the CA too) and once you got it all done, run "mmc" and add the "Certificate Templates" snap-in, then edit the properties of the "Domain Controller Authentication" template


Ensure that you have the option "Publish certificate in Active Directory" ticked


Visit the "Security" tab and ensure that you allow for the Authenticated Users the permission to Read, Write, Enroll and Autoenroll


Once you have done all of this, close the mmc (without saving it) and open the Certification Authority application, then choose to stop the CA service.... and you guess it! After stopping it, start it again :)

That will publish to CA the certificate "Domain Controller Authentication" with the modifications that we have made


Stuff to do on the RADIUS server

Jumping now to your RADIUS server, run mmc and add the snap-in "Certificates" for Local Computer,then visit Personal > Certificates > Request New Certificate


Click "Next", and to the next window select Active Directory Enrollment Policy and click "Next" too

Because previously we select this certificate to be publish on AD, on the next window you should be able to see the "Domain Controller Authentication" certificate, select it and chool "Enroll", yah!


 At this stage you should be able to get a "Succeeded" green light, and the certificate will appear under Personal > Certificates



Now you can open the RADIUS certificate server from your NPS console, and see that the certificate is there, well done!


London, 6 November 2019


The white elephant in the room: make a note on your calendar of the expiration date of the certificate! You'd need to do exactly the same process on the RADIUS sever once the current certificate has expired


Print Friendly, PDF & Email

Comments powered by CComment