
RADIUS authentication failure - Server Communication/NPS/CA improperly set up?


Here is the environment/situation:

Server1:  Windows 2008 server, previous IAS/NPS/RADIUS authentication, current Certificate Authority (non-Domain Controller - DC is separate on Server 2003)
Server2:  Windows 2012 Server, new install, intended RADIUS authenticator / NPS
Windows Firewall has been disabled on both
Wireless Network: Using Aruba access points (if relevant): WPA2 Enterprise

We installed Server2 a couple of months ago, starting to host a few web applications (such as LanSweeper & a PRTG probe), and now want to host our RADIUS authentication here (Does 2012 enable more than 50 clients btw?).  There were no additional roles/features/services needed past the basic install, but now I have installed the Network Policy Server role.  I then exported the NPS from Server1 (which has proven authentication enabled).  The list of RADIUS clients (& correct shared secrets), Connection Request Policies, & Network Policies all populated, and are relatively basic.  However, now I'm stuck.

I've read and tried a bunch of things, partly based on the perception (correct?) that I need a certificate for Server2 from Server1 in this scenario. 
http://community.spiceworks.com/topic/262350-does-an-ias-nps-radius-server-have-to-be-on-a-domain-controller
I have installed the AD CS role, but I don't know if I have to make this a subordinate CA, nor what I have to do to complete the certificate request (it fails).  Here are some of my messages/info:


Step by step to set up RADIUS:
http://www.microsoft.com/en-us/download/details.aspx?id=733
(failed on the Certificate Enrollment)

When requesting the certificate through MMC:
Process I used: ?????????
"An error occurred while enrolling for a certificate.
Url: Server1.domain.com\domain-Server1-CA
Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722)"

When using certutil to test: (certutil -ping -util "server1.domain.com\domain-server1-ca")
Process I used: ????????
Server "domain-server1-ca" ICertRequest2 interface is alive (50ms)
CertUtil: -ping command completed successfully


In the Event Viewer / Security Log (under Server Roles - Network Policy and Access Services) on Server2 when I try to connect with a wireless client:

Event ID 4400: A LDAP connection with domain controller DC.DOMAIN.com for domain 'DOMAIN' is established.

Event ID 6273: Network Policy Server denied access to a user - Audit Failure

NAS:
NAS IPv4 Address: 10.0.0.100  (Access Point)
NAS Identifier: 10.0.0.100  (Access Point)
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

Authentication Details:
Connection Request Policy Name: Secure Wireless Connections  (same as on successful Server1)
Network Policy Name: Secure Wireless Connections  (again, same as on successful Server1)
Authentication Provider: Windows
Authentication Server: Server1.domain.com
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.



I'm pretty new to certificates, and the underlying communication here.
It may be multiple things, something very simple I missed, or just a service disabled, but any help would be appreciated.


Thanks


(Further Resources that should help me finish once I have this communication resolved):
http://community.spiceworks.com/topic/265143-nps-eap-type-cannot-be-processed-by-the-server
http://www.petenetlive.com/KB/Article/0000685.htm
http://technet.microsoft.com/en-us/library/cc731363.aspx?
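
A check relevant to the question above about whether Server2 needs its own certificate, as an added example that is not part of the original post. For PEAP and EAP-TLS, NPS presents a server certificate taken from the local computer's Personal store; this PowerShell snippet, run on the NPS server, reports which certificates in that store have a private key, are inside their validity period, permit Server Authentication and build a trusted chain. The output property names are chosen here for illustration.

```powershell
# Added example: inventory Cert:\LocalMachine\My for certificates that NPS
# could present as its server certificate for PEAP / EAP-TLS.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs, if the certificate carries an EKU extension.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) {
        $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }
    # A certificate with no EKU extension is not restricted to specific purposes.
    $allowsServerAuth = (-not $ekuExt) -or ($ekuOids -contains $serverAuthOid)

    # Build the chain with default policy (includes an online revocation check,
    # so an unreachable CRL distribution point shows up in ChainStatus).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $inValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

    [pscustomobject]@{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        HasPrivateKey    = $cert.HasPrivateKey
        InValidityPeriod = $inValidity
        AllowsServerAuth = $allowsServerAuth
        ChainBuilds      = $chainOk
        ChainStatus      = $chainStatus
        UsableForNps     = $cert.HasPrivateKey -and $inValidity -and
                           $allowsServerAuth -and $chainOk
    }
} | Format-List
```

An empty result, or no entry with `UsableForNps` set to `True`, means the server has no certificate it can offer to wireless clients during the EAP exchange.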

