Получена явная ошибка eap 0x50005

Hi cshsysadmin,

>>Explicit Eap failure received

There are many reasons could cause “Explicit EAP failure received”. Usually we will first to collect the wireless logs by enabling logging with command “netsh ras set tracing * enable” and “netsh wlan set tracing mode=yes” at client when this issue
be reproduced and analyze entries in its corresponding logging file.And post the complet logs to us,it will be helpful to analyze.

>>I did notice her pc certificate is pointing to our old certificate authority but has not expired. Could it be a certificate issue?

It could be.Please try to give her certificate from the server you are using.

In addition,which authentication methods did you set to use in network or connection request policies that you defined in NPS server ? what OS is running on client ??

Here is some link for your reference:

A Support Guide for Wireless Diagnostics and Troubleshooting

http://technet.microsoft.com/en-us/library/bb457018.aspx

Authentication Problem on a 802.1x Wireless Network

http://blogs.technet.com/b/yuridiogenes/archive/2008/04/18/authentication-problem-on-a-802-1x-wireless-network.aspx

Best Regards,

Cartman

Please remember to mark the replies as answers if they help and unmark them if they provide
no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

Помечено в качестве ответа
rdprice_cshco.com
28 марта 2016 г. 15:24

Источник

Hi cshsysadmin,

>>Explicit Eap failure received

>>I did notice her pc certificate is pointing to our old certificate authority but has not expired. Could it be a certificate issue?

It could be.Please try to give her certificate from the server you are using.

In addition,which authentication methods did you set to use in network or connection request policies that you defined in NPS server ? what OS is running on client ??

Here is some link for your reference:

A Support Guide for Wireless Diagnostics and Troubleshooting

http://technet.microsoft.com/en-us/library/bb457018.aspx

Authentication Problem on a 802.1x Wireless Network

http://blogs.technet.com/b/yuridiogenes/archive/2008/04/18/authentication-problem-on-a-802-1x-wireless-network.aspx

Best Regards,

Cartman

Please remember to mark the replies as answers if they help and unmark them if they provide
no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

Помечено в качестве ответа
rdprice_cshco.com
28 марта 2016 г. 15:24

Hi cshsysadmin,

>>Explicit Eap failure received

>>I did notice her pc certificate is pointing to our old certificate authority but has not expired. Could it be a certificate issue?

It could be.Please try to give her certificate from the server you are using.

In addition,which authentication methods did you set to use in network or connection request policies that you defined in NPS server ? what OS is running on client ??

Here is some link for your reference:

A Support Guide for Wireless Diagnostics and Troubleshooting

http://technet.microsoft.com/en-us/library/bb457018.aspx

Authentication Problem on a 802.1x Wireless Network

http://blogs.technet.com/b/yuridiogenes/archive/2008/04/18/authentication-problem-on-a-802-1x-wireless-network.aspx

Best Regards,

Cartman

Please remember to mark the replies as answers if they help and unmark them if they provide
no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

Marked as answer by
rdprice_cshco.com
Monday, March 28, 2016 3:24 PM

Hi cshsysadmin,

>>Explicit Eap failure received

>>I did notice her pc certificate is pointing to our old certificate authority but has not expired. Could it be a certificate issue?

It could be.Please try to give her certificate from the server you are using.

In addition,which authentication methods did you set to use in network or connection request policies that you defined in NPS server ? what OS is running on client ??

Here is some link for your reference:

A Support Guide for Wireless Diagnostics and Troubleshooting

http://technet.microsoft.com/en-us/library/bb457018.aspx

Authentication Problem on a 802.1x Wireless Network

http://blogs.technet.com/b/yuridiogenes/archive/2008/04/18/authentication-problem-on-a-802-1x-wireless-network.aspx

Best Regards,

Cartman

Please remember to mark the replies as answers if they help and unmark them if they provide
no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

Marked as answer by
rdprice_cshco.com
Monday, March 28, 2016 3:24 PM

I’m back on this now Christmas is out of the way

I had some default policies still enabled on my 2016 NPS Server, which I’ve disabled. They were:

Connection Request Policies > Use Windows authentication for all users.

Network Policies > Connections to other access servers.

Network Policies > Connections to Microsoft Routing and Remote Access server.

With those 3 disabled, I’m no longer getting the following Information level event logged in Event Viewer:

Reason code: 66

Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

Instead, I am now getting:

Reason code: 48

Reason: The connection request did not match any configured network policy.

I have 3 conditions set for the Staff WiFi Network Policy:

Condition: NAS Port Type, Value: Wireless — IEEE 802.11 OR Wireless — Other

Condition: User Groups, Value: MYDOMAINMeraki Staff Group

Condition: Machine Groups, Value: MYDOMAINMeraki Computer Group

The laptop I’m testing on is a member of the Meraki Computer Group, and the user account I’m logged on with belongs to the Meraki Staff Group.

I get a ‘Reason Code: 48’ event logged twice each time I try to connect; first for the user, then 10 seconds later for the machine:

————————————————————————————————————-

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: MYDOMAINElectroDan
Account Name: MYDOMAINElectroDan
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAINElectroDan

Client Machine:
Security ID: NULL SID
Account Name: —
Fully Qualified Account Name: —
Called Station Identifier: 9A-15-54-AB-52-67:Radius_Test
Calling Station Identifier: 84-3A-4B-56-F4-5C

NAS:
NAS IPv4 Address: 10.99.108.26
NAS IPv6 Address: —
NAS Identifier: —
NAS Port-Type: Wireless — IEEE 802.11
NAS Port: —

RADIUS Client:
Client Friendly Name: Meraki — Purchasing
Client IP Address: 10.99.108.26

Authentication Details:
Connection Request Policy Name: WiFi_Staff
Network Policy Name: —
Authentication Provider: Windows
Authentication Server: DC03.mydomain.local
Authentication Type: EAP
EAP Type: —
Account Session Identifier: 41413346334133424138354636383335
Logging Results: Accounting information was written to the local log file.
Reason Code: 48
Reason: The connection request did not match any configured network policy.

————————————————————————————————————-

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: MYDOMAINITSPARE01$
Account Name: host/ITSPARE01.mydomain.local
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAINITSPARE01$

Client Machine:
Security ID: NULL SID
Account Name: —
Fully Qualified Account Name: —
Called Station Identifier: 9A-15-54-AB-56-2D:Radius_Test
Calling Station Identifier: 84-3A-4B-56-F4-5C

NAS:
NAS IPv4 Address: 10.99.108.25
NAS IPv6 Address: —
NAS Identifier: —
NAS Port-Type: Wireless — IEEE 802.11
NAS Port: —

RADIUS Client:
Client Friendly Name: Meraki — Accounts
Client IP Address: 10.99.108.25

Authentication Details:
Connection Request Policy Name: WiFi_Staff
Network Policy Name: —
Authentication Provider: Windows
Authentication Server: DC03.mydomain.local
Authentication Type: EAP
EAP Type: —
Account Session Identifier: 41433342464337434233394535444334
Logging Results: Accounting information was written to the local log file.
Reason Code: 48
Reason: The connection request did not match any configured network policy.

————————————————————————————————————-

A couple of things I’ve noticed.

1) The machine account (MYDOMAINITSPARE01$) is being listed in the User section, and the Client Machine section is empty.

2) The 2nd entry (for MYDOMAINITSPARE01$) is registering via a different AP (Meraki — Accounts). Both AP’s are within range of my test laptop.

Fun.

Not.

I am having an issue with Windows 7 workstations connecting to our wireless ssid that authenticates user based via the Radius server. Windows 10 systems, mobile devices, and Mac devices are all able to authenticate and connect.

I have the NPS set up on a Windows Server 2012 R2 box utilizing Sophos UTM 9 as a Radius Client.

The Radius Sever authenticates the user as seen below:

On the Windows 7 workstations, I am prompted for the user authentication (as the NPS policy is set up for). I receive logs regarding «Explicit Eap failure received.» Please see below for those logs.

————————————————————————————

Wireless security failed.

Network Adapter: Intel(R) Dual Band Wireless-AC 7260

Interface GUID: {941fcf87-19a6-40b1-9338-879ef205cf6a}

Local MAC Address: 0C:8B:FD:CD:3A:7F

Network SSID: PSACorporate

BSS Type: Infrastructure

Peer MAC Address: 00:1A:8C:8C:04:C1

Reason: Explicit Eap failure received

Error: 0x80074005

Wireless 802.1x authentication failed.

Network Adapter: Intel(R) Dual Band Wireless-AC 7260

Interface GUID: {941fcf87-19a6-40b1-9338-879ef205cf6a}

Local MAC Address: 0C:8B:FD:CD:3A:7F

Network SSID: PSACorporate

BSS Type: Infrastructure

Peer MAC Address: 00:1A:8C:8C:04:C1

Identity: test1

User: TFrazier

Domain: PSA_NT

Reason: Explicit Eap failure received

Error: 0x80074005

EAP Reason: 0x4005

EAP Root cause String:

EAP Error: 0x4005

————————————————————————————

I have manually configure the wireless settings to avoid the PC from using the wrong creds. Please see the wireless settings below:

I’ve pretty much hit a road block and could use some assistance as to where to look next. Thanks in advanced.

— Tim

I am trying to get NPS (Running Windows Server 2008 R2) setup as a RADIUS server to authenticate my wireless clients (running Windows 7 Enterprise). When attempting this, I get the following in the event log on the DC/NPS:

— System

— Provider

[ Name] Schannel
[ Guid] {1F678132-5938-4686-9FDC-C8FF68F15C85}

EventID 36888

Version 0

Level 2

Task 0

Opcode 0

Keywords 0x8000000000000000

— TimeCreated

[ SystemTime] 2009-08-17T20:27:15.913829000Z

EventRecordID 136791

Correlation

— Execution

[ ProcessID] 540
[ ThreadID] 1748

Channel System

Computer DOMAINCONTROLLER.domain

— Security

[ UserID] S-1-5-18

— EventData

AlertDesc 20
ErrorState 960

And the following in the NPS log:
«DOMAINCONTROLLER»,»IAS»,08/18/2009,09:13:28,1,»DOMAINUSER»,»DOMAINuser»,»001c1011af08″,»001bfcb1bd23″,,,»001c1011af08″,»WAP IP»,47,0,»WAP IP»,»WAP Hostname»,,,19,,,,11,»Secure Wireless Connections»,0,»311 1 DOMAINCONTROLLERIP 08/17/2009 16:55:48 120″,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,»Secure Wireless Connections»,1,,,,
«DOMAINCONTROLLER»,»IAS»,08/18/2009,09:13:28,3,,»DOMAINuser»,,,,,,,,0,»WAP IP»,»WAP Hostname»,,,,,,,11,»Secure Wireless Connections»,23,»311 1 DOMAINCONTROLLERIP 08/17/2009 16:55:48 120″,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,»Secure Wireless Connections»,1,,,,

And the following in the client security log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/18/2009 9:13:28 AM
Event ID: 5632
Task Category: Other Logon/Logoff Events
Level: Information
Keywords: Audit Failure
User: N/A
Computer: LAPTOP.domain
Description:
A request was made to authenticate to a wireless network.

Subject:
      Security ID:            DOMAINuser
      Account Name:            user
      Account Domain:            DOMAIN
      Logon ID:            0x23e79

Network Information:
      Name (SSID):            DOMAIN-wlan
      Interface GUID:            {90952a3d-ac07-4f0d-9598-50afdea22da8}
      Local MAC Address:      00:1B:FC:B1:BD:23
      Peer MAC Address:      00:1C:10:11:AF:08

Additional Information:
      Reason Code:            Explicit Eap failure received (0x50005)
      Error Code:            0x0
      EAP Reason Code:      0x0
      EAP Root Cause String:
      EAP Error Code:            0x0

The client is receiving the root certificate that has an intended purpose of <All> according to the certificate MMC snap-in. Is there some other kind of certificate I need to issue, and if so, how? Also, if I’m reading the NPS log correctly I’m getting authentication type 11 and Result Code 23 neither of which show up in http://technet.microsoft.com/en-us/library/cc771748%28WS.10%29.aspx.

Very confused.

[SOLVED | See edit #2]

I saw another user have that issue on their school network back on build 10240, but I’m seeing it happen to me on the new fast ring build, 10565. Can anyone else confirm this? My event viewer is riddled with these errors after failing to connect:

Authentication failed for EAP method type 25. The error was 0x54F

and

EapHostPeerGetResult returned a failure.
Eap Method Friendly Name: Microsoft: Protected EAP (PEAP)
Reason code: 0
Root Cause String: NULL
Repair String: NULL

The guest network is fine, since there’s no authentication (obviously)

Is there a fix for this somewhere or will I have to resort to using ethernet/guest networking for the while?

(I hope MS fixes this soon… this is enterprise-breaking levels of bad)

Edit: Posted in the wrong sub, can someone help me fix this please? Made a new post linking to here for now: https://www.reddit.com/r/windowsinsiders/comments/3ort8f/8021x_peap_is_broken_with_wpa2enterprise_windows10/

Edit #2: I GOT IT! A Software Lead Designer at MS contacted me and he walked through the issue. The fix was to add a registry key:

reg add HKLMSYSTEMCurrentControlSetServicesRasManPPPEAP13  /v TlsVersion /t REG_DWORD /d 0xc0

following that, restart and try connecting again. Hopefully this helps someone else

Источник

Hi cshsysadmin,

>>Explicit Eap failure received

>>I did notice her pc certificate is pointing to our old certificate authority but has not expired. Could it be a certificate issue?

It could be.Please try to give her certificate from the server you are using.

In addition,which authentication methods did you set to use in network or connection request policies that you defined in NPS server ? what OS is running on client ??

Here is some link for your reference:

A Support Guide for Wireless Diagnostics and Troubleshooting

http://technet.microsoft.com/en-us/library/bb457018.aspx

Authentication Problem on a 802.1x Wireless Network

http://blogs.technet.com/b/yuridiogenes/archive/2008/04/18/authentication-problem-on-a-802-1x-wireless-network.aspx

Best Regards,

Cartman

Please remember to mark the replies as answers if they help and unmark them if they provide
no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

Marked as answer by
rdprice_cshco.com
Monday, March 28, 2016 3:24 PM

Источник

I’m back on this now Christmas is out of the way

I had some default policies still enabled on my 2016 NPS Server, which I’ve disabled. They were:

Connection Request Policies > Use Windows authentication for all users.

Network Policies > Connections to other access servers.

Network Policies > Connections to Microsoft Routing and Remote Access server.

With those 3 disabled, I’m no longer getting the following Information level event logged in Event Viewer:

Reason code: 66

Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

Instead, I am now getting:

Reason code: 48

Reason: The connection request did not match any configured network policy.

I have 3 conditions set for the Staff WiFi Network Policy:

Condition: NAS Port Type, Value: Wireless — IEEE 802.11 OR Wireless — Other

Condition: User Groups, Value: MYDOMAINMeraki Staff Group

Condition: Machine Groups, Value: MYDOMAINMeraki Computer Group

The laptop I’m testing on is a member of the Meraki Computer Group, and the user account I’m logged on with belongs to the Meraki Staff Group.

I get a ‘Reason Code: 48’ event logged twice each time I try to connect; first for the user, then 10 seconds later for the machine:

————————————————————————————————————-

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: MYDOMAINElectroDan
Account Name: MYDOMAINElectroDan
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAINElectroDan

Client Machine:
Security ID: NULL SID
Account Name: —
Fully Qualified Account Name: —
Called Station Identifier: 9A-15-54-AB-52-67:Radius_Test
Calling Station Identifier: 84-3A-4B-56-F4-5C

NAS:
NAS IPv4 Address: 10.99.108.26
NAS IPv6 Address: —
NAS Identifier: —
NAS Port-Type: Wireless — IEEE 802.11
NAS Port: —

RADIUS Client:
Client Friendly Name: Meraki — Purchasing
Client IP Address: 10.99.108.26

————————————————————————————————————-

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: MYDOMAINITSPARE01$
Account Name: host/ITSPARE01.mydomain.local
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAINITSPARE01$

Client Machine:
Security ID: NULL SID
Account Name: —
Fully Qualified Account Name: —
Called Station Identifier: 9A-15-54-AB-56-2D:Radius_Test
Calling Station Identifier: 84-3A-4B-56-F4-5C

NAS:
NAS IPv4 Address: 10.99.108.25
NAS IPv6 Address: —
NAS Identifier: —
NAS Port-Type: Wireless — IEEE 802.11
NAS Port: —

RADIUS Client:
Client Friendly Name: Meraki — Accounts
Client IP Address: 10.99.108.25

Authentication Details:
Connection Request Policy Name: WiFi_Staff
Network Policy Name: —
Authentication Provider: Windows
Authentication Server: DC03.mydomain.local
Authentication Type: EAP
EAP Type: —
Account Session Identifier: 41433342464337434233394535444334
Logging Results: Accounting information was written to the local log file.
Reason Code: 48
Reason: The connection request did not match any configured network policy.

————————————————————————————————————-

A couple of things I’ve noticed.

1) The machine account (MYDOMAINITSPARE01$) is being listed in the User section, and the Client Machine section is empty.

2) The 2nd entry (for MYDOMAINITSPARE01$) is registering via a different AP (Meraki — Accounts). Both AP’s are within range of my test laptop.

Fun.

Not.

— System

— Provider

[ Name] Schannel
[ Guid] {1F678132-5938-4686-9FDC-C8FF68F15C85}

EventID 36888

Version 0

Level 2

Task 0

Opcode 0

Keywords 0x8000000000000000

— TimeCreated

[ SystemTime] 2009-08-17T20:27:15.913829000Z

EventRecordID 136791

Correlation

— Execution

[ ProcessID] 540
[ ThreadID] 1748

Channel System

Computer DOMAINCONTROLLER.domain

— Security

[ UserID] S-1-5-18

— EventData

AlertDesc 20
ErrorState 960

Subject:
      Security ID:            DOMAINuser
      Account Name:            user
      Account Domain:            DOMAIN
      Logon ID:            0x23e79

Very confused.

[SOLVED | See edit #2]

Authentication failed for EAP method type 25. The error was 0x54F

and

EapHostPeerGetResult returned a failure.
Eap Method Friendly Name: Microsoft: Protected EAP (PEAP)
Reason code: 0
Root Cause String: NULL
Repair String: NULL

The guest network is fine, since there’s no authentication (obviously)

Is there a fix for this somewhere or will I have to resort to using ethernet/guest networking for the while?

(I hope MS fixes this soon… this is enterprise-breaking levels of bad)

Edit #2: I GOT IT! A Software Lead Designer at MS contacted me and he walked through the issue. The fix was to add a registry key:

reg add HKLMSYSTEMCurrentControlSetServicesRasManPPPEAP13  /v TlsVersion /t REG_DWORD /d 0xc0

following that, restart and try connecting again. Hopefully this helps someone else

Источник

user2183815

2018-11-14 в 18:46

У меня есть рабочая станция, которая не хочет проходить аутентификацию в моей сети. Я получаю сообщение об ошибке, как показано ниже в окне просмотра событий.

Это настроено с EAP-TLS как изображение ниже.

У меня есть несколько рабочих станций, которые отлично работают с вышеуказанными настройками. Эти рабочие станции имеют настройку, они добавляются в определенную группу в нашем домене для размещения в нужной локальной сети в сети. И для меня, похоже, я правильно настроил в домене.

Я попытался восстановить новый сертификат в консоли управления Microsoft, и, кажется, он работает нормально. Хотя я все равно получаю то же сообщение об ошибке в программе просмотра событий.

Я полагаю, что это локальная проблема на этом компьютере, поскольку информационное сообщение указывает, что оно приостановлено на этом сетевом адаптере. Был бы очень признателен за некоторые рекомендации о том, как устранить неполадки или решить эту проблему.

0 ответов на вопрос

Похожие вопросы