08-25-04 10:58 PM
kniblock <kniblock.1ba194@mail.webservertalk.com> wrote in
news:kniblock.1ba194@mail.webservertalk.com:
>
> I am trying to get wired XP clients authenticating using MS-CHAP v2. The
> RADIUS client is a Cisco 6509 switch and the RADIUS server is a member
> server running Windows 2003. There is a standalone CA on the domain and
> I have generated a certificate from that. My main issue is that I am
> not sure if my remote access policy is set up correctly. The policy is
> set to check membership of a Windows group and Authentication type
> matches EAP or MS-CHAP V2. When a client tries to connect, an error is
> written to the IAS event log with the following details:
>
> Event ID 2, Reason code 22. The client could not be authenticated because
> the EAP type cannot be processed by the server.
>
> If anyone can shed any light on this I would be grateful. I think it's
> something that I have not configured properly in the Remote Access
> Policy.
>
> Many Thanks
>
> Ken
>
>
>
> --
> kniblock
Hi there --

I am unclear about which authentication method and authentication type you
are attempting to deploy.

If you want to deploy EAP, for 802.1X authenticating switches you can
deploy several possible things:

Protected EAP with MS-CHAP v2. This requires a server cert on your IAS
server that client computers trust. Users are authenticated with
password-based credentials and the client computer authenticates the server
with the server certificate.

EAP-TLS. This requires server certs and client certs, and you must deploy a
public key infrastructure (PKI) / Certificate Services in Windows.

EAP-MD5. This is a password-based authentication method that is similar to
CHAP, but the challenge and response are sent as EAP messages.

If you are just trying to deploy MS-CHAP v2, do not select an EAP method in
the remote access policy. Only select the check box (on the Authentication
tab of the RAP profile) for MS-CHAP v2.

Then make sure your clients are configured to use the auth method you have
selected on the IAS server's RAP.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
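
The reply above ends on making sure the client uses the same method the server policy allows. As an added example (not part of the original thread and not Microsoft or Cisco tooling), this Python code decodes the EAP header defined in RFC 3748 from an EAP packet and reports whether the method the client answers with is in the server's allowed set. The sample packets, the `PEAP_ONLY` set and the function names are constructed for illustration; the type numbers are the IANA-assigned EAP method types.

```python
import struct

# EAP method type numbers from the IANA EAP registry (RFC 3748 and later).
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eap(packet: bytes) -> dict:
    """Decode the EAP header: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field inconsistent with packet size")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
            "type": None, "type_name": None, "data": b""}
    # Success/Failure carry no Type field; Request/Response do.
    if code in (1, 2) and length >= 5:
        info["type"] = packet[4]
        info["type_name"] = EAP_TYPES.get(packet[4], f"unknown({packet[4]})")
        info["data"] = packet[5:length]
    return info

def check_method(packet: bytes, server_allowed: set) -> str:
    """Say whether the method in a client Response is one the server allows."""
    eap = parse_eap(packet)
    if eap["code"] != "Response" or eap["type"] in (None, 1):
        return "no method selected yet"
    if eap["type"] == 3:  # Nak: data lists the methods the client would accept
        wanted = [t for t in eap["data"] if t != 0]  # 0 means no alternative
        common = set(wanted) & server_allowed
        names = [EAP_TYPES.get(t, str(t)) for t in wanted]
        return f"client Nak, wants {names}; " + (
            "server can switch" if common else "MISMATCH: no common EAP type")
    ok = eap["type"] in server_allowed
    return f"{eap['type_name']}: " + (
        "allowed" if ok else "MISMATCH: not enabled on server")

# Constructed sample packets (not captured traffic).
NAK_FOR_MD5 = bytes([2, 7, 0, 6, 3, 4])     # Response, id 7, Nak, wants type 4
PEAP_RESPONSE = bytes([2, 8, 0, 6, 25, 0])  # Response, id 8, PEAP, flags 0
PEAP_ONLY = {25}                            # hypothetical policy: PEAP only

if __name__ == "__main__":
    print(check_method(NAK_FOR_MD5, PEAP_ONLY))
    print(check_method(PEAP_RESPONSE, PEAP_ONLY))
```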