This step-by-step article describes how to troubleshoot Extensible Authentication Protocol (EAP) authentication when you are using it with virtual private network (VPN) connections.
Use an Enterprise Certification Authority (CA) to obtain certificates for EAP authentication. According to the Windows 2000 Server Resource Kit Distributed Systems Guide, stand-alone CAs cannot issue certificates for the smart card logon process.
Troubleshoot RRAS That Does Not Recognize the Installed Certificate
RRAS may not recognize the installed certificate on the profile's Authentication tab (EAP Configuration) in the Smart Card or other Certificate Properties dialog box. There is nothing listed on the Certificate issued to menu.
This problem occurs because of an incorrect configuration when you request the certificate.
To resolve this problem, make sure that the RRAS computer requests the certificate by using the Advanced Form. To do this, follow these steps:
Make sure that the name in the Name box in the Identifying Information dialog box is in the following format:
Make sure that the server type is Server Authentication Certificate.
Make sure that the CSP is Microsoft RSA Schannel Cryptographic Provider.
Click to select the Use local machine store check box.
An RRAS Profile is configured with the correct, recognized certificate, but the VPN client may not connect. Additionally, you may receive the following error message on the client:
Error 0x80090325: The certificate chain was issued by an untrusted authority.
The following error is listed in the server's System log:
The user DomainUser has connected and failed to authenticate because of the following error: The certificate chain was issued by an untrusted authority.
This problem occurs because the CA certification path is not installed.
To resolve this problem, install the CA Certification Path on both client and server. To do this, select the Retrieve the CA certificate or certificate revocation list from http://CAServerName/certsrv.
EAP-TLS is designed to be used in conjunction with a certificate infrastructure and either user certificates or smart cards. With EAP-TLS, the VPN client sends its user certificate for authentication and the VPN server sends a computer certificate for authentication. This is the strongest authentication method because it does not rely on passwords.
NOTE: You can use third-party CAs as long as the certificate in the computer store of the IAS server contains the Server Authentication certificate purpose (also known as a certificate usage or certificate issuance policy). A certificate purpose is identified by using an object identifier (OID). The object identifier for Server Authentication is "220.127.116.11.18.104.22.168.1". Additionally, the user certificate installed on the Windows 2000 remote access client must contain the Client Authentication certificate purpose (object identifier "22.214.171.124.126.96.36.199.2"). Certificates from third-party CAs must be issued by using SCHANNEL CSP.
If the VPN server is configured with the Windows authentication provider and is supporting L2TP connections or is authenticating connections by using the EAP-TLS authentication protocol, you must install a computer certificate on the VPN server that can be validated by the VPN client and a root certificate that is used to validate the VPN client.
For additional information about how to configure VPN to use EAP authentication, click the article number below to view the article in the Microsoft Knowledge Base:
259880 Configuring VPN to Use Extensible Authentication Protocol (EAP)