Thursday, April 17, 2014

Solution: EAP Wireless Failure, "Network authentication failed due to a problem with the user account"

Earlier today I set up an 802.1X EAP wireless network with a Ruckus WLAN controller.

Here's the setup:
Ruckus WLAN controller with a few dozen headless Ruckus WAPs
Domain CA that has enrolled in AD and is pushing certificates to all client pcs via group policy
Windows 2008R2 NAP server authenticating clients based on AD group "Domain Users"

I set up the NAP server and ruckus according to this guide -

Everything looked perfect, but I was getting a strange error on my test client when attempting to join the wireless network. Here's the error message:

A request was made to authenticate to a wireless network.

Security ID:
Account Name: kyler.middleton
Account Domain: (removed)
Logon ID: 0x517503

Network Information:
Name (SSID): Test-RadiusWireless
Interface GUID: {b02ab000-4120-483a-8633-9c473d7a5004}
Local MAC Address: 40:F0:2F:4B:FA:33
Peer MAC Address: C4:01:7C:96:FA:18

Additional Information:
Reason Code: Explicit Eap failure received (0x50005)
Error Code: 0x40420110
EAP Reason Code: 0x40420110
EAP Root Cause String: Network authentication failed due to a problem with the user account

EAP Error Code: 0x40420110

I tore every piece of my NAP setup apart -- went through every line of relevant group policy, certificates, Ruckus wireless configuration, when I found the issue.

I had set the NAP server (Windows 2008R2) to use the certificate of the trusted domain CA to sign the EAP messages. Though the client had the same trusted CA installed locally, a trusted CA is not a certificate, so the client was rejecting the two-way EAP authentication.

The issue was fixed when I changed the certificate the Windows NAP server was using to sign the EAP messages. When I updated it to a certificate signed by the CA (rather than the CA's own certificate), everything started working immediately.

Good luck to you!