Channel: Forefront TMG and ISA Server forum

Smart Card VPN Issues


Hi All

We are having some issues getting a VPN set up to use a smart card for its credentials. It works just fine when using a username and password, but fails with the following error when using a smart card:

The client could not be authenticated because the EAP type could not be processed by the server.

This appears in the Security log as an audit failure. Above it are the details of the username, client IP, etc., which all appear fine.

The network setup is as follows. All servers run Server 2008 R2 Standard with SP1. All clients run Windows 7 Professional with SP1 64 bit and are domain members. We have a DC at 2008 R2 Forest Functional Level. We have also installed a CA on this server, and have duplicated the Smartcard Logon template to V2 (Server 2003 Enterprise). We have another server running TMG 2010. This has 2 network cards, one for local LAN and one for WAN. It is set up as an edge firewall. We have enabled the Remote Access (VPN) settings in the console for TMG. We have it using PPTP and allowing a group called VPNUsers access.

When we use our client PC to access the VPN using a username and password, it lets us in with no problems. We reconnect to the domain network and plug in our smartcard reader. The user we are logged on to the PC as is an admin. They have also installed an Enrollment Agent certificate into their local store. Using this user, we then enroll on behalf of, and then put in the name of our user. It requests the smart card be inserted. We do this and the enrollment goes through fine. Log off of the PC and back in as the user instead of the admin. Change the VPN to use smart card instead of PEAP or EAP-MSCHAP-V2. Then it fails to establish the connection with the error code as shown in the attached image.

I have tried a number of different smart cards, readers, and tweaked several settings on both the client and server, but I am coming to the limit of what I can do. Is this something anyone has come across before? Have I missed a step in the setup of the VPN or client? Any help would be greatly appreciated.

Many Thanks

Iain

