Win 7 IKEv2+PEAP = "no NPS server"?

Stefan Winter stefan.winter at
Thu Apr 8 15:27:45 CEST 2010


I wonder if anyone else has come across this already... Google is not
very helpful here.

We're setting up a VPN Server (strongswan) with Windows 7 in IKEv2 mode.
The client side is supposed to authenticate with PEAP(*) to FreeRADIUS.
That works pretty well, but on the first PEAP connection to the server,
there's a big fat warning on the Win 7 UI: "You're connecting to a
server which is not a valid NPS Server for this domain. You are strongly
discouraged from continuing... bla..." If you click Connect, *everything
works*. Now I'm wondering what needs to be done to make that useless
warning go away... Maybe the FreeRADIUS server certificate needs yet
another Extended Key Usage or so? I didn't really find helpful

I wonder why it's Win 7's business anyway: of course the other end is
not an NPS server. It's FreeRADIUS. But why would an EAP client consider
it its own business to warn about a vendor discrepancy on the RADIUS far


Stefan Winter

(*) If you just select EAP-MSCHAPv2 (no inner tunnel), the end result at
the FR side is a crippled User-Name (which makes it impossible to auth
users). Whether it's Win 7 or the strongswan EAP -> RADIUS conversion
that gets it wrong, I don't know.

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
