I have a Windows 2008 Std server running NPS. After applying the latest round of updates (including Root Certificates for April 2012 KB931125 (see: http://support.microsoft.com/kb/933430/)), EAP authentication is failing due to being malformed.
Sample error (Security/Event ID 6273), truncated for brevity:
Authentication Details:
Proxy Policy Name: Use Windows authentication for all users
Network Policy Name: Wireless Access
Authentication Provider: Windows
Authentication Server: nps-host.corp.contoso.com
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Reason Code: 266
Reason: The message received was unexpected or badly formatted.
The NPS policy (Wireless Access) is configured accordingly (for Constraints/Authentication methods):
EAP Types:
Microsoft: Protected EAP (PEAP) - with a valid certificate from ADCS
Microsoft: Secured password (EAP-MSCHAP v2)
Less secure authentication methods:
Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)
User can change password after it has expired
Microsoft Encrypted Authentication (MS-CHAP)
User can change password after it has expired
We've tested a different RADIUS server without the aforementioned patch, and removed EAP as an authentication type and experienced success.
Has anyone else experienced this issue?
I'm going to put this here, since I experienced this yesterday and one of my first searches led me to this question.
The problem ended up being, as ALF4 mentioned, too many root certificates. It occurred after a Windows update to the root certificates.
We solved it by changing the Registry to prevent the NPS server from sending the trusted root certificates list to the clients.
That immediately solved the issue and clients could connect again.
Special thanks to Brian who pointed out KB933430 which, despite being for Windows Server 2003, fixed our Server 2008 and Server 2008 R2 boxes.
In December 2012, this issue occurred for many people when Microsoft messed up update KB931125 on December 11th 2012 by accidentally applying the root cert update to clients and servers, when it should've only been applied on clients. This added hundreds of 3rd-party root certificates to the trusted root certs list on servers, causing problems like you showed.
Took me long enough to find it, but MS has an article and fix available at KB2801679 "SSL/TLS communication problems after you install KB 931125". The faulty update has since been expired on Windows Update and WSUS, but if you've already applied it, you can clean up the root cert list by running the Fix-it provided in the article on all affected servers.
I think it fixes the cause in a cleaner way than the registry hacks or manual cert cleanup mentioned above.
If you'd prefer to perform it manually, the fix is essentially to delete all 3rd-party root certs, after which any required ones are automatically recreated from Windows Update. Just make sure you've synced WSUS and accepted the expiration for KB931125.
The Fix-it seems to work for me, without a reboot or other updates. I removed the registry modification mentioned in Jason's answer and was still able to authenticate Wi-Fi via NPS.
Root Certificates!! You have too many being sent hence "badly formed". Remove the expired ones and shrink the list as much as you can and it will start to work again.
http://support.microsoft.com/kb/933430. I used Method 3 and was back up and running.
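A read-only check for the condition the answers above describe, added here as an example and not taken from any of the posts: it estimates how large the trusted issuer list sent by the NPS server would be and reports whether sending it is disabled. The registry value name `SendTrustedIssuerList` and the 16 KB limit are assumptions not stated in the thread; verify both against KB933430 and KB2801679 for your Windows version.

```powershell
# Added diagnostic example (read-only). Assumptions, not from the thread:
# the SCHANNEL value name below and the 16 KB default limit.
param(
    [int]$LimitBytes = 16384   # assumed maximum size of the issuer list
)

$now   = Get-Date
$roots = @(Get-ChildItem Cert:\LocalMachine\Root)

# Each trusted root contributes its DER-encoded subject name plus a
# 2-byte length prefix to the certificate_authorities list that the
# server sends in the TLS CertificateRequest message.
$rows = @(foreach ($c in $roots) {
    New-Object PSObject -Property @{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        Expired    = ($c.NotAfter -lt $now)
        ListBytes  = $c.SubjectName.RawData.Length + 2
    }
})

$total = 0
foreach ($r in $rows) { $total += $r.ListBytes }
$expired = @($rows | Where-Object { $_.Expired })

# Value is $null when the registry entry has not been created.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$val = (Get-ItemProperty -Path $key -Name SendTrustedIssuerList `
        -ErrorAction SilentlyContinue).SendTrustedIssuerList

"Trusted roots in LocalMachine\Root : {0}" -f $rows.Count
"Expired roots                      : {0}" -f $expired.Count
"Estimated issuer list size (bytes) : {0} (limit {1})" -f $total, $LimitBytes
if ($val -eq $null) {
    "SendTrustedIssuerList              : not set"
} else {
    "SendTrustedIssuerList              : {0}" -f $val
}

if (($total -gt $LimitBytes) -and ($val -ne 0)) {
    Write-Warning "Issuer list exceeds the limit and is still being sent."
}

# Expired roots are the first candidates for cleanup.
$expired | Sort-Object NotAfter |
    Select-Object NotAfter, Thumbprint, Subject | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the NPS server before and after applying the Fix-it or the registry change, and compare the reported size.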