Channel: Network Access Protection forum

EAP-TLS Failure with Windows-XP STA & Win-2012 NAS

Hi,

I'm facing a weird problem. I've installed Active Directory, CA & NPS on a single machine.

I've generated a user certificate and also copied the CA certificate to the client Windows XP machine and installed them into the "Personal" and Trusted Root CA locations. When I create a profile and connect through WZC, the RADIUS server rejects with reason: "An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors."

To debug, I've set up another client machine with Windows 7. I installed the same certificates that I installed on the Windows XP client and created a profile to connect. And it just connects without any issue.

I'm not sure what the above error means in the Win-XP case, or how to check the EAP log files for EAP errors. I've tried enabling tracing for ras and looked for logs in c:\windows\tracing. But I see all the files were almost 0KB, with no useful information at all.

Can you help me debug this problem? Please see the snippet from Event Viewer.

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            NULL SID
    Account Name:            wifiuser@qcsr.com
    Account Domain:            QCSR
    Fully Qualified Account Name:    QCSR\wifiuser

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        00904c130f31
    Calling Station Identifier:        00037f104912

NAS:
    NAS IPv4 Address:        192.165.122.1
    NAS IPv6 Address:        -
    NAS Identifier:            00904c130f31
    NAS Port-Type:            Wireless - IEEE 802.11
    NAS Port:            11

RADIUS Client:
    Client Friendly Name:        BROADCOM
    Client IP Address:            192.165.122.1

Authentication Details:
    Connection Request Policy Name:    NAP 802.1X (Wireless)
    Network Policy Name:        -
    Authentication Provider:        Windows
    Authentication Server:        BANRADSVR01.qcsr.com
    Authentication Type:        EAP
    EAP Type:            Microsoft: Smart Card or other certificate
    Account Session Identifier:        -
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            23
    Reason:                An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

