"A certificate could not be found" when configuring EAP on IAS/RADIUS/NPS on a 2008 R2 Domain Controller
Issue
When configuring EAP in Network Policy Server (IAS/RADIUS) on a Windows Server 2008 R2 Domain Controller, under Network Policies | Constraints | Authentication Methods | Microsoft: Protected EAP (PEAP) | Add, the following warning is reported:
"Cannot configure EAP
A certificate could not be found that can be used with this Extensible Authentication Protocol"
Using the Certificates (Local Computer) MMC Snap-in, a valid Domain Controller Authentication certificate is seen.
Requesting a Domain Controller certificate works, but the certificate is removed at the next Group Policy refresh because it is superseded by the Domain Controller Authentication certificate, which breaks EAP.
Resolution
The Domain Controller Authentication certificate is not valid for EAP because the template specifies no subject, and a subject is a requirement for EAP:
Certificate Requirements for PEAP and EAP
http://technet.microsoft.com/en-us/library/cc731363.aspx
"If you issue a certificate to your server running Network Policy Server (NPS) that has a blank Subject name, the certificate is not available to authenticate your NPS server."
The template must be updated on the issuing Certificate Authority so that it issues a certificate with a subject. This is only possible on Enterprise Edition of Windows Server 2008 R2.
From the Certificate Authority MMC console:
- Right click on Certificates and select Manage from the context menu
- Double click on the Domain Controller Authentication template
- Select the Subject Name tab
- Select DNS Name for Subject name format
- Click OK
From the DC/NPS Server:
- gpupdate /force
- Renew the certificate from the Certificates (Local Computer) MMC Snap-in.
- Double click on the reissued certificate
- Select the Details tab
- Check the Subject field is not blank
The certificate should now be available for selection.
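The final check can also be scripted. The following is an added example, not part of the original article: a read-only PowerShell report of the Local Computer certificate store that flags a blank Subject, the condition described above. The Server Authentication EKU, private key and validity-date checks are assumptions taken from general PEAP server certificate requirements rather than from this page, and the script avoids features newer than the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example: list Local Computer certificates and say why each one
# would or would not be offered for PEAP. Read-only; run elevated on the NPS server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (assumed requirement)
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension
$now           = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect EKU OIDs from the Enhanced Key Usage extension, if present.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # Show the SAN so a certificate that has a DNS name but a blank Subject is obvious.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }

    # Build the list of reasons the certificate would be rejected.
    $problems = @()
    if ([string]::IsNullOrEmpty($cert.Subject)) { $problems += 'blank Subject' }
    if ($ekuOids -notcontains $serverAuthOid)   { $problems += 'no Server Authentication EKU' }
    if (-not $cert.HasPrivateKey)               { $problems += 'no private key' }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += 'outside validity period'
    }

    $status = if ($problems.Count -eq 0) { 'OK' } else { $problems -join '; ' }

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        SAN        = $san
        NotAfter   = $cert.NotAfter
        EapStatus  = $status
    }
} | Select-Object Thumbprint, Subject, SAN, NotAfter, EapStatus | Format-List
```

A Domain Controller Authentication certificate issued before the template change shows "blank Subject" with a populated SAN; after renewal it should show "OK".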
References
Products
Microsoft Windows Server 2008 R2 SP1
Microsoft Windows Server 2008 R2 RTM
Created: 14th April 2011
Updated: 14th April 2011
© 2005-2024 Jamie Morrison