I have a strange issue.
Our primary NPS (2008R2) authenticating against AD has been working for a long time. The cert expired and that server was recently patched. The cert was renewed, installed, and the policy updated to start using it. Sometime between all of this (COVID-19, no one in the office to notice) Windows 10 clients can no longer connect, and the logs on the NPS server show the right clients/policy/etc., but always deny access based on:
Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
If I test auth from the Meraki portal using that same u/p it works fine. If I push auth to another RADIUS server in our environment those Windows 10 clients can connect without issue. Obviously, different server, different cert, but identical policies. I have tried everything: recreating the policy, updating the pre-shared key, disabling cert check on local clients, enabling TLS 1.2, but nothing seems to matter.
Note OSX/Android have no issues connecting via the same policy/NPS server. It just seems to be Windows 10 machines.
Does anyone have any ideas that can help me figure this out?
I had a similar issue; it was a limitation on password complexity. Can you set an account with a simpler password and try? Also, is the new cert signed by the same CA as before?
Sounds like an issue on the server side, probably a cert issue in the way it was installed/trusted/set up. Have you reviewed the below links?
Password complexity didn't change, and if it was that I would assume it would be across the board, but it isn't. It's just this single NPS server. Same CA, DigiCert. The only thing we have seen in the packet captures showed some TLS mismatches between Windows clients and the NPS server, but even when enabling 1.2, which the Windows clients appear to be using, it made no difference.
At my wits' end here.
OK, the cert was installed without the key, which broke auth for Win10 clients. OSX and Android were able to auth without issue regardless of whether the key was installed on the NPS server. Once the cert + key were reinstalled it started working (had to stop/start NPS).
Hopefully this helps someone in the future.
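The root cause above (a server certificate present in the NPS machine store but without its private key) is easy to miss because the certificate still shows up and can still be selected in the network policy. The following PowerShell check is an added example, not something posted in the thread; it lists every certificate in the local machine Personal store that carries the Server Authentication EKU and flags whether a private key is actually attached and the certificate is still valid. The OID 1.3.6.1.5.5.7.3.1 is the standard id for Server Authentication; no other values are assumed.

```powershell
# Added example (not from the thread): audit LocalMachine\My for certificates
# NPS could use for PEAP/EAP-TLS and flag ones missing a private key.
# A cert imported from a .cer/.crt only (no .pfx) will show HasPrivateKey = False,
# and Windows 10 clients will fail exactly as described in the posts above.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (standard OID)

function Get-NpsCandidateCert {
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $isServerAuth = $false
        if ($ekuExt) {
            $isServerAuth = ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid
        }
        $notExpired = $cert.NotAfter -gt (Get-Date)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            ServerAuth    = $isServerAuth
            HasPrivateKey = $cert.HasPrivateKey
            # Usable only if it is a server-auth cert, still valid, and the key is present
            UsableForNps  = $isServerAuth -and $notExpired -and $cert.HasPrivateKey
        }
    }
}

Get-NpsCandidateCert |
    Where-Object { $_.ServerAuth } |
    Sort-Object UsableForNps -Descending |
    Format-Table Subject, Thumbprint, NotAfter, HasPrivateKey, UsableForNps -AutoSize
```

Run it in an elevated prompt on the NPS server. A row with `HasPrivateKey` False for the certificate referenced in the network policy is the condition the thread resolved; the fix is to re-import the certificate together with its key (for example from the original .pfx, or with `certutil -repairstore my <thumbprint>` if the key pair still exists on that machine) and then restart the Network Policy Server service (`Restart-Service IAS`) so NPS picks up the key.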
Which certificate expired: your CA certificate (big implications) or the NPS server certificate (minor implications)?
A customer of mine did not have an expiring cert, but after a Windows update the cert was replaced by a wildcard for some bizarre reason.