Our primary NPS (2008R2) authenticating against AD has been working a long time. The cert expired and that server was recently patched. The cert was renewed, installed and the policy updated to start using it. Sometime between all of this (COVID-19, no one in the office to notice) Windows 10 clients can no longer connect, and the logs on the NPS server show the right clients/policy/etc. but always deny access based on:
Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
If I test auth from the Meraki portal using that same u/p it works fine. If I push auth to another RADIUS server in our environment those Windows 10 clients can connect without issue. Obviously, different server, different cert but identical policies. I have tried everything: recreating the policy, updating the pre-shared key, disabling cert check on local clients, enabling TLS 1.2, but nothing seems to matter.
Note OSX/Android have no issues connecting via the same policy/NPS server. It just seems to be Windows 10 machines.
Does anyone have any ideas that can help me figure this out?
Password complexity didn't change, and if it was that I would assume it would be across the board, but it isn't. It's just this single NPS server. Same CA, DigiCert. The only thing we have seen in the packet captures showed some TLS mismatches between Windows clients and the NPS server, but even when enabling 1.2, which the Windows clients appear to be using, it made no difference.
Thanks, but I didn't install the cert, another team did, so I can't say if it was installed right or wrong. But all of this would lead me to believe it is cert related.
First link doesn't apply as we aren't using Win7 clients, all Win10 and OSX. Second link looks promising because when I look at the recently renewed/installed cert on the NPS server it has no KEY whereas the previous ones did. Checking with the team that manages that aspect right now.
OK, cert was installed without the key which broke auth for Win10 clients. OSX and Android were able to auth without issue regardless of whether the key was installed on the NPS server. Once the cert + key were reinstalled it started working (had to stop/start NPS).
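The root cause in this thread is a server certificate sitting in the NPS machine store without its private key, which PEAP on Windows 10 rejects while other supplicants tolerate it. The following PowerShell snippet is an added example, not something from the thread, that an admin can run on the NPS box to catch that condition before clients start failing: it lists every certificate in the machine Personal store that carries the Server Authentication EKU and flags any that is expired, about to expire, or has no private key bound to it. The NPS service name `IAS` and the `$CertSubjectHint` filter are assumptions you may need to adjust for your environment.

```powershell
# Added example (not from the original thread): audit the NPS server's machine
# certificate store for a usable EAP server certificate, i.e. one that is in
# validity, has the Server Authentication EKU, and has its private key present.
# Assumptions: the NPS service is named "IAS" (the Windows default), and
# $CertSubjectHint is a substring of the expected certificate subject.

$CertSubjectHint = 'nps'          # assumption: adjust to your server's CN
$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'
$WarnDays        = 30

function Test-NpsServerCertificate {
    param(
        [string]$SubjectHint = $CertSubjectHint,
        [int]$ExpiryWarnDays = $WarnDays
    )

    $now   = Get-Date
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid -and
            $_.Subject -like "*$SubjectHint*"
        }

    if (-not $certs) {
        Write-Warning "No Server Authentication certificate matching '$SubjectHint' found in LocalMachine\My."
        return $null
    }

    foreach ($cert in $certs) {
        $daysLeft = [int]($cert.NotAfter - $now).TotalDays
        $problems = @()

        # PEAP/EAP-TLS cannot work if NPS has no private key for the cert.
        if (-not $cert.HasPrivateKey) { $problems += 'NO PRIVATE KEY' }
        if ($cert.NotAfter -lt $now)  { $problems += 'EXPIRED' }
        elseif ($daysLeft -le $ExpiryWarnDays) { $problems += "expires in $daysLeft days" }
        if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Status        = if ($problems) { $problems -join '; ' } else { 'OK' }
        }
    }
}

# Run the audit and print the result.
$report = Test-NpsServerCertificate
$report | Format-Table -AutoSize

# If a usable cert was found, show the NPS service state; the thread notes a
# stop/start of NPS was needed after re-importing the cert with its key.
if ($report | Where-Object Status -eq 'OK') {
    Get-Service -Name IAS | Select-Object Name, Status
    # To apply a newly imported cert + key:  Restart-Service -Name IAS
}
```

If the audit reports `NO PRIVATE KEY`, re-import the certificate as a PFX that includes the key (or run `certutil -repairstore my <thumbprint>` when the key pair exists on the machine but lost its binding), then restart the NPS service and re-select the certificate in the network policy's PEAP settings.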