I'm currently moving our authentication off of a Cisco ISE to a Windows NPS server. Each machine uses a certificate from our CA to authenticate and has worked on the ISE with no issues. We now are moving most services (maybe all eventually) to Microsoft Azure and so my boss wanted to set up an NPS server there. We also have a vMX100 in Azure so all traffic is sent to Azure through the Meraki VPN.
I set up an MX68CW at my desk and configured it with a test SSID that was set to authenticate with the new NPS. It's a pretty simple policy in the NPS, just matches 802.1x and then does a certificate exchange. The NPS has a certificate from our CA as well and is set to use that to authenticate itself to the client. It worked fine on my test MX68CW. I joyfully told my boss and he gave me the go-ahead to set it up on all our branches. The clients at the first branch I set it up on wouldn't authenticate. The NPS gave me this error:
Reason code: 22
The client could not be authenticated because the Extensible Authentication Protocol type cannot be processed by the server.
But when I use my test MX68CW again, it still works fine there. I tried a few other locations, some with MX68CW, some with MR52/55, but it always generates this error. With the MX68CWs I can't really change that many settings, so the EAP type shouldn't be different. I just have the NPS clients set up in subnets, so not individual devices, and it's matching that fine. I am at a loss. I don't know what to check because it works for exactly one device that I have tried and since it's not working for any actual production devices that I've tried, I'm unsure about trying anymore.
I had the thought that maybe I needed to reboot the wireless devices after I change the setting. So I went in earlier today to try that. Deleted the ISE entry and added the NPS and let it sit for about a minute so the dashboard would push the setting change, then rebooted. After it came back it did attempt to authenticate on the NPS but I still got the same error for the 2 wireless devices at that location. I rebooted it once more, and when it came back up for some reason it authenticated with the Cisco ISE, even though that is not even configured in dashboard now. It was previously configured with the ISE, but I deleted that. Did the new config not get completely committed or something?
Maybe this is too much information, but I try to always list everything I've done and everything I've experienced, just in case something clues someone in on something.
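A check that helps narrow a reason code 22 like the one above, as an added example and not part of the original post: on the NPS itself, pull the "denied access" audit events (Security log, Event ID 6273) and tabulate reason code and EAP type per NAS, so the sites that fail can be compared with the one that works. The event XML field names used here (NASIPv4Address, ClientIPAddress, NetworkPolicyName, AuthenticationType, EAPType, ReasonCode) are assumptions to confirm against one real event on your server.

```powershell
# Added example (not from the post). Run on the NPS as an administrator; NPS accounting
# must be logging to the Windows event log (Security log, Event ID 6273 = access denied).
# Field names below are assumed from the 6273 event XML; verify with:
#   (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273} -MaxEvents 1).ToXml()
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    # Flatten <Data Name="...">value</Data> pairs into a hashtable keyed by field name
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        NAS        = $d['NASIPv4Address']      # the MX/MR that relayed the request
        Client     = $d['ClientIPAddress']     # which RADIUS client (subnet) entry matched
        Policy     = $d['NetworkPolicyName']
        AuthType   = $d['AuthenticationType']
        EAPType    = $d['EAPType']
        ReasonCode = $d['ReasonCode']
    }
}

# One line per NAS / EAP type / reason code. A site whose EAP type differs from the
# working MX68CW, or that shows no EAP type at all, is the first place to look.
$rows | Group-Object NAS, EAPType, ReasonCode |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'NAS / EAP type / reason'; e = { $_.Name } } |
    Format-Table -AutoSize

# Full detail of the reason code 22 failures only, newest first
$rows | Where-Object ReasonCode -eq '22' | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the failing sites show a different EAP type (or none) than the working test MX, compare the SSID's RADIUS settings per site in Dashboard and the EAP types enabled on the NPS network policy's constraints before changing anything else.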