Windows10 machines no longer able to connect

mak2018
Here to help

Windows10 machines no longer able to connect

have a strange issue. 

 

Are primary NPS (2008R2) authenticating against AD has been working a long time.  The cert expired and that server was recently patched. Cert was renewed, installed and the policy updated to start using it.  Sometime between all of this (COVID-19 no one in the office to notice) Windows10 clients can no longer connect and the logs on the NPS server show the right clients/policy/etc.. but always deny access based on:

 

 

 

	Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

 

 

If I test auth from the Meraki portal using that same u/p it works fine.  If I push auth to another radius server in our environment those Windows10 clients can connect without issue.  Obviously, different server, different cert but identical policies.  I have tired everything, recreating the policy. update the pres-hared key, disabling cert check on local clients, enabling TLS1.2 but nothing seems to matter. 

 

Note OSX/Andorid have no issues connecting via the same policy/NPS server..Just seems to be windows 10 machines.  

 

Does anyone have any ideas that can help me figure this out?   

7 Replies 7
ammahend
Building a reputation

had a similar issue with me, it was limitation on password complexity, can you set an account with a simpler password and try. Also is the new cert signed by the same CA as before ?

 

mak2018
Here to help

Password complexity didn't change and if it was that I would assume it would be across the board but it isn't.  Its just this single NPS server.  Same CA digicert.  The only thing we have seen in the packet captures showed some TLS mismatches between windows clients and the NPS server but even when enabling 1.2 which the Windows clients appear to be using it made no difference.  

 

At my wits end here.  

SoCalRacer
Kind of a big deal
mak2018
Here to help

Thanks but I didnt install the cert, another team did so I can't say if it was installed right or wrong. But all of this would lead me to believe it is cert related.

First link doesn't apply as we aren't using win7 clients, all win10 and OSX. Second link looks promising because when I look at the recently renewed/installed cert on the NPS server it has no KEY whereas the previous ones did. Checking with the team that manages that aspect right now.
mak2018
Here to help

Ok, cert was installed without the key which broke auth for win10 clients.  OSX and Android were able to auth without issue regardless of whether they key was installed on the NPS server.  Once the cert + key were reinstalled it started working (had to stop/start NPS).  

 

Hopefully this helps someone in the future.  

PhilipDAth
Kind of a big deal
Kind of a big deal

Which certificate expired - your CA certificate (big implications) or the NPS server certificate (minor implications)?

GIdenJoe
Kind of a big deal
Kind of a big deal

A customer of mine did not have an expiring cert, but after a windows update, the cert was replaced by a wildcard for some bizarre reason.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels