Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About mak2018
mak2018
Here to help
Member since Apr 11, 2018
12-16-2021
Community Record
13
Posts
0
Kudos
0
Solutions
Badges
12-15-2021
06:16 AM
We have been using Meraki for years and all of a sudden last week Windows 10 clients weren't able to connect. Auth would succeed on the Windows NPS server but on the client side they would get a message saying "Cant connect to this network" or something to that affect. OSX clients can connect without issue. Support team found that unchecking 'verify server certificate' allowed them connect. So the ops team updated both certs and restarted NPS but still some users are getting the same message and unchecking that setting allows them to connect. Does anyone have any idea what can be done on those Windows 10 clients to allow them to verify the cert and connect? The cert is valid and the only think I can think of is something changed on those win10 clients that is preventing them installing or validating a new cert? Note that we have always had a cert on the NPS server and this was never an issue until last week.
... View more
05-05-2020
01:51 PM
Ok, cert was installed without the key which broke auth for win10 clients. OSX and Android were able to auth without issue regardless of whether they key was installed on the NPS server. Once the cert + key were reinstalled it started working (had to stop/start NPS). Hopefully this helps someone in the future.
... View more
05-05-2020
11:14 AM
Thanks but I didnt install the cert, another team did so I can't say if it was installed right or wrong. But all of this would lead me to believe it is cert related. First link doesn't apply as we aren't using win7 clients, all win10 and OSX. Second link looks promising because when I look at the recently renewed/installed cert on the NPS server it has no KEY whereas the previous ones did. Checking with the team that manages that aspect right now.
... View more
05-05-2020
11:08 AM
Password complexity didn't change and if it was that I would assume it would be across the board but it isn't. Its just this single NPS server. Same CA digicert. The only thing we have seen in the packet captures showed some TLS mismatches between windows clients and the NPS server but even when enabling 1.2 which the Windows clients appear to be using it made no difference. At my wits end here.
... View more
05-05-2020
10:50 AM
have a strange issue. Are primary NPS (2008R2) authenticating against AD has been working a long time. The cert expired and that server was recently patched. Cert was renewed, installed and the policy updated to start using it. Sometime between all of this (COVID-19 no one in the office to notice) Windows10 clients can no longer connect and the logs on the NPS server show the right clients/policy/etc.. but always deny access based on: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect. If I test auth from the Meraki portal using that same u/p it works fine. If I push auth to another radius server in our environment those Windows10 clients can connect without issue. Obviously, different server, different cert but identical policies. I have tired everything, recreating the policy. update the pres-hared key, disabling cert check on local clients, enabling TLS1.2 but nothing seems to matter. Note OSX/Andorid have no issues connecting via the same policy/NPS server..Just seems to be windows 10 machines. Does anyone have any ideas that can help me figure this out?
... View more
02-11-2019
08:13 AM
What do you want to know exactly? What settings are changed where? I don't follow your question. Like I said Win10 cannot create the profile by itself when a user attempts to connect for the first time. It has to be created manually and that is the problem I am trying to solve. FWIW I asked the help desk team for the settings they are using and will share them.
... View more
02-09-2019
01:01 PM
PEAP man and its from digicert or thawte IIRC. Dont know the settings as I am not on the helpdesk but the fact remains something with Win10 and the NPS/CERT is causing an issue. Manually creating the profile or pushing out via GPO doesn't solve the issue at hand, its just a workaround.
... View more
02-08-2019
12:50 PM
Nope because it doesn't even get far enough to create the profile automatically in Win10. It just fails to connect without creating a profile. Trying to make this work so no manual intervention is needed.
... View more
02-08-2019
12:38 PM
We have our coporate SSID that seems to simply not work on Windows10 clients. Help desk has to manually configure the profiles on Win10 boxes in order to allow them to connect. We have tested this ad nausea and from what I gather when a win10 user attempts to connect and authentication is pushed to an NPS server using a wildcard certificate an error 16 is thrown on the NPS server. But if I use the same u/p from the meraki portal to test authentication it works fine. Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect. If we push AUTH to an NPS server using a cert that matches its name it works without issue. OSX doesn't have this issue, just windows. Has anyone seen this before?
... View more
04-12-2018
11:41 AM
Yes and no, server name isn't but the domain is. We use split dns my man. I am good now, just wanted to know what my options were. Been using Meraki + NPS + public certs for a long time.
... View more
04-12-2018
11:32 AM
Initially tried to use an existing wildcard (not the norm) but in the end just bought one with the server name itself.
... View more
04-11-2018
03:58 PM
Been using Meraki and NPS for sometime. Usually get a digicert installed on the NPS and users need to accept the cert the first time when authenticating. Is there a way to just allow them to authenticate and validate the cert without them having to accept it?
... View more
