I'm trying to get 802.1x PEAP-TLS working using computer certificates but have been unsuccessful. I am running Windows 2008 Enterprise SP1 as the DC/DNS/NPS/CA (test lab, don't freak). I have created a radius group in AD. I have set up NPS policies to allow the group through. Group policy has a Wireless 802.1x policy set up for my Netgear AP. When I have group policy set for Authentication Mode: User Authentication, I can connect from my Windows 7 laptop perfectly. When I change the Authentication Mode to Computer Authentication, run gpupdate /force from another connection and retry from the AP, it will not connect. On Windows 7, I have both the user and computer certificates installed. I have verified their purposes are correct. I have looked several times at the CA cert on the server and can't find a problem.
I've checked the logfile on the server and the event logs on both, but can't find any good clues. I ran Wireshark and see a Success at the end of the exchange for the user certificate connection, whereas on the computer certificate connection attempt, it shows Failure. It gives Code: Failure (4) Id: 5. Wireshark shows Request Identity, Start, Request Identity, Response Identity, Request TLS EAP, Client Hello, Server Hello, Response TLS-EAP, Server Hello, Certificate Client Key Exchange, Request TLS-EAP, Certificate Client Key Exchange, Change Cipher Spec Encrypted Handshake Message, Response TLS EAP, Failure.
Questions:
1. Am I correct in thinking that if this is set up correctly, ALL users can simply connect via 802.1x with nothing more than the computer certificate and log in to Windows as usual, even if no one has a user certificate?
2. Is there any better way to troubleshoot this other than the logfile in C:\Windows\System32\logfiles?
3. What can I try to troubleshoot this?
Thank you.