I have been struggling with our NPS implementation. I would greatly appreciate any assistance or suggestions anyone might have!
Goal: set up AD-authenticated security for our wireless network.
Plan: Configure NPS (dedicated Windows Server 2016) to use RADIUS to authenticate users in a specific AD security group. Use a wildcard cert from a 3rd party cert authority.
Status: Non-Windows devices can connect, so I know that NPS and the Cisco wireless controller are "talking" to each other (no problems with the preshared key). However, Windows wireless devices always kick back the same error: "Can't connect to this network."
Steps I have taken:
1. I have confirmed that the cert is installed on the client, and I have confirmed the subject lines match.
2. Tried different types of authentication (PEAP, MS-CHAPv2, etc.), no effect.
3. Tried using broader groups (domain users), no effect.
4. Checked the error log. I get an Event ID of 16, user name doesn't match or PW is incorrect. Here is the full error log, with identifying information about my organization replaced/removed:
Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: DOMAIN\user
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\user
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 20-bb-xx-xx-xx-80:CASD_802.1x
Calling Station Identifier: f8-xx-xx-xx-cc-46
NAS:
NAS IPv4 Address: 198.x.x.x
NAS IPv6 Address: -
NAS Identifier: wirelesscontroller#1
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 13
RADIUS Client:
Client Friendly Name: wirelesscontroller#1
Client IP Address: 198.X.X.X
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: server.example.com
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: 35643233383131382F66383A3539xxxxxxxxxx3A63633A34362F3135363038323031
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
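Added example, not part of the original post: a small parser for the NPS "denied access" event text pasted above, plus read-only triage checks on the parsed fields. The reason-code table is a subset written from memory, and the interpretation of "Network Policy Name: -", "EAP Type: -" and "NULL SID" is the example's own reading of the event, not something the poster stated.

```python
# Constructed sample: a trimmed copy of the poster's event text (values already
# anonymised by them); the full pasted event parses the same way.
SAMPLE_EVENT = """\
Network Policy Server denied access to a user.Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: DOMAIN\\user
Account Domain:DOMAIN
Authentication Details:
Connection Request Policy Name:Use Windows authentication for all users
Network Policy Name:-
Authentication Type:PEAP
EAP Type: -
Reason Code:16
Reason:Authentication failed due to a user credentials mismatch."""

# Assumed subset of NPS reason codes, written from memory for this example.
REASON_CODES = {16: "user credentials mismatch (user name or password)",
                48: "no network policy matched",
                66: "authentication method not enabled on the matched network policy"}

def parse_nps_event(text):
    """Return {'Section/Key': value}; a line ending in ':' opens a section."""
    fields, section = {}, ""
    for line in text.splitlines():
        if ":" not in line:
            continue                      # free-text description line
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "":                   # "User:", "NAS:", ... section headers
            section = key
            continue
        fields[f"{section}/{key}" if section else key] = value
    return fields

def triage(fields):
    """Return (tag, finding) pairs; the interpretations are the example's own."""
    ad = "Authentication Details/"
    code = int(fields[ad + "Reason Code"])
    out = [("reason", REASON_CODES.get(code, f"reason code {code} not in table"))]
    if fields.get(ad + "Network Policy Name") == "-":
        out.append(("stage", "no network policy recorded: the request was rejected "
                             "during authentication, before network policy (group) checks"))
    if fields.get(ad + "Authentication Type") == "PEAP" and fields.get(ad + "EAP Type") == "-":
        out.append(("eap", "PEAP but no inner EAP type recorded: the inner "
                           "authentication (e.g. EAP-MSCHAP v2) never completed"))
    if fields.get("User/Security ID") == "NULL SID":
        out.append(("sid", "account name was not resolved to an AD SID"))
    return out
```

Feeding the event text exported from Event Viewer into `parse_nps_event` and then `triage` gives a quick first-pass reading of where in the PEAP exchange the denial happened.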