WPA2 Enterprise authenticated via RADIUS works fine for all clients except Windows ones

  • Question
  • Updated 2 years ago
I have been trying to set up one wireless network for all of my users in an attempt to streamline onboarding.

I have one network which is set up to use WPA / WPA2 802.1X CCMP (AES) with an external RADIUS server for authentication.

I have set up an external RADIUS server as a common object (the RADIUS server in question being a Server 2008 R2 server using NPS).

I have set all this up, and using an iOS, OS X or Android device, it works as intended. You pick the network, get prompted to enter your domain credentials, and as long as you are in the correct AD group, you get onto the network. However, if I try and log in with a Windows machine (7, 8.1 or 10), I get a "Can't connect to this network" pop-up almost straight away. The clients I am currently testing with are not members of the domain; however, domain machines are seeing the same issue. These connection attempts do not appear in the Event Log for NPS.

Here are some screenshots of my NPS config:

The cert we are using is self-signed by our CA.

Any ideas? It's so frustrating that all the "extra" devices on my network are fine, but my core of Windows laptops are having no luck!

James Bray

Posted 2 years ago

Rob Burgoyne

It could be that the Windows machines don't trust your CA for the RADIUS server cert. You might have to uncheck the box that says "verify server cert" in the network profile in network settings. If this is a BYOD environment I would consider using a commercial cert for RADIUS, where they trust the CA already. If they are domain machines you may need to push the certs out via GPO.

Scott Farrand

How did you generate the self-signed certificate? (Is this via a CA in your Windows domain?)

Are these clients members of the domain?

The best solution may be to deploy a commercial certificate for RADIUS... iOS and Android will allow you to easily ignore self-signed certificates where Windows is more picky...

Note that I use a 2012 NPS setup to authenticate users from two different domains in the same forest on the same SSID, but with different VLAN assignments... the certificate thing can be problematic... but there are solutions for that out there...

Luke Harris

I would also agree that this sounds like a certificate issue. In my deployment we don't use a certificate, as our NPS authentication is only for college-owned devices. As suggested, purchasing a commercial certificate should solve this issue.

FWIW - our BYOD solution is handled by eduroam using 802.1X or via a simple WPA2 guest registration system.
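
The replies above all point at certificate trust on the Windows side. As an added example (not part of the thread and not posted by any of its participants), the following PowerShell script, run on an affected Windows client, reports whether the RADIUS server certificate chains to a root that the machine trusts. It assumes the NPS server certificate has been exported to a `.cer` file; the path shown is hypothetical.

```powershell
# Added example: does this Windows client trust the RADIUS (NPS) server certificate?
# Assumption: the server certificate was exported from the NPS server to $CertPath.
param(
    [string]$CertPath = 'C:\Temp\nps-server.cer'   # hypothetical path
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" $CertPath

$chain = New-Object "$x509.X509Chain"
# Skip revocation so the result reflects trust only: a client that cannot
# join the network yet may have no route to the CA's CRL.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Valid       : $($cert.NotBefore) to $($cert.NotAfter)"
"Chain trusted by this machine: $trusted"

# Each status explains why the chain failed, for example UntrustedRoot
# (root found but not trusted) or PartialChain (issuer certificate missing).
foreach ($status in $chain.ChainStatus) {
    "  $($status.Status): $($status.StatusInformation.Trim())"
}

# Top of whatever chain could be built; for a private CA this should be its root.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint })

"Top of chain: $($top.Subject)"
"Present in a Trusted Root store: $inRootStore"

if (-not $trusted -and -not $inRootStore) {
    "The issuing CA's root is not trusted on this client."
    "Domain machines: distribute it via GPO. BYOD: consider a commercial certificate."
}
```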