Trouble with NPS RADIUS Authentication for One User

Asked By TechyNerd99 On

Hey everyone! I'm facing a peculiar problem with one of our users regarding RADIUS authentication. I've set up a RADIUS server and configured it to provide network access based on a Windows group that contains the necessary computer objects. Most users are able to connect effortlessly with just a click on the WiFi SSID, and the NPS logs confirm that their connections are authorized based on their group membership. However, one user is having issues. When he attempts to connect, it prompts him for a username and password, even though his computer is in the same group as everyone else. I tried using ChatGPT and Gemini for troubleshooting, but no luck. Has anyone else encountered a similar issue?

3 Answers

Answered By CertWizard55 On

Also, make sure the computer has the necessary certificate for machine authentication set up. That might be causing the fallback to user authentication. Let me know if you find out!

TechyNerd99 -

I will check that and let you know as soon as I can!

Answered By NetworkGuru42 On

It sounds like you're running into a common Windows authentication problem where that specific machine isn't using machine authentication, which is why it's asking for user credentials. Here are some things you can check:

1. **Computer Account Issues**: Make sure the computer account password is in sync. Run `nltest /sc_verify:DOMAIN` to check the secure channel and reset it if necessary with `nltest /sc_reset:DOMAIN`.

2. **Group Policy**: It's worth running `gpupdate /force`, rebooting, and then checking if the wireless policy applied correctly with `rsop.msc`.

3. **Certificates**: Confirm that the machine certificate isn't missing or expired. Use `certlm.msc` to check the certificates in the Personal and Trusted Root stores.

4. **WLAN AutoConfig**: Restart the "WLAN AutoConfig" service if it's having issues and make sure it's set to start automatically.

To quickly diagnose, check the domain trust and group membership, review event logs for authentication errors, and compare policies between the working and non-working machines using `gpresult /h report.html`.

For a quick fix, you can try removing and re-adding the wireless profile with the command `netsh wlan delete profile name="SSID_NAME"` and reboot the machine.

FixItFelix89 -

While we wait to see if those checks help, I found out that my colleague took that computer for a complete reinstallation. This should cover a lot of your suggestions, including rejoining the domain, which I think will resolve the trust issues and certificate problems.
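
The checks from NetworkGuru42's answer (secure channel, machine certificate, WLAN AutoConfig, event log), collected into one read-only script as an added example that is not part of the original thread. It assumes an elevated Windows PowerShell 5.1 session on the affected domain-joined client, and that the machine certificate is expected to carry the Client Authentication EKU; the variable names are illustrative.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on the client.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU OID for Client Authentication
$now = Get-Date

# 1. Secure channel to the domain (what nltest /sc_verify checks)
$secureChannelOk = Test-ComputerSecureChannel

# 2. Machine certificates in the Personal store of the local computer
$machineCerts = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $ekus = @($_.EnhancedKeyUsageList | Where-Object { $_ } |
              ForEach-Object { $_.ObjectId })
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        InValidity    = ($_.NotBefore -le $now -and $_.NotAfter -gt $now)
        HasPrivateKey = $_.HasPrivateKey
        # A certificate without an EKU extension is valid for every purpose
        ClientAuth    = ($ekus.Count -eq 0 -or $ekus -contains $clientAuthOid)
    }
}
$usableCerts = @($machineCerts |
    Where-Object { $_.InValidity -and $_.HasPrivateKey -and $_.ClientAuth })

# 3. WLAN AutoConfig service state and start type
$wlanSvc = Get-Service -Name WlanSvc

# 4. Recent errors (level 2) and warnings (level 3) from the WLAN client log
$wlanEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WLAN-AutoConfig/Operational'
    Level   = 2, 3
} -MaxEvents 10 -ErrorAction SilentlyContinue

# Summary: any False or 0 here is the first thing to compare with a working PC
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    SecureChannelOk  = $secureChannelOk
    UsableCertCount  = $usableCerts.Count
    WlanSvcStatus    = $wlanSvc.Status
    WlanSvcStartType = $wlanSvc.StartType
    RecentWlanErrors = @($wlanEvents).Count
} | Format-List

$machineCerts | Format-Table Subject, NotAfter, InValidity, HasPrivateKey, ClientAuth
$wlanEvents   | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
```

Running it on one working machine and on the failing one gives two summaries to compare side by side, alongside the `gpresult /h report.html` comparison suggested in the answer.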

Answered By SysAdminSvetlana On

Have you checked that the AD object isn’t set to Deny in the Dial-in policy? It should be set for full access, not to just use NPS. Just something to look into!

TechyNerd99 -

I checked that already, and it’s set to full access. I even tried allowing NPS to make the decision, but I’m still getting the same error. The event viewer is pointing to that error as you mentioned, but it seems very vague.
