I'm facing a strange issue where about 10 of our users can't connect their laptops to our corporate WiFi, which uses RADIUS authentication with machine certificates. When they try to connect, they're prompted for a username and password, and the option to use their Windows account is grayed out. If they select the 'connect using a certificate' option, they get a message saying they can't connect to the network. The only recent change is an update to the Cisco WLC by our partner, but no configuration changes were made. Most users are connecting without problems, so it's puzzling. I've tried standard WiFi troubleshooting methods, but when I forget the network and try to reconnect, it just says it can't connect without prompting for the certificate. Any ideas on how to resolve this?
4 Answers
We've had a few odd connectivity issues lately as well, mostly showing missing subject errors in the NPS logs. Not sure yet if they're related to certs or not. A simple reset resolved one of our issues.
Do you have a Group Policy Object (GPO) that publishes the WiFi profile to your clients, or are the WiFi settings manually configured on each laptop? Are all the users' machine certificates from the same Certificate Authority? Have you checked the logs on the RADIUS server for any clues?
I'm not super familiar with RADIUS setups, but have you checked if the laptops have the right drivers? Are they all running the same version? Also, you might want to try the old classic 'ip release and renew' command in CMD to see if that helps.
We also use RADIUS with machine certificates for WiFi authentication. Recently, one of our users faced a similar issue where their managed laptop couldn't connect. After some troubleshooting, running the command "DISM /online /cleanup-image /restorehealth" fixed the problem for them. Might be worth a shot for you too!
Thanks for the tip! I tried it, but unfortunately, it didn't resolve the issue.

No manual configurations involved; the settings and certs are part of our custom Windows image. New laptops connect automatically out of the box. All machines have the same certificate, but I don’t have access to the RADIUS servers since they're managed by the central team in another country.
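
Added example, not part of any post in this thread: a client-side check for an affected laptop that covers the questions raised above (machine certificate and issuing CA, where the WiFi profile comes from, local logs) when the RADIUS server logs are out of reach. `CorpWiFi` is a placeholder SSID, and the 24-hour window is an assumption; run it from an elevated PowerShell prompt and compare the output with a laptop that connects normally.

```powershell
# Added diagnostic sketch (not from the thread). Placeholder SSID below.
$ssid          = 'CorpWiFi'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# 1. Machine certificates that could be offered for EAP-TLS.
#    Look for: expired cert, missing private key, empty subject,
#    no Client Authentication EKU, or a chain that no longer validates.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        Subject       = $_.Subject
        SubjectEmpty  = [string]::IsNullOrWhiteSpace($_.Subject)
        Issuer        = $_.Issuer
        NotAfter      = $_.NotAfter
        Expired       = ($_.NotAfter -lt (Get-Date))
        HasPrivateKey = $_.HasPrivateKey
        # No EKU extension at all means the cert is valid for any purpose.
        ClientAuthEku = ($ekus.Count -eq 0) -or ($ekus -contains $clientAuthOid)
        ChainValid    = $_.Verify()
    }
} | Format-List

# 2. WiFi profile: is it present, and is it listed under the
#    "Group policy profiles" section or as a per-user profile?
netsh wlan show profiles
netsh wlan show profile name="$ssid"

# 3. Recent errors and warnings from the WLAN client log (last 24 hours).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WLAN-AutoConfig/Operational'
    Level     = 2, 3
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object -First 20 TimeCreated, Id, Message |
    Format-List
```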