I've been using EAP-TLS authentication for wireless client devices without any issues for months, but after updating my NPS server last night, the certificate authentication suddenly stopped working. All my certificates are still valid, including the root, issuer, server, and client certificates. I found that falling back to PEAP MSCHAPv2 works, which is great, but I'm stuck on this problem with EAP-TLS.
In the event log, I'm seeing event 6273 with reason code 16, indicating "Authentication failed due to a user credentials mismatch." On the client side, the logs show event 12013 with "Wireless 802.1x authentication failed" and an error code of 0x40420110, stating there's a user account problem, followed by event 11006 noting "Explicit EAP failure received." I'm at a loss for what steps to take next.
As an update, I managed to resolve the issue by deleting and reissuing the client certificates using the command "certutil -pulse." Still, I'd love to understand what caused this behavior in the first place, especially since we're planning to transition all clients to EAP-TLS authentication soon. It could have led to serious problems if I hadn't had a backup plan with MSCHAPv2.
1 Answer
I experienced something similar recently. It turned out that certificate authentication wasn't actually happening correctly; it was defaulting to NTLM behind the scenes instead. To make sure the certificate authentication is truly operational, I had to set up a wireless profile using GPO. You can check out related discussions in other forums for more details!
When I looked back at the old event logs, they were showing event 6272, which detailed that EAP was actually being used with the correct certificate types. So, it seems like the certs were indeed working before the update.
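The check both posts rely on is reading NPS events 6272 (granted) and 6273 (denied) and looking at which EAP type actually authenticated each session. The script below is an added example, not code from either poster; it runs on the NPS server and summarises those events so a deployment that "works" can be checked for silent fallback to PEAP-MSCHAPv2, and denials with reason code 16 can be listed. The event data field names used (SubjectUserName, AuthenticationType, EAPType, ReasonCode) and the "Smart Card or other certificate" wording for EAP-TLS are assumptions based on the NPS audit event schema, so verify them against one of your own 6272 events before relying on the filter.

```powershell
# Added example (not from the thread): summarise NPS 6272/6273 audit events
# to confirm which EAP type really authenticated each wireless session.
# Requires an elevated prompt on the NPS server and NPS auditing enabled
# (check with: auditpol /get /subcategory:"Network Policy Server").
# Field names below are assumed from the NPS event schema.

param(
    [int]$Hours = 24
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No NPS 6272/6273 events found in the last $Hours hours."
    return
}

# Read a named field from the event XML instead of scraping the message text.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Result   = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
        User     = Get-EventField $e 'SubjectUserName'
        AuthType = Get-EventField $e 'AuthenticationType'
        EAPType  = Get-EventField $e 'EAPType'
        Reason   = Get-EventField $e 'ReasonCode'
    }
}

# Granted sessions whose EAP type is not the certificate method: these are
# the silent fallbacks the answer describes (PEAP-MSCHAPv2 where EAP-TLS
# was expected). The EAP-TLS display name is assumed to contain "Certificate".
$fallback = $rows | Where-Object {
    $_.Result -eq 'Granted' -and $_.EAPType -notmatch 'Smart Card|Certificate'
}

# Denials with reason code 16 (credential mismatch), the symptom in the question.
$reason16 = $rows | Where-Object { $_.Result -eq 'Denied' -and $_.Reason -eq '16' }

"Granted sessions by EAP type:"
$rows | Where-Object Result -eq 'Granted' |
    Group-Object EAPType | Select-Object Count, Name | Format-Table -AutoSize

"Granted without EAP-TLS ($($fallback.Count)):"
$fallback | Format-Table Time, User, AuthType, EAPType -AutoSize

"Denied with reason code 16 ($($reason16.Count)):"
$reason16 | Format-Table Time, User, AuthType, EAPType -AutoSize
```

Run it once before a change such as an NPS update and once after; if the "Granted without EAP-TLS" list is non-empty in a fleet that is supposed to be certificate-only, the clients in it are authenticating with something other than their certificates, which is exactly the condition the answer found hiding behind a working login.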