Trouble with RADIUS Server and WHFB PIN Authentication

Asked By TechieCat95 On

Hey everyone! I hope you're all having a fantastic Friday. I've been dealing with a pesky issue related to our on-prem Windows RADIUS server for a while now, and I'm really hoping someone here can help me out. Currently, our RADIUS server is set up to handle user authentication linked to an Organizational Unit (OU), and everything runs smoothly when users log in with their passwords. However, it's a whole different story when users try to log in using Windows Hello for Business (WHFB) with a PIN. This issue seems to be affecting devices set up via Autopilot/Intune, while older devices configured on-prem work just fine. Within the RADIUS logs, I keep noticing three failed login attempts before the account gets locked in Active Directory, which is quite frustrating. It feels like the RADIUS server is failing to recognize the PIN, but when the devices are connected via Ethernet, they can access on-prem resources without any issues. This leads me to believe it's not a problem with cloud trust. Any insights or suggestions on what might be causing this would be greatly appreciated!

3 Answers

Answered By CloudySolutions On

If you have the budget for it, consider using SCEPman with RADIUSaas. With this setup, we issue certificates through Intune that the clients then use to connect to Wi-Fi, and it works seamlessly with both PCs and Macs—no separate SSID needed for Macs anymore!

Answered By NetGuru123 On

Are you using Windows NPS for your RADIUS setup? I haven’t specifically worked with WHFB and RADIUS, but with NPS, you'll likely need to install the NPS extension that allows your server to query Entra directly. Just a heads up, once you install that extension, your NPS server can only authenticate through Entra, so it might be a good idea to set up a test NPS box before making major changes to your existing server. Good luck! Getting everything to work can be quite a hassle!

CuriousTechie -

Thanks for the advice! I’ll definitely check out that extension. By the way, for users on WHFB, how do you manage Wi-Fi authentication? Are you relying on certificate authentication?

NetworkNerd -

Be careful about this approach! The extension is mainly meant for MFA prompts, particularly for VPN access, and won’t really help with 802.1x connections. It could actually complicate your setup.

Answered By SysAdminGuru On

Are you sure you’re using 802.1x password-based authentication instead of certificate-based authentication? I’ve read that WHFB in a hybrid cloud setup may have limitations with Kerberos authentication. It might be worth checking the Microsoft documentation to confirm if you need to switch to certificate-based authentication instead. Also, consider adding the 'Enable NTLMv2 Compatibility' key to your NPS server in case there’s any NTLM vs NTLMv2 compatibility issue.
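As an added example (not part of the thread, and not code from any of the posters), here is a PowerShell script to run on the NPS server as an administrator that checks the two things this answer raises. It pulls recent "Network Policy Server denied access" events (Security log, Event ID 6273), extracts the account, authentication type, EAP type and reason code from each event's message text, and summarises them so you can see whether the failing WHFB clients are arriving as PEAP-MSCHAPv2 (password-based) or EAP-TLS (certificate-based) requests, and which accounts are accumulating the three failures the question mentions. It then reads the "Enable NTLMv2 Compatibility" value. Assumptions: the event text follows the standard NPS field layout ("Account Name:", "Authentication Type:", "EAP Type:", "Reason Code:", "Reason:"); the registry path used is the IAS Parameters key that NPS reads this value from in Microsoft's NPS guidance, so verify it against your own documentation before setting it; $Hours and $SampleLimit are parameters of this script, not NPS settings.

```powershell
# Added example: summarise NPS access denials and check the NTLMv2 compatibility
# setting. Run on the NPS server in an elevated PowerShell session.
# $Hours and $SampleLimit are script parameters (assumed names), not NPS settings.
param(
    [int]$Hours = 24,        # how far back to look in the Security log
    [int]$SampleLimit = 2000 # cap on events fetched, keeps the query quick
)

# Pull one labelled field ("Label:<tab>value") out of an NPS event message.
# Returns '' when the label is not present, so summaries never fail on odd events.
function Get-NpsField {
    param([string]$Message, [string]$Label)
    $pattern = "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$"
    if ($Message -match $pattern) { return $Matches[1] }
    return ''
}

# Collect Event ID 6273 (NPS denied access) and flatten the fields we care about.
function Get-NpsDenial {
    param([int]$Hours, [int]$Max)
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Account    = Get-NpsField $e.Message 'Account Name'
            Client     = Get-NpsField $e.Message 'Client Friendly Name'
            AuthType   = Get-NpsField $e.Message 'Authentication Type'
            EapType    = Get-NpsField $e.Message 'EAP Type'
            ReasonCode = Get-NpsField $e.Message 'Reason Code'
            Reason     = Get-NpsField $e.Message 'Reason'
        }
    }
}

$denials = @(Get-NpsDenial -Hours $Hours -Max $SampleLimit)
"Denied requests in the last $Hours h: $($denials.Count)"

# 1. Which authentication method is actually failing? PEAP with EAP-MSCHAP v2
#    means the client is presenting a password credential; EAP-TLS means a
#    certificate. This is the distinction the answer above asks about.
"`n== Denials by authentication type / EAP type =="
$denials | Group-Object AuthType, EapType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Which accounts and reasons account for the repeated failures? Three or
#    more denials for one account is the pattern the question describes before
#    the AD lockout.
"`n== Accounts with 3+ denials, by reason =="
$denials | Group-Object Account, ReasonCode, Reason | Where-Object Count -ge 3 |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# 3. NTLMv2 compatibility on this NPS server (assumed path: IAS Parameters key).
"`n== Enable NTLMv2 Compatibility =="
$iasKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\IAS\Parameters'
$value = (Get-ItemProperty -Path $iasKey -ErrorAction SilentlyContinue).'Enable NTLMv2 Compatibility'
if ($null -eq $value) { 'Value not present; NPS default behaviour applies.' }
else { "Enable NTLMv2 Compatibility = $value" }

# To set it as the answer suggests, then restart NPS (service name IAS):
#   New-ItemProperty -Path $iasKey -Name 'Enable NTLMv2 Compatibility' `
#       -PropertyType DWord -Value 1 -Force
#   Restart-Service -Name IAS
```

Read the first table before touching anything: if the WHFB devices show up under PEAP / "Microsoft: Secured password (EAP-MSCHAP v2)" while the working on-prem devices do too, the question is what credential the Autopilot devices are sending, and a reason code of 16 ("Authentication failed due to a user credentials mismatch") in the second table points at the supplicant's credential rather than at the NPS policy. If the Autopilot devices are already on EAP-TLS, the NTLMv2 key is irrelevant and the certificate enrolment is the place to look. Set the registry value only on a test NPS box first, as the other answer advises, since it changes how NPS handles MS-CHAPv2 for every client.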
