Windows NPS + Certificate Selection

Question

Hello,

We've installed a Windows NPS server and are slowly rolling it out into production. We are using Machine Certificates for network auth *(i.e. Microsoft: Smart Card or other certificate). We are also using Cisco network switches and Cisco APs.

I have noticed that some PCs do not like it when "Use Simple Certificate Selection" is enabled for the Wired 802 network. For Wi-Fi it didn't seem to matter if that box was checked or not. But, for some reason on Wired it depends on the PC whether or not it will work.

We are using a variety of Lenovo ThinkPads *(X1, T470, T470s, T480, T480s, T14, T460, T460s).

It seems very odd that a PC can auth just fine on Wireless, but not Wired, when the same cert is being used for BOTH NAS-Port Types, i.e. wired or wireless...

For the PCs that wouldn't work with this option enabled, I tried re-issuing their certs. But that didn't seem to change anything.

Any help would be greatly appreciated!

-Matt

Answer 1

Hello,

 

Thank you for posting in Q&A forum.

If "Use simple certificate selection" option is checked, NPS server will select the certificate used for 802.1x authentication automatically. However, it may bring some issue if it selects a wrong Root CA.

To further check this issue, you need to:

1.Check the certificate configured on the Lan connection.

2.Check the Root CA used for wired authentication in NPS policy on the server.

3.Compare the two certificate matches or not and if it's trusted on NPS server.

 

Hope this answer can help you well.

 

Best regards，

Jill Zhou