Domain WiFi connection issue

Question

Hello,

My organization is trying to move from user account auth to machine account auth with MS-CHAPv2 (we will be moving to EAP-TLS as soon as we can, this is just a necessary stop-gap) .

I have a GPO that pushes out a wifi profile with all the required settings. We all use more or less the same model of Dell laptops, Windows 11, up to date.

Active Directory Domain environment with RADIUS.

For the vast majority of users (hundreds) everything works fine, but for 2 or 3 users, the GPO applies, they can see the new profile but when they try to connect it fails.

There is no sign of the failure in the RADIUS logs, but the users event viewer shows this in the WLAN autoconfig -
Failure Reason:Explicit Eap failure received
ReasonCode 0x50005

ErrorCode 0x80070285

ReasonCode 327685

If the user falls back to a profile that uses user account authentication (same SSID, same RADIUS servers etc) it works fine.

What's more confusing is that, when I was testing this to begin with on my own computer, I could not get it to work until I disabled Credential Guard, so in the same GPO that pushes out the WiFi profile, I added a bit to disable CG.

Because of this problem, I had a look at several working laptops to compare, and I can see that the GPO is not disabling credential guard (no idea why) - and yet its working for hundreds of people!! :/

I manually disabled it on the problem laptops just in case but it had no effect.

When the GPO first rolled out, a lot more people had the issue where they couldn't connect, but in every case they just rebooted and it was fine.

Any ideas whats going on?

thanks.

Answer 1

just looked closer at user event log...

the wifi profile is set to autoconnect to the WiFi. On auto connect attempts there are eap errors with reason 327685 which i think means theres a problem with user certificate? (were not suing certificates).

When the user tries to connect to that profile maually they get reason code 163851 "the specific network is not available"

Answer 2

Hello,

Please check the following possible causes:

1. Ensure that the GPO is actually applied to the user's computer in question.
2. Check the Credential Guard status. For machines that cannot connect, you can manually check the status of Credential Guard even if the GPO has not disabled it.

Error code 163851 means "specific network unavailable". This usually means that the client cannot find or connect to the specified wireless network. This may be due to an incorrect network name (SSID), out-of-range network, disabled network, or a problem with the client's wireless adapter.

3. Check the wireless profile to ensure that the wireless profile Settings for all users are consistent, including the authentication method and encryption type.
4. Check the wireless adapter to ensure that the wireless adapter of the computer in question is working properly and that the driver is up to date. You can try updating the driver or uninstalling and reinstalling the driver.
5. Delete the old configuration file. Sometimes old or corrupt wireless profiles can cause problems. Try deleting the old wireless profile from the computer in question and then recreating or reapplying the new profile.

Answer 3

the fix was to delete machine GPO history (which breaks trust relationship) and then remove/re-add device back to domain.

problem is that is not really an ok fix considering i need to roll this GPO out to 2000 users world wide. - Most of which dont have on-site IT staff.