Explicit EAP error 0x9009030C. Authentication failed due to a user credentials mismatch on NPS server

Question

We've been having a strange problem related to 802.1x authentication using internal CA certificates against a wireless network that uses 802.1x authentication. Most of the computers don't have issues but this problem crops up on newly setup machines which have acquired internal certs for 802.1X authentication recently. The Explicit EAP error 0x9009030C pops up from the endpoint Windows 11 pc end. On the Windows NPS RADIUS server side, we see eventlog ID 6273 "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect." Sometimes I can wire up the laptop and have the user login then the error goes away and wifi connects using 802.1x authentication miraculously. Often times, I need to remote to the pc and launch certificate management console as a domain account that is a local admin on the laptop and launch certificate management console to "request new certificate" then the problem also gets fixed. However, I do not have the real root cause that's causing this problem.

Anyone has any similar experience or insight on this?

*** Moved from Windows / Windows 11 / Internet and connectivity ***

Answer 1

Disabled option "Verify the server's identity by validating the certificate" option inside group policy that governs the WLAN 802.1x authentication settings. This seems to have fixed most of the problems.

I referenced this article: https://vcloudnine.de/windows-nps-authentication-failed-with-error-code-16/#:~:text=Logging%20Results:%20Accounting%20information%20was%20written%20to%20the%20local%20log

I don't see why reverse server side certificate check is ever necessary when an internal CA is used for our 802.1x authentication infrastructure. This shortened the amount of time for wifi connection also, especially during high bandwidth usage inside our SD-WAN.

Answer 2

Hi ronnieshih,

Thank you for posting in the Microsoft Community Forums.

Check the certificate:

Ensure that the client certificate is properly installed on the newly setup computer and that it is valid, not revoked, and trusted.

On the client computer, open the Certificate Management Console and check the status and properties of the client certificate.

Verify user credentials:

Ensure that the username and password provided are correct.

Check that the username exists in Active Directory and that the password is correct.

Check NPS configuration:

Ensure that the NPS is properly configured to use Active Directory for authentication.

On the NPS, check the Network Policy and Connection Request Policy to ensure that they are set correctly to authenticate user credentials.

Update the client computer configuration:

On Windows 11 client computers, ensure that the 802.1x settings have been configured correctly.

Update the wireless network adapter driver to the latest version to ensure compatibility with the 802.1x standard.

Temporary solution:

As you mentioned, sometimes the problem can be resolved by remotely accessing the PC and launching the Certificate Management Console as a domain account and requesting a new certificate. This may be because this action triggers a revalidation or renewal of the certificate.

Another possible interim solution is to reboot the client computer or wireless network adapter to clear possible caching or status issues.

Deeper analysis:

Use a network diagnostic tool such as Wireshark to capture and analyze network traffic during the 802.1x authentication process for possible errors or problems.

Check the relevant logs in the Windows Event Viewer for more detailed information about authentication failures.

Best regards

Neuvi