
Azure AD Joined devices - NPS - Eap types "Secure password (EAP-MSCHAP v2)"

Erjen Rijnders 61 Reputation points
2021-05-18T12:50:58.637+00:00

For some time, we have used Meraki Access Points with RADIUS authentication. The NPS configuration is straightforward: we configured a network policy > Authentication Methods > EAP types: "Microsoft: Protected EAP (PEAP)".
On the "Edit" page below EAP type, we used "Secured password (EAP-MSCHAP v2)" and we configured the certificate that must be used.

Now this works great for domain-joined devices. Even pre-logon works great, so before the user is logged in we already have a Wi-Fi connection.

But for Azure AD joined devices (using PIN login), this doesn't work as expected. As soon as you try to connect, it asks for a password. If you fill in the password, you are connected. Even if you somehow log in to the network with a password, it also works perfectly. And logging in with a password in the user account on the Windows logon screen also works.

In the NPS log, I do see a successful login, even though it's not working. If I check the security event log, it tells me that the logon has failed with "bad username or password".

We use Windows Hello for Business (which works great for drive mappings and other applications).

I found a recent blog that could be the problem: https://sysmansquad.com/2021/04/27/working-around-nps-limitations-for-aadj-windows-devices/
Maybe NPS needs to find the computer object. But I want to verify it here first: could that be the problem? I have not configured a condition in NPS that checks for a Domain Computers group, for example.

Can someone shed some light on this problem, why it's failing? Thanks a lot in advance.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

  1. Erjen Rijnders 61 Reputation points
    2021-06-01T18:06:41.603+00:00

    Thank you Jason for your help. We weren't actually using device auth in NPS; that's what I meant.
    Luckily, we found the issue. The issue was related to WH4B: the Wi-Fi settings on the device were configured to use the Windows username and password for automatic sign-on to the Wi-Fi network, but that was failing because of WH4B (as WH4B uses smartcard auth).
    Unchecking that checkbox solved our issue.

    Thanks again!

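The checkbox referred to in the accepted answer is the "Automatically use my Windows logon name and password (and domain if any)" option of the EAP-MSCHAP v2 inner method. In an exported Wi-Fi profile it is stored as the `UseWinLogonCredentials` element of the inner EAP type 26 (MSCHAPv2) configuration under EAP type 25 (PEAP). The following PowerShell script is an added example, not code from the thread or from Microsoft: it exports a profile with `netsh`, reports that flag, and with `-Fix` sets it to false and re-imports the profile. The profile name `CorpWiFi` and the export directory are placeholders; the script assumes `netsh` names the exported file `<interface>-<profile>.xml`, and re-importing for all users needs an elevated prompt.

```powershell
<#
Added example (not part of the thread): inspect, and optionally clear, the
"Automatically use my Windows logon name and password" option of an exported
Wi-Fi profile. The option is the UseWinLogonCredentials element of the inner
EAP-MSCHAPv2 (type 26) configuration under PEAP (type 25).
Assumptions: 'CorpWiFi' is a placeholder profile name; the exported file is
named <interface>-<profile>.xml; 'netsh wlan add profile ... user=all' needs
an elevated prompt.
#>
[CmdletBinding()]
param(
    [string]$ProfileName = 'CorpWiFi',                          # placeholder SSID / profile name
    [string]$ExportDir   = (Join-Path $env:TEMP 'wlan-export'), # scratch folder for the export
    [switch]$Fix                                                # set the flag to false and re-import
)

$null = New-Item -ItemType Directory -Path $ExportDir -Force

# Export without key material: an 802.1X profile has no PSK, we only need the EAP config.
netsh wlan export profile name="$ProfileName" folder="$ExportDir" | Out-Null
$file = Get-ChildItem -Path $ExportDir -Filter "*-$ProfileName.xml" | Select-Object -First 1
if (-not $file) { throw "No exported profile found for '$ProfileName' in $ExportDir." }

[xml]$doc = Get-Content -Path $file.FullName -Raw

# Each layer of the EAP configuration lives in its own XML namespace; XPath needs all of them.
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('eh',   'http://www.microsoft.com/provisioning/EapHostConfig')
$ns.AddNamespace('base', 'http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1')
$ns.AddNamespace('peap', 'http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1')
$ns.AddNamespace('chap', 'http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1')

# PEAP (type 25) -> inner EAP-MSCHAPv2 (type 26) -> UseWinLogonCredentials
$xpath = '//eh:EapHostConfig/eh:Config/base:Eap[base:Type="25"]/peap:EapType' +
         '/base:Eap[base:Type="26"]/chap:EapType/chap:UseWinLogonCredentials'
$node = $doc.SelectSingleNode($xpath, $ns)

if (-not $node) {
    Write-Warning "Profile '$ProfileName' is not PEAP with inner EAP-MSCHAPv2; nothing to check."
    return
}

Write-Host "UseWinLogonCredentials for '$ProfileName': $($node.InnerText)"

if ($Fix -and $node.InnerText -eq 'true') {
    # With Windows Hello for Business there is no password for MSCHAPv2 to send,
    # so the automatic-credential path fails. Clear the flag and re-import the profile.
    $node.InnerText = 'false'
    $doc.Save($file.FullName)
    netsh wlan add profile filename="$($file.FullName)" user=all
    Write-Host "Profile '$ProfileName' re-imported with UseWinLogonCredentials=false."
}
```

Run it once without `-Fix` to see the current value; if the profile is pushed by Group Policy or Intune, change it at the source instead, since a locally edited profile will be overwritten on the next policy refresh.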


  2. Erjen Rijnders 61 Reputation points
    2021-05-18T14:19:44.963+00:00

    Thank you for confirmation! I had some doubts because that Q&A didn't mention Windows Hello for Business.
    We will try the workaround. Thanks again.


  3. Jason Sandys 31,421 Reputation points Microsoft Employee Moderator
    2021-05-18T14:10:33.203+00:00

    Maybe NPS needs to find the computer object.

    Not maybe, definitely. The blog you linked to, as well as the Q&A thread it links to, calls this out. The blog presents a possible workaround. Other alternatives include only using user auth (meaning there is no pre-logon, device-based auth).

    Yes, this is a known issue and in the backlog to be addressed but with no commitment at this time.

    (This is unrelated to Intune so I'm removing the Intune tag as well.)
