Windows NPS + Certificate Selection

Matt 1 Reputation point
2024-04-02T19:22:34.55+00:00

Hello,

We've installed a Windows NPS server and are slowly rolling it out into production. We are using Machine Certificates for network auth *(i.e. Microsoft: Smart Card or other certificate). We are also using Cisco network switches and Cisco APs.

I have noticed that some PCs do not like it when "Use Simple Certificate Selection" is enabled for the Wired 802 network. For Wi-Fi it didn't seem to matter if that box was checked or not. But, for some reason on Wired it depends on the PC whether or not it will work.

We are using a variety of Lenovo ThinkPads *(X1, T470, T470s, T480, T480s, T14, T460, T460s).

It seems very odd that a PC can auth just fine on Wireless, but not Wired, when the same cert is being used for BOTH NAS-Port Types, i.e. wired or wireless...

For the PCs that wouldn't work with this option enabled, I tried re-issuing their certs. But that didn't seem to change anything.

Any help would be greatly appreciated!

-Matt


1 answer

  1. Jing Zhou 1,475 Reputation points Microsoft Vendor
    2024-04-05T01:39:10.5666667+00:00

    Hello,

    Thank you for posting in the Q&A forum.

    If the "Use simple certificate selection" option is checked, the NPS server will select the certificate used for 802.1X authentication automatically. However, it may cause issues if it selects the wrong Root CA.

    To further check this issue, you need to:

    1. Check the certificate configured on the LAN connection.

    2. Check the Root CA used for wired authentication in the NPS policy on the server.

    3. Check whether the two certificates match and whether it is trusted on the NPS server.

    Hope this answer helps.

    Best regards,

    Jill Zhou

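One way to collect the client-side facts for the checks listed in the answer above, as an added example that is not part of the original question or answer. It assumes the machine certificate lives in the `LocalMachine\My` store and that the Wired AutoConfig service (dot3svc) is running; the scratch folder name is hypothetical.

```powershell
# Added example. Run elevated on an affected client. Assumes the machine
# certificate is in LocalMachine\My and Wired AutoConfig (dot3svc) is running.
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

# Machine certificates that could be offered for EAP-TLS, with the root each chains to.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the chain path matters here
    $ok   = $chain.Build($_)
    $n    = $chain.ChainElements.Count
    $root = if ($n -gt 0) { $chain.ChainElements[$n - 1].Certificate }
    $ekus = @($_.EnhancedKeyUsageList | ForEach-Object ObjectId)
    [pscustomobject]@{
        Subject        = $_.Subject
        Thumbprint     = $_.Thumbprint
        NotAfter       = $_.NotAfter
        HasPrivateKey  = $_.HasPrivateKey
        # No EKU extension means the certificate is valid for all purposes.
        ClientAuthEku  = ($ekus.Count -eq 0) -or ($ekus -contains $clientAuth)
        ChainBuilds    = $ok
        Root           = $root.Subject
        RootThumbprint = $root.Thumbprint
    }
} | Format-List

# Wired 802.1X profiles: the simple-selection flag and the trusted root hashes.
$dir = Join-Path $env:TEMP 'dot3-profiles'   # hypothetical scratch folder
New-Item -ItemType Directory -Path $dir -Force | Out-Null
netsh lan export profile folder="$dir" | Out-Null
Get-ChildItem $dir -Filter *.xml | ForEach-Object {
    $xml  = [xml](Get-Content $_.FullName -Raw)
    # Match on local name so the lookup works whatever namespace prefix the export uses.
    $pick = { param($name) $xml.SelectNodes("//*[local-name()='$name']") | ForEach-Object InnerText }
    [pscustomobject]@{
        Profile             = $_.BaseName
        SimpleCertSelection = (& $pick 'SimpleCertSelection') -join ','
        # Root(s) the client trusts for the NPS server certificate; stored as
        # spaced hex, so strip whitespace before comparing with thumbprints.
        TrustedRootCA       = ((& $pick 'TrustedRootCA') -replace '\s', '') -join ','
    }
} | Format-List
```

More than one row in the first listing with `ClientAuthEku` true and a private key means the client has several candidate certificates to choose from; the `RootThumbprint` values are what to compare against the roots trusted on the NPS server.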