Root CA Renewal Broke Wireless Authentication via EAP (NPS Issue)

Skyycc 0 Reputation points
2025-01-24T18:00:06.56+00:00

So we had our Root CA Certificate expire, and I renewed it the same day it expired. Since then the wireless clients that connected via a certificate from the CA can no longer connect to the wireless. They simply receive the error "Can't connect to this network"

Here's the setup:

Users connect to the WiFi via a Ruckus Access Point system, which is configured to use a RADIUS server on our DCs for authentication.

The Ruckus controller has the Root CA Certificate added to its Trusted CA Certificates/Chain (external) list.

The RADIUS server is running on our domain controllers (NPS on Windows Server), which also have the renewed CA Certificate and the RADIUS authentication certificate installed.

Wireless authentication is configured using EAP, and both the CA Certificate and the Wireless Authentication Enrollment Certificates are deployed to clients via Group Policy.

What I've done so far:

I renewed the Root CA Certificate on the CA server the same day it expired.

Deleted the old certificates (both Root CA and any client certificates issued before renewal) from all domain controllers and clients.

Pushed the renewed CA Certificate to all domain-joined devices via Group Policy.

Verified that the renewed CA Certificate is installed in the Trusted Root Certification Authorities store on all devices (clients and servers).

Verified that the Wireless Authentication Enrollment Certificate is being issued from the CA server to clients and installed correctly.

Event Log on the NPS server shows:

Reason Code: 295

Reason: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

The Root CA certificate expired and was renewed, but wireless clients can no longer authenticate via EAP. Despite having the correct certificates installed and trusted on all devices, the NPS server continues to reject authentication attempts with Reason Code 295, citing a trust issue with the CA chain.

Any thoughts on what I might be missing or what else to try? Thank you for reading!


1 answer

  1. Geoff McKenzie 315 Reputation points
    2025-01-27T23:16:01.9433333+00:00

    Hi SkyCC,

    As you are seeing error 295 on the NPS server (which I understand is also your DC), I would start looking there.

    I would enable the CAPI2 log on that server. Note this may roll over quickly, so you may want to increase the log size a bit AND time your test to minimise noise, e.g. enable the CAPI2 log, perform the test, disable the CAPI2 log.

    Then look through the logs. From this log you should be able to determine which certificate and where in the chain, the validation fails.

    I can't see in your description if you have more than just a root (i.e. do you have a 2-tier PKI with issuing CAs), so I am just assuming you have only a root CA.

    I also cannot see any indication of how you performed the Root CA cert renewal. If I recall correctly, there are some scenarios where you need to keep the old Root CA in the systems to enable cross-certification between the old CA cert and the new CA cert; however, I am not sure if that is relevant in your situation, especially with the old Root expired.

    Regardless, the CAPI2 log should tell you where the validation is failing and on which certificate.

    CAPI2 logs are in eventvwr under "Applications and services" -> Microsoft -> Windows -> CAPI2

    Good luck

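One way to scope the CAPI2 capture the answer describes to a single EAP attempt and then pull out which certificate the chain failed on, as an added example that is not part of the thread. It assumes an elevated PowerShell session on the NPS server; the `subjectName` attribute and `<Result>` element matched by the regexes are assumptions about the CAPI2 event XML, and event IDs 11 (Build Chain) and 30 (Verify Chain Policy) are the ones normally worth reading first.

```powershell
# Added example (not from the original thread): enable CAPI2 logging on the
# NPS server only around one failing wireless logon, then list the chain
# validation errors with the certificates involved. Run elevated.
$LogName = 'Microsoft-Windows-CAPI2/Operational'

function Set-Capi2Log {
    param([bool]$Enabled, [int]$MaxMB = 64)
    $log = Get-WinEvent -ListLog $LogName
    $log.MaximumSizeInBytes = $MaxMB * 1MB   # avoid roll-over mid-test
    $log.IsEnabled = $Enabled
    $log.SaveChanges()
}

# 1. Start from an empty, enlarged log so the test window contains only our noise.
wevtutil cl $LogName
Set-Capi2Log -Enabled $true
$start = Get-Date

# 2. Reproduce once: have a single client attempt the EAP connection now.
Read-Host 'Reproduce the failing EAP logon from one client, then press Enter'

# 3. Stop logging again so later traffic does not bury the evidence.
Set-Capi2Log -Enabled $false

# 4. Keep only error-level (Level 2) events from the test window. Chain build
#    (ID 11) and policy verification (ID 30) failures land here.
$events = Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $start -and $_.Level -eq 2 }

foreach ($e in $events) {
    $xml = $e.ToXml()
    # Assumed CAPI2 schema: chain members carry a subjectName attribute and the
    # outcome is a <Result value="HRESULT">text</Result> element.
    $subjects = [regex]::Matches($xml, 'subjectName="([^"]+)"') |
        ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique
    $result = [regex]::Match($xml, '<Result value="([0-9A-Fa-f]+)">([^<]*)</Result>')
    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id
        Task     = $e.TaskDisplayName
        Result   = if ($result.Success) {
                       "0x$($result.Groups[1].Value) $($result.Groups[2].Value)"
                   } else { '' }
        Subjects = ($subjects -join ' | ')
    }
}
```

Compare the subjects listed for the failing event against the renewed root and the RADIUS server certificate: the certificate named alongside a non-zero `Result` is the one the policy provider refused, which narrows the Reason Code 295 down to a specific store or chain member.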
