NPS - PEAP - certificate authentication failure

Dar Mar 1 Reputation point
2021-04-06T08:31:28.937+00:00

Hi,

I have configured an NPS server in Server 2019 standard.

PEAP/Secured Password (EAP-MSCHAP2 v2) is working perfectly.
PEAP/Smart card or other certificate is not working.

The test client workstation has the correct new domain computer/user CA certificate installed and NPS server has the correct CA certificates installed and is enabled to perform domain authentication.

Does anyone have any ideas what might be the problem?

Here is an example of NPS server log:

<Event><Timestamp data_type="4">04/06/2021 10:42:53.944</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Service-Type data_type="0">2</Service-Type><Framed-MTU data_type="0">9198</Framed-MTU><Called-Station-Id data_type="1">00-62-EC-18-CD-81</Called-Station-Id><Calling-Station-Id data_type="1">54-EE-75-31-24-20</Calling-Station-Id><Framed-IP-Address data_type="3">172.18.110.3</Framed-IP-Address><NAS-IP-Address data_type="3">172.18.114.2</NAS-IP-Address><NAS-Port-Id data_type="1">GigabitEthernet1/0/1</NAS-Port-Id><NAS-Port-Type data_type="0">15</NAS-Port-Type><NAS-Port data_type="0">50101</NAS-Port><Client-IP-Address data_type="3">172.18.114.2</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">Switch</Client-Friendly-Name><Cisco-AV-Pair data_type="1">method=dot1x</Cisco-AV-Pair><Cisco-AV-Pair data_type="1">service-type=Framed</Cisco-AV-Pair><Cisco-AV-Pair data_type="1">audit-session-id=0A9C2582000010E46DA2F630</Cisco-AV-Pair><User-Name data_type="1">host/test500.DOMAIN.com</User-Name><Proxy-Policy-Name data_type="1">CERTIFIKAT</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">DOMAIN\TEST500$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">DOMAIN\TEST500$</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">Copy of Certifikat - TEST</NP-Policy-Name><Class data_type="1">311 1 172.18.66.62 04/05/2021 08:54:19 1589</Class><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

<Event><Timestamp data_type="4">04/06/2021 10:42:53.944</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 172.18.66.62 04/05/2021 08:54:19 1589</Class><Session-Timeout data_type="0">60</Session-Timeout><NP-Policy-Name data_type="1">Copy of Certifikat - TEST</NP-Policy-Name><Client-IP-Address data_type="3">172.18.114.2</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">Switch</Client-Friendly-Name><Authentication-Type data_type="0">5</Authentication-Type><Proxy-Policy-Name data_type="1">CERTIFIKAT</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">DOMAIN\TEST500$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">DOMAIN\TEST500$</Fully-Qualifed-User-Name><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

Windows Server 2019

1 answer

  1. Candy Luo 12,656 Reputation points Microsoft Vendor
    2021-04-07T08:42:05.563+00:00

    Hi,

    It is hard to do troubleshooting if there is no specific event/error about the problem. In such a case, we need to trace and monitor logs to analyze the cause. However, analysis of logs is beyond our forum support level and, due to forum security policy, we have no such channel to collect user log information. So, we recommend you open a case with MS Professional tech support service. They will help you open a phone or email case to Microsoft, so that you would get technical support on a one-to-one basis while ensuring privileged information.

    Here is the link:

    https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

    Best Regards,
    Candy
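
One way to read IAS-format XML events like the two posted in the question, as an added example (not code from the thread or from Microsoft): it decodes Packet-Type, Authentication-Type and Reason-Code and reports how each attempt ended. The sample events are constructed, and grouping events by their Class value is an assumption based on the two posted events sharing one.

```python
import xml.etree.ElementTree as ET

# Subset of the values documented for NPS log fields (RADIUS packet codes, auth types, reasons).
PACKET = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
AUTH = {4: "MS-CHAP v2", 5: "EAP", 11: "PEAP"}
REASON = {0: "success", 16: "credentials mismatch", 22: "EAP type cannot be processed by the server"}

# Constructed sample events in the layout of the posted log (hosts, times, Class values made up).
SAMPLE_LOG = r"""
<Event><Timestamp data_type="4">01/01/2024 09:00:00.000</Timestamp><User-Name data_type="1">host/pc01.example.test</User-Name><Authentication-Type data_type="0">5</Authentication-Type><Class data_type="1">311 1 192.0.2.10 01/01/2024 08:00:00 1</Class><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/01/2024 09:00:00.000</Timestamp><Authentication-Type data_type="0">5</Authentication-Type><Class data_type="1">311 1 192.0.2.10 01/01/2024 08:00:00 1</Class><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/01/2024 09:05:00.000</Timestamp><User-Name data_type="1">host/pc02.example.test</User-Name><Authentication-Type data_type="0">11</Authentication-Type><Class data_type="1">311 1 192.0.2.10 01/01/2024 08:00:00 2</Class><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/01/2024 09:05:00.100</Timestamp><Authentication-Type data_type="0">11</Authentication-Type><Class data_type="1">311 1 192.0.2.10 01/01/2024 08:00:00 2</Class><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/01/2024 09:10:00.000</Timestamp><User-Name data_type="1">host/pc03.example.test</User-Name><Authentication-Type data_type="0">11</Authentication-Type><Class data_type="1">311 1 192.0.2.10 01/01/2024 08:00:00 3</Class><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/01/2024 09:10:00.100</Timestamp><Authentication-Type data_type="0">11</Authentication-Type><Class data_type="1">311 1 192.0.2.10 01/01/2024 08:00:00 3</Class><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
"""

def parse_event(line):
    """Decode one <Event> line into the fields needed to follow an attempt."""
    f = {c.tag: c.text for c in ET.fromstring(line)}
    ptype, auth = int(f["Packet-Type"]), int(f.get("Authentication-Type", -1))
    return {"class": f.get("Class"), "user": f.get("User-Name"),
            "packet": PACKET.get(ptype, f"type {ptype}"),
            "auth": AUTH.get(auth, f"type {auth}"),
            "reason": int(f.get("Reason-Code", 0))}

def summarize(log_text):
    """Group events by Class (assumed to identify one attempt) and state how each ended."""
    sessions = {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        e = parse_event(line)
        s = sessions.setdefault(e["class"], {"user": None, "auth": e["auth"],
                                             "packets": [], "reason": 0})
        s["user"] = s["user"] or e["user"]   # responses carry no User-Name
        s["packets"].append(e["packet"])
        s["reason"] = e["reason"] or s["reason"]
    for s in sessions.values():
        if "Access-Accept" in s["packets"]:
            s["verdict"] = "accepted"
        elif "Access-Reject" in s["packets"]:
            s["verdict"] = "rejected: " + REASON.get(s["reason"], f"reason code {s['reason']}")
        else:  # e.g. a request answered only by a challenge
            s["verdict"] = "no final answer logged (last packet: %s)" % s["packets"][-1]
    return list(sessions.values())

if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(s["user"], "|", s["auth"], "|", s["verdict"])
```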
