Cert-based EAP-TLS Wireless using NPS as RADIUS client, server 2016 not working
I'm about ready to pull my hair out and I've definitely grown a few new grey hairs in the last 72 hours trying to figure this out.
Background:
The client's corporate office has APs; their DC/CA/NPS server is up in the cloud (we host it in our datacenter). It does absolutely nothing other than syncing AD to Azure and handling NPS and client certificates; all files, etc. are in 365.
Configuring this with PEAP, it works flawlessly, but the client does not want users to be prompted for credentials; they want "touchless wifi", as it was described, so certificates.
I initially was blaming this on an MTU issue, but NPS has been configured with an MTU frame of 1344, as recommended by Cisco, and the VPN tunnel has its MTU set to 1400 with an MSS of 1360.
I've run Wireshark on the source network and the destination network, and the packets are (at least now) being reassembled properly from what I can tell.
Issue:
Whether trying the Intune-configured network or one I manually set up on the client for WPA2-Enterprise, the result is the same. It spins and spins and spins, then eventually does nothing. Client-side event logs show 12011, then 12014, 12014, etc. until it just fails to connect (authentication started, restart, restarted).
On the server, in the Network Policy and Access Services logs, I get nothing, nada, zilch. PEAP connections are logged here, but apparently not EAP?
If I open up the IAS accounting file, however, I can see the connection attempt, but nothing else past that (below).
<Event>
<Timestamp data_type="4">11/26/2021 18:12:42.011</Timestamp>
<Computer-Name data_type="1">CLOUD-ADC1</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 10.2.34.10 11/26/2021 23:00:00 48</Class>
<Session-Timeout data_type="0">30</Session-Timeout>
<Acct-Session-Id data_type="1">488D4B96855EE3F4</Acct-Session-Id>
<Client-IP-Address data_type="3">172.16.1.242</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">b4:fb:e4:c0:51:86</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Secure Wireless Profile</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">DOMAIN\username</SAM-Account-Name>
<Fully-Qualifed-User-Name data_type="1">DOMAIN\username</Fully-Qualifed-User-Name>
<Authentication-Type data_type="0">5</Authentication-Type>
<NP-Policy-Name data_type="1">Secure Wireless for Employees</NP-Policy-Name>
<Packet-Type data_type="0">11</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>
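One way to read a stalled EAP exchange out of that accounting file, as an added example that is not part of the original post: the DTS-compliant IAS log is a series of root-less <Event> elements, so the parser below wraps them, groups records by Acct-Session-Id, maps Packet-Type to its RFC 2865 name, and flags sessions that only ever produced Access-Challenge (Packet-Type 11) and never reached Access-Accept (2) or Access-Reject (3). The sample log, session ids and user names are constructed; note that Reason-Code 0 on a challenge only means NPS processed that packet, not that the client authenticated.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# RADIUS packet codes as written to the IAS <Packet-Type> attribute (RFC 2865).
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Constructed sample in the DTS-compliant IAS format (one <Event> per line, no root element).
# Session 488D... only ever receives Access-Challenge records, like the post; A1B2... completes.
SAMPLE_LOG = r"""
<Event><Timestamp data_type="4">11/26/2021 18:12:42.011</Timestamp><Acct-Session-Id data_type="1">488D4B96855EE3F4</Acct-Session-Id><SAM-Account-Name data_type="1">DOMAIN\username</SAM-Account-Name><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">11/26/2021 18:12:43.120</Timestamp><Acct-Session-Id data_type="1">488D4B96855EE3F4</Acct-Session-Id><SAM-Account-Name data_type="1">DOMAIN\username</SAM-Account-Name><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">11/26/2021 18:13:01.500</Timestamp><Acct-Session-Id data_type="1">A1B2C3D4E5F60718</Acct-Session-Id><SAM-Account-Name data_type="1">DOMAIN\other</SAM-Account-Name><Authentication-Type data_type="0">11</Authentication-Type><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">11/26/2021 18:13:02.900</Timestamp><Acct-Session-Id data_type="1">A1B2C3D4E5F60718</Acct-Session-Id><SAM-Account-Name data_type="1">DOMAIN\other</SAM-Account-Name><Authentication-Type data_type="0">11</Authentication-Type><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
"""

def parse_ias_events(log_text):
    """Parse IAS log text into a list of {attribute: value} dicts.
    The on-disk file has no root element, so one is wrapped around the events here."""
    root = ET.fromstring("<Log>" + log_text + "</Log>")
    return [{child.tag: (child.text or "") for child in ev} for ev in root.iter("Event")]

def summarise_sessions(events):
    """Group records by Acct-Session-Id, keeping the sequence of RADIUS packet types seen."""
    sessions = defaultdict(lambda: {"user": "", "auth_type": None, "packets": [], "last_reason": None})
    for rec in events:
        sid = rec.get("Acct-Session-Id")
        if not sid:
            continue
        s = sessions[sid]
        s["user"] = rec.get("SAM-Account-Name", s["user"])
        if "Authentication-Type" in rec:          # 5 = EAP, 11 = PEAP in the IAS format
            s["auth_type"] = int(rec["Authentication-Type"])
        code = int(rec.get("Packet-Type", 0))
        s["packets"].append(PACKET_TYPES.get(code, f"code-{code}"))
        if "Reason-Code" in rec:
            s["last_reason"] = int(rec["Reason-Code"])
    return dict(sessions)

def stalled_sessions(sessions):
    """Sessions that got Access-Challenge(s) but never an Access-Accept or Access-Reject:
    the EAP conversation started and then went silent from NPS's point of view."""
    return {sid: s for sid, s in sessions.items()
            if "Access-Challenge" in s["packets"]
            and not {"Access-Accept", "Access-Reject"} & set(s["packets"])}

if __name__ == "__main__":
    for sid, s in stalled_sessions(summarise_sessions(parse_ias_events(SAMPLE_LOG))).items():
        print(f"{sid}: {s['user']} auth_type={s['auth_type']} packets={s['packets']}")
```

Point it at a real IN*.log from the NPS server and any session listed is one where the supplicant stopped answering mid-handshake, which separates a transport problem from a policy rejection (which would show as Access-Reject with a non-zero Reason-Code).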