Solved the issue myself. When MaaS360 was requesting the certificates, they were getting pushed to AD under the service account it uses, so it wasn't present under the user attempting to connect. Turning publish to AD off within the cert template and regenerating allowed devices to connect straight away without issues.
EAP-TLS Authentication failure
Dan
I've been struggling for a day or so now trying to get EAP-TLS authentication working with our iOS devices. We've previously had it configured requiring username and password; however, I want to authenticate purely with certificates.
The certificates are requested via MDM (MaaS360) and appear valid.
I've got the connection request and network policies configured; however, I'm getting the below authentication failure when a user's device tries to connect:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: DOMAIN\example
Account Name: testuser
Account Domain: DOMAIN
Fully Qualified Account Name: domain/ou/example user
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 80-2A-A8-17-C1-89:DCP
Calling Station Identifier: 04-72-95-AB-91-46
NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: 802aa817c189
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: -
RADIUS Client:
Client Friendly Name: Unifi AP
Client IP Address: *****
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Cert Authentication
Authentication Provider: Windows
Authentication Server: Radius.***.local
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: 39363442454142353338324546383435
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
I can't work out what would be causing this authentication failure. Could anyone point me in the right direction?
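An added example, not part of the original post: a small triage of the NPS denial event quoted above. It scopes the repeated field names by section and flags Reason Code 16 on a certificate EAP type, where the "password was incorrect" wording does not apply. The function names, the `SECTIONS` set and the trimmed sample event are constructed for illustration.

```python
# Constructed sample: trimmed copy of the NPS denial event quoted in the question.
SAMPLE_EVENT = """\
Network Policy Server denied access to a user.
User:
Security ID: DOMAIN\\example
Account Name: testuser
Account Domain: DOMAIN
Client Machine:
Security ID: NULL SID
Account Name: -
NAS:
NAS Port-Type: Wireless - IEEE 802.11
Authentication Details:
Network Policy Name: Cert Authentication
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch.
"""

# Section headers as they appear in the event text (hypothetical constant name).
SECTIONS = {"User", "Client Machine", "NAS", "RADIUS Client", "Authentication Details"}

def parse_nps_event(text):
    """Return {section: {field: value}}. 'Security ID' and 'Account Name'
    occur under both User and Client Machine, so fields are kept per section."""
    event, section = {}, None
    for line in text.splitlines():
        # Split on the first colon only: values such as the EAP type contain colons.
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        if key in SECTIONS and not value:
            section = key
            event[section] = {}
        elif section:
            event[section][key] = None if value == "-" else value
    return event

def triage(event):
    """Return a hint when a certificate-based EAP attempt fails with Reason Code 16."""
    auth = event.get("Authentication Details", {})
    user = event.get("User", {})
    cert_eap = "certificate" in (auth.get("EAP Type") or "").lower()
    if auth.get("Reason Code") == "16" and cert_eap:
        return (f"EAP-TLS denial for {user.get('Account Name')}: no password is involved, "
                "check which AD account the client certificate was requested and published under")
    return None
```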