Forum Discussion

Tobias Ölander
Copper Contributor
Jan 12, 2024

Intune: 802.1x Wi-Fi, NPS and user PKCS certificates

I'm working on deploying WPA2 Enterprise Wi-Fi with Intune for users. I have followed two blog posts:
Deploy WPA2 Enterprise Wifi with Intune - VMLabBlog.com
&
Intune: 802.1x Wi-Fi, NPS and user PKCS certificates | Katy's Tech Blog (katystech.blog)

Great posts, and I got it to work in my test lab.

Now, when I try to get this to work in a production environment, I run into some issues.
I have tried troubleshooting for quite a while, but it always ends up in a dead end.

The error I get in the NPS event log is:

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
 
User:
Security ID: NULL SID
Account Name: email address removed for privacy reasons
Account Domain: -
Fully Qualified Account Name: -
 
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: aa-aa-aa-61-9C-49:Corp_Wifi
Calling Station Identifier: aa-aa-aa-69-CB-93
 
NAS:
NAS IPv4 Address: 172.16.3.254
NAS IPv6 Address: -
NAS Identifier: aaaaae4619c49
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: -
 
RADIUS Client:
Client Friendly Name: APGaroChargers.xyz.lan
Client IP Address: 172.16.3.254
 
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NPS01.xyz.lan
Authentication Type: Unauthenticated
EAP Type: -
Account Session Identifier: 33413046443538324535383032333938
Logging Results: Accounting information was written to the local log file.
Reason Code: 7
Reason: The specified domain does not exist.

In the test lab everything is fine:

Network Policy Server granted access to a user.
User:
Security ID: Home\test04
Account Name: email address removed for privacy reasons
Account Domain: Home
Fully Qualified Account Name: Home.local/AAD/Users/Test04
 
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: aa-aa-aa-aa-53-13:WiFi_WPA2_Ent
Calling Station Identifier: aa-aa-aa-aa-ED-5A
 
NAS:
NAS IPv4 Address: 192.168.1.102
NAS IPv6 Address: -
NAS Identifier: aaaaa2255313
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 2
 
RADIUS Client:
Client Friendly Name: AP1
Client IP Address: 192.168.1.102
 
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: WiFi_WPA2_Ent
Authentication Provider: Windows
Authentication Server: APP01.hemma.local
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: 44304446443344314431433234374537
Logging Results: Accounting information was written to the local log file.
 
I have added Microsoft Protected EAP (PEAP) under Constraints/Authentication Methods/EAP Types on the NPS server just to see if something is wrong with the NPS, but it works to authenticate with username and password.
So there is something with the certificate, but I have double- and triple-checked everything.

Any ideas are welcome.

Best Regards

Tobias
  • I'm facing the same issue using EAP-TLS with a Microsoft Cloud PKI-issued user certificate.
  • Angell1
    Copper Contributor

    Tobias Ölander I found a solution for us in the end. The problem was that a handful of users had UPNs which did not match from AD to 365. Using PowerShell to update them in 365 resolved the problem after they were re-issued a certificate.
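As an added example (not code from the thread or from either blog post), here is the check that Angell1's fix implies, applied to event text like the two NPS events quoted in the original post. For EAP-TLS, NPS maps the connecting user to an AD account by the UPN in the certificate's Subject Alternative Name; a UPN suffix that is not a domain or registered UPN suffix in the on-prem forest cannot be resolved, which is consistent with the "Reason Code: 7 / The specified domain does not exist" seen in the denied event. The script parses 6272/6273 event bodies, pulls out the account name and reason code, and flags denied events whose UPN suffix is unknown to the forest. The two sample events and the suffix set are constructed (made-up accounts and domains); in production, replace the set with your forest's domain DNS names plus the alternative suffixes from `(Get-ADForest).UPNSuffixes`.

```python
"""Triage NPS 6272/6273 event text for the UPN-suffix mismatch from the thread.

Added example, not code from the forum post. Sample events and the on-prem
suffix list below are constructed assumptions.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample events, shaped like the ones quoted in the post.
SAMPLE_EVENTS: List[str] = [
    """Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
Security ID: NULL SID
Account Name: alice@contoso.com
Account Domain: -
Fully Qualified Account Name: -

Client Machine:
Called Station Identifier: aa-aa-aa-61-9C-49:Corp_Wifi

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Type: Unauthenticated
EAP Type: -
Reason Code: 7
Reason: The specified domain does not exist.""",
    """Network Policy Server granted access to a user.
User:
Security ID: CORP\\bob
Account Name: bob@corp.local
Account Domain: CORP
Fully Qualified Account Name: corp.local/Users/bob

Authentication Details:
Network Policy Name: WiFi_WPA2_Ent
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate""",
]

# Constructed: DNS names of the forest's domains plus alternative UPN suffixes.
# Replace with real values from (Get-ADForest).Domains and .UPNSuffixes.
ONPREM_UPN_SUFFIXES = {"corp.local", "xyz.lan"}


def parse_nps_event(text: str) -> Dict[str, str]:
    """Parse the 'Key: value' body of an NPS 6272/6273 event into a dict.

    The outcome (granted/denied) comes from the first line; section headers
    such as 'User:' carry no value and are skipped. Values may themselves
    contain colons (e.g. 'EAP Type: Microsoft: Smart Card ...'), so the line
    is split on the first colon only.
    """
    fields: Dict[str, str] = {}
    lines = text.strip().splitlines()
    first = lines[0] if lines else ""
    if "denied access" in first:
        fields["Outcome"] = "denied"
    elif "granted access" in first:
        fields["Outcome"] = "granted"
    else:
        fields["Outcome"] = "unknown"
    for line in lines:
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if key and value:
            fields[key] = value
    return fields


def upn_suffix(account_name: str) -> Optional[str]:
    """Return the lower-cased suffix of a UPN-style name, or None for DOMAIN\\user."""
    if "@" not in account_name:
        return None
    return account_name.rsplit("@", 1)[1].lower()


def diagnose(fields: Dict[str, str], known_suffixes: Iterable[str]) -> str:
    """Classify one parsed event; 'upn-suffix-unknown' is the case from the thread."""
    known = {s.lower() for s in known_suffixes}
    if fields.get("Outcome") == "granted":
        return "granted"
    suffix = upn_suffix(fields.get("Account Name", ""))
    if fields.get("Reason Code") == "7":
        if suffix and suffix not in known:
            return "upn-suffix-unknown"
        return "reason-7-suffix-known"
    return "denied-other"


def find_upn_mismatches(events: Iterable[str], known_suffixes: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (account name, suffix) for every denied event with an unknown UPN suffix."""
    hits: List[Tuple[str, str]] = []
    for text in events:
        fields = parse_nps_event(text)
        if diagnose(fields, known_suffixes) == "upn-suffix-unknown":
            account = fields.get("Account Name", "")
            hits.append((account, upn_suffix(account) or ""))
    return hits


if __name__ == "__main__":
    for text in SAMPLE_EVENTS:
        f = parse_nps_event(text)
        print(f"{f.get('Account Name', '-'):24} {f.get('Authentication Type', '-'):16} -> {diagnose(f, ONPREM_UPN_SUFFIXES)}")
```

Run it over the text of each 6273 event exported from the NPS server; every account it reports as `upn-suffix-unknown` is one whose certificate UPN (the value Intune put in the SAN from the user's Entra UPN) has no matching domain or UPN suffix on-prem, which is the population Angell1 fixed by aligning the UPNs and re-issuing the certificates.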
