Forum Discussion

AndreITQ
Copper Contributor
May 20, 2025

Connect a Workgroup device on 802.1x Network with NPS

We have an 802.1X-secured Wi-Fi network using EAP-TLS authentication with machine certificates. Domain-joined devices connect and authenticate successfully.

However, we have a scenario where some non-domain (Workgroup) Windows 11 devices must connect to this network — and they fail to authenticate.

What we've tested so far:

User Certificate Approach:

  • Created a duplicate of the User certificate template.
  • Set Compatibility to Windows Server 2008 (to enable key storage provider support).
  • Set Application Policies to include only Client Authentication.
  • Set Subject Name to Supply in the request.
  • During enrollment, we ensured the UPN in the certificate matches the AD user's UPN (e.g., user@domain).
  • We verified the certificate appears under Published Certificates in the AD user's account.

Machine Certificate Approach:

  • Created a certificate with:
    • CN=host/hostname.domain.local in the Subject
    • DNS=hostname.domain.local in the SAN
    • Client Authentication EKU
  • Ensured the certificate is installed in the Local Machine store with private key.
  • In AD:
    • Created a Computer object matching the machine name.
    • Added the ServicePrincipalName (SPN): host/hostname.domain.local
    • Added altSecurityIdentities: "X509:<I>CN=CA Name,DC=domain,DC=local<S>CN=host/hostname.domain.local"

What we observe in NPS Event Viewer:

Each connection attempt from a Workgroup machine — even with a valid certificate and proper mapping — results in:

Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

We also ensured that:

  • NPS has a valid certificate with Server Authentication EKU
  • The authentication method used is Microsoft: Smart card or other certificate (EAP-TLS)
  • The policies are configured for certificate-based authentication only

The question

How can we make NPS map a client certificate (from a non-domain device) to a user or computer account in Active Directory, so that authentication succeeds?

Are there additional requirements for altSecurityIdentities, or limitations for Workgroup clients that we're missing?
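An added example, not code from either post, showing one way to attach the certificate-to-computer mapping the question asks about: it reads the workgroup device's exported machine certificate, builds an altSecurityIdentities value in the issuer-plus-serial form (listed as a strong mapping in Microsoft's KB5014754), writes it to the pre-created computer object, and registers the HOST/ SPN that the reply below also relied on. Two documented details it handles: the issuer DN and the serial number are written in reverse order relative to how the certificate displays them. The certificate path, computer name and the assumption that no RDN value contains an escaped ", " are placeholders/assumptions.

```powershell
# Added example (not from the original post): build a strong altSecurityIdentities
# mapping for a workgroup device's machine certificate and attach it to the
# pre-created AD computer object. Assumes the exported public certificate is at
# C:\certs\workgroup-host.cer and the computer object is WORKGROUP-HOST (both
# placeholders); run where the ActiveDirectory module and setspn.exe are available.
Import-Module ActiveDirectory

$CertPath     = 'C:\certs\workgroup-host.cer'   # placeholder path
$ComputerName = 'WORKGROUP-HOST'                # placeholder sAMAccountName (without $)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# altSecurityIdentities wants the issuer DN with its RDNs reversed relative to
# the certificate display: "CN=CA Name, DC=domain, DC=local" on the cert
# becomes "DC=local,DC=domain,CN=CA Name" in the mapping string.
function ConvertTo-MappingDN {
    param([string]$Dn)
    # Assumption: no RDN value contains an escaped ", " sequence.
    $rdns = $Dn -split ', '
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

# The serial number is likewise written byte-reversed relative to the displayed value.
function ConvertTo-MappingSerial {
    param([string]$HexSerial)
    $pairs = for ($i = 0; $i -lt $HexSerial.Length; $i += 2) { $HexSerial.Substring($i, 2) }
    [array]::Reverse($pairs)
    return ($pairs -join '')
}

$issuer  = ConvertTo-MappingDN     $cert.Issuer
$serial  = ConvertTo-MappingSerial $cert.SerialNumber
$mapping = "X509:<I>$issuer<SR>$serial"
Write-Host "Mapping string: $mapping"

# -Add is additive, so any existing altSecurityIdentities values are kept.
Set-ADComputer -Identity $ComputerName -Add @{ altSecurityIdentities = $mapping }

# Register HOST/<dns name from the SAN>; -S refuses to create a duplicate SPN.
$dnsName = $cert.GetNameInfo('DnsName', $false)
setspn.exe -S "HOST/$dnsName" $ComputerName

# Read back what is now on the object so the mapping can be compared with the cert.
Get-ADComputer $ComputerName -Properties altSecurityIdentities, servicePrincipalName |
    Select-Object Name, altSecurityIdentities, servicePrincipalName
```

The Write-Host line lets you compare the generated string against the certificate's issuer and serial in certutil output before committing it to the directory.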

1 Reply

  • SecureSysAdmin
    Copper Contributor

    I have been working on a similar 802.1x wired networking test scenario in one of my Labs. I have a Windows Server 2022 DC with AD Certificate Services & Network Policy Server. Very vanilla / base installs with no hardening or specific configuration. I am testing with a Juniper switch configured to authenticate a Standalone Windows laptop. I was able to authenticate a domain joined system relatively easily. I was receiving similar errors to what you were seeing for my standalone system.

    Today, I literally made the breakthrough to get my standalone authenticated. The combo was to issue a certificate with the <hostname>.domain.local in the CN and DNS SAN name. On the AD Computer object, it was the "servicePrincipalName" of "HOST/<hostname>.domain.local".

    The other key was ensuring the client is configured properly.  Importing the CA and Client certificate.  Configuring the Authentication tab for PEAP, but in the advanced settings towards the bottom for authentication to make sure it said "SmartCard or other certificate".  Also to validate the server in both areas, and check the Domain CA.  

    I also tested with just a HOSTNAME in the certificate and SPN and it seemed to work. I hope to do some more testing in the next few days to test different adapters, switch configurations, policies etc in my test Lab.
