Hello, I have configured an NPS server on Server 2019 Standard.
It is authenticating username/password via PEAP and MAC address objects via PAP perfectly.
The only thing failing is EAP-TLS. I have proven that my client-side NIC EAP-TLS configuration is correct as I have had this working in another domain. The only difference is that I am now using a new NPS server which belongs to our new domain.
I can confirm that the test client workstation has the correct new domain CA certificate installed and also that the NPS server has the correct certificates installed and is enabled to perform domain authentication.
I can confirm that the switch NAS configuration is correct because it was working on the old domain with 802.1x. Additionally, I can see the EAP-TLS attempts coming through on the NPS server under the NPS logs.
Does anyone have any ideas as to what might be the problem?
Here is an example of an EAP-TLS request coming in from a Windows 7 workstation. This is as far as it gets, i.e., the client workstation fails authentication and there are no further logs in NPS suggesting what happened:
<Event><Timestamp data_type="4">10/10/2020 12:52:40.359</Timestamp>
<Computer-Name data_type="1">MYNPSSERVER</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<User-Name data_type="1">host/790-GHTTC2S.mydomain.local</User-Name>
<Service-Type data_type="0">2</Service-Type>
<Framed-MTU data_type="0">1500</Framed-MTU>
<Called-Station-Id data_type="1">C4-14-3C-22-E5-27</Called-Station-Id>
<Calling-Station-Id data_type="1">D4-BE-D9-A3-E7-83</Calling-Station-Id>
<NAS-Port-Type data_type="0">15</NAS-Port-Type>
<NAS-Port data_type="0">50239</NAS-Port>
<NAS-Port-Id data_type="1">GigabitEthernet2/0/39</NAS-Port-Id>
<NAS-IP-Address data_type="3">192.168.8.42</NAS-IP-Address>
<Client-IP-Address data_type="3">192.168.8.42</Client-IP-Address>
<Client-Vendor data_type="0">9</Client-Vendor>
<Client-Friendly-Name data_type="1">myswitch</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">CR-Cisco-Wired</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">MYDOMAIN\790-GHTTC2S$</SAM-Account-Name>
<Fully-Qualifed-User-Name data_type="1">MYDOMAIN\790-GHTTC2S$</Fully-Qualifed-User-Name>
<Class data_type="1">311 1 10.17.0.22 09/25/2020 01:46:19 4894</Class>
<Packet-Type data_type="0">1</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code></Event>
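A small triage script for the situation described above, added here as an example and not part of the original post. It reads NPS XML-format log lines (one Event per line, as NPS writes them), groups them by Calling-Station-Id, and reports clients whose last packet from NPS was still an Access-Request or Access-Challenge with no Accept/Reject, which is exactly the "gets this far and stops" pattern. The sample log is constructed: the first line is a trimmed copy of the EAP-TLS event from the post, the other two are a made-up PEAP session that completed normally.

```python
import xml.etree.ElementTree as ET

# RADIUS packet codes as NPS writes them in the <Packet-Type> element.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

# Constructed sample log (three NPS XML events on three lines).
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">10/10/2020 12:52:40.359</Timestamp><Computer-Name data_type="1">MYNPSSERVER</Computer-Name><User-Name data_type="1">host/790-GHTTC2S.mydomain.local</User-Name><Calling-Station-Id data_type="1">D4-BE-D9-A3-E7-83</Calling-Station-Id><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">10/10/2020 12:53:01.100</Timestamp><Computer-Name data_type="1">MYNPSSERVER</Computer-Name><User-Name data_type="1">MYDOMAIN\\jsmith</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-11-22</Calling-Station-Id><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">10/10/2020 12:53:01.350</Timestamp><Computer-Name data_type="1">MYNPSSERVER</Computer-Name><User-Name data_type="1">MYDOMAIN\\jsmith</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-11-22</Calling-Station-Id><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
"""


def parse_events(text):
    """Yield one dict {element-name: text} per <Event> line."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("<Event>"):
            continue
        root = ET.fromstring(line)
        yield {child.tag: child.text for child in root}


def find_stalled_sessions(text):
    """Return {Calling-Station-Id: User-Name} for clients whose most recent
    event is still a Request/Challenge, i.e. NPS never issued Accept/Reject."""
    last_code = {}
    user_for = {}
    for ev in parse_events(text):
        mac = ev.get("Calling-Station-Id")
        last_code[mac] = int(ev.get("Packet-Type", "0"))
        user_for[mac] = ev.get("User-Name")
    return {mac: user_for[mac]
            for mac, code in last_code.items() if code in (1, 11)}


def describe(text):
    """Human-readable lines for the stalled sessions, for console triage."""
    return [f"{mac} ({user}) stalled after {PACKET_TYPES[1]}"
            for mac, user in find_stalled_sessions(text).items()]


if __name__ == "__main__":
    for line in describe(SAMPLE_LOG):
        print(line)
```

Stalled sessions with no Reject are usually a certificate-chain or EAP-type mismatch that the supplicant abandons silently; the NPS operational event log on the server is the next place to look.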