Azure AD Joined devices - NPS - EAP types "Secured password (EAP-MSCHAP v2)"

Asked by ErjenRijnders-1198

For some time, we have used Meraki Access Points with RADIUS authentication. The NPS configuration is straightforward: we configured a network policy > Authentication Methods > EAP types: "Microsoft: Protected EAP (PEAP)".
On the "Edit" page below EAP type, we used "Secured password (EAP-MSCHAP v2)" and we configured the certificate that must be used.

Now this works great for domain joined devices. Even pre-logon works great, so before the user is logged in we already have Wi-Fi connection.

But for Azure AD Joined devices (using PIN login), this doesn't work as expected. As soon as you try to connect, it asks for a password. If you fill in the password, you are connected. Even if you somehow log in to the network with a password, it also works perfectly. And logging in with a password to the User Account on the Windows Logon screen also works.

In the NPS log, I do see a successful login, even though it's not working. If I check the security event log, it tells me that the logon has failed with "bad username or password".
[Attached screenshot: 2021-05-18-14-53-06-photos.png]

We use Windows Hello for Business (which works great for drive mappings and other applications).

I found a recent blog that could be the problem: https://sysmansquad.com/2021/04/27/working-around-nps-limitations-for-aadj-windows-devices/
Maybe NPS needs to find the computer object. But I want to verify it here first, could that be the problem? I have not configured a condition in NPS that checks for a domain computers group for example.

Can someone shed some light on this problem, why it's failing? Thanks a lot in advance.


Tags: azure-ad-device-management

Jason-MSFT answered:

"Maybe NPS needs to find the computer object."

Not maybe, definitely. The blog you linked to as well as the Q&A thread that it links to calls this out. The blog presents a possible workaround. Other alternatives include only using user auth (meaning there is no pre-logon, device-based auth).

Yes, this is a known issue and in the backlog to be addressed but with no commitment at this time.

(This is unrelated to Intune so I'm removing the Intune tag as well.)


Hi Jason,

Unfortunately, this is not the problem. We checked it multiple times but even with dummy devices, the login fails. We don't use devices in the conditions tab so that can't even be the issue.

Just one more detail to add. As soon as we connect to any SSID that's just using a WPA2 key and then try to access my shares, that works, so WHfB also works fine. After that, I try to connect through RADIUS and I am directly connected. So somehow the WHfB sign-in process must be triggered every time and is failing with NPS.

Any ideas how we could solve this?


Sorry, not following the comment here or what dummy devices have to do with this. NPS when used for device auth (as with 802.1x) requires the devices to have a local AD account. This is fact and is unrelated to WHfB. This may or may not be your only issue, but it is certainly an issue.

ErjenRijnders-1198 answered:

Thank you for the confirmation! I had some doubts because that Q&A didn't mention Windows Hello for Business.
We will try the workaround. Thanks again.


ErjenRijnders-1198 answered:

Thank you Jason for your help. We weren't actually using device auth in NPS, that's what I meant.
Luckily, we found the issue. The issue was related to WHfB because the Wi-Fi settings on the device were configured to use the Windows username and password for automatic sign-on to the Wi-Fi network, but that was failing because of WHfB (as WHfB uses smart card auth).
Unchecking that checkbox solved our issue.
[Attached screenshot: 2021-06-01-20-05-20-windows-10-wireless-setup-info.png]

Thanks again!


Makes sense and glad you found it.

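The fix in the accepted answer is to clear the PEAP/EAP-MSCHAP v2 option "Automatically use my Windows logon name and password" on the Wi-Fi profile. The following PowerShell is an added example, not code from this thread or from Microsoft; it audits saved Wi-Fi profiles for that option so the setting can be verified on a fleet of Azure AD joined devices instead of per device in the UI. It assumes Windows 10, an elevated PowerShell session, and that `netsh wlan export profile` writes the standard profile XML, in which this option appears as the `UseWinLogonCredentials` element under the MS-CHAP v2 inner method. The function name, the variable names and the sample profile are this example's own constructions.

```powershell
# Added example (not from the thread or from Microsoft): audit saved WLAN
# profiles for the PEAP / EAP-MSCHAP v2 option "Automatically use my Windows
# logon name and password", which the thread identifies as the cause of the
# password prompt on Azure AD joined devices that sign in with Windows Hello
# for Business. Assumed: Windows 10, elevated session, netsh available.

function Get-WlanLogonCredentialSetting {
    # Parse one exported WLAN profile XML string and report whether the
    # EAP-MSCHAP v2 inner method is set to reuse the Windows logon credentials.
    param([Parameter(Mandatory)][string]$ProfileXml)

    [xml]$doc = $ProfileXml
    # The profile nests several XML namespaces; local-name() sidesteps them.
    $name = $doc.SelectSingleNode("/*[local-name()='WLANProfile']/*[local-name()='name']").InnerText
    $auth = $doc.SelectSingleNode("//*[local-name()='authentication']").InnerText
    $flag = $doc.SelectSingleNode("//*[local-name()='UseWinLogonCredentials']")

    # Absent element (for example on a PSK-only profile) counts as "not set".
    $uses = $false
    if ($null -ne $flag -and $flag.InnerText.Trim() -eq 'true') { $uses = $true }

    [pscustomobject]@{
        ProfileName            = $name
        Authentication         = $auth
        UsesWinLogonCredential = $uses
    }
}

# Constructed sample profile, trimmed to the elements this check reads; a real
# export contains more. It shows the setting the thread says must be cleared.
$sampleProfile = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi-Sample</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                  <Type>26</Type>
                  <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                    <UseWinLogonCredentials>true</UseWinLogonCredentials>
                  </EapType>
                </Eap>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
'@

# Offline check against the constructed sample: reports the setting as enabled.
Get-WlanLogonCredentialSetting -ProfileXml $sampleProfile | Format-Table -AutoSize

# Live audit: export every saved profile (no key material requested) and run
# the same check over each file, listing only profiles that still have the
# option enabled.
$exportDir = Join-Path $env:TEMP 'wlan-profile-audit'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
netsh wlan export profile folder="$exportDir" | Out-Null

Get-ChildItem -Path $exportDir -Filter '*.xml' |
    ForEach-Object { Get-WlanLogonCredentialSetting -ProfileXml (Get-Content -Path $_.FullName -Raw) } |
    Where-Object { $_.UsesWinLogonCredential } |
    Format-Table -AutoSize
```

Profiles listed by the live audit are the ones on which the checkbox from the answer is still set; on a WHfB device they will prompt for a password exactly as the question describes, since the logon-credential reuse has no password to send. The export is written without `key=clear`, so no pre-shared keys land in the audit folder.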