This is an automated archive made by the Lemmit Bot.

The original was posted on /r/sysadmin by /u/Laxarus on 2026-03-28 14:32:47+00:00.


This is becoming frustrating for me now.

Environment:

Servers: ADCS, DC, etc. all use Windows Server 2025

Clients: Windows 11 Enterprise

Trying to set up PEAP EAP-TLS.

All insecure methods unchecked in NPS.

I have read all about the requirements in Microsoft Docs

https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements#minimum-server-certificate-requirements

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap

Created my cert templates according to the docs and published them.

Straight EAP-TLS works fine (selecting only the “Microsoft: Smart Card or other certificate (EAP-TLS)”) but as soon as I encapsulate EAP-TLS with PEAP, it fails.

When setting up PEAP in NPS, only “Microsoft: Smart Card or other certificate (EAP-TLS)” is selected, no EAP-MSCHAPv2, but still, when trying to connect to wifi using PEAP EAP-TLS, it asks me for a username and password, whereas straight EAP-TLS connects directly.

I have not yet deployed a GPO to auto-connect, so I am testing manually, trying to connect to wifi.

When using PEAP EAP-TLS, the event logs generate two entries with event ID 6273, one for the user and one for the computer. I am not sure why the user event is even registered, since I don't have any MSCHAP options enabled.

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID:DOMAIN\user
Account Name:user@domain.com
Account Domain:DOMAIN
Fully Qualified Account Name:domain.com/OU/user

Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
Called Station Identifier:E6-38-12-41-DA-21:wifi
Calling Station Identifier:84-9A-51-61-45-CA

NAS:
NAS IPv4 Address:192.168.1.6
NAS IPv6 Address:-
NAS Identifier:e6388325dd21
NAS Port-Type:Wireless - IEEE 802.11
NAS Port:1

RADIUS Client:
Client Friendly Name:Unifi
Client IP Address:192.168.1.6

Authentication Details:
Connection Request Policy Name:test
Network Policy Name:Unifi wifi
Authentication Provider:Windows
Authentication Server:WINSERVER1.domain.com
Authentication Type:EAP
EAP Type:-
Account Session Identifier:42373443354146383235334530434530
Logging Results:Accounting information was written to the local log file.
Reason Code:22
Reason:The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

And for the computer:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID:DOMAIN\PC$
Account Name:host/PC.domain.com
Account Domain:DOMAIN
Fully Qualified Account Name:domain.com/OU/PCs/Windows PCs/Windows Computers/Windows 11 Computers/PC

Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
Called Station Identifier:E6-38-12-41-DA-21:wifi
Calling Station Identifier:84-9A-51-61-45-CA

NAS:
NAS IPv4 Address:192.168.1.6
NAS IPv6 Address:-
NAS Identifier:e6388325dd21
NAS Port-Type:Wireless - IEEE 802.11
NAS Port:1

RADIUS Client:
Client Friendly Name:Unifi
Client IP Address:192.168.1.6

Authentication Details:
Connection Request Policy Name:test
Network Policy Name:Unifi wifi
Authentication Provider:Windows
Authentication Server:WINSERVER1.domain.com
Authentication Type:PEAP
EAP Type:-
Account Session Identifier:30423230453941343330464433433831
Logging Results:Accounting information was written to the local log file.
Reason Code:300
Reason:No credentials are available in the security package

Did anyone come across a similar issue? How did you solve this?
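As an added example (not from the original post or from Microsoft), the following PowerShell snippet, run on the NPS server with rights to read the Security log, summarises the most recent 6273 rejections by account, authentication type and reason code, so PEAP attempts (reason 300 above) and straight EAP-TLS attempts (reason 22 above) can be compared side by side. It parses the rendered message text with a regex, which assumes the field layout shown in the events above; the function and variable names are the example's own.

```powershell
# Added example: triage NPS event 6273 ("denied access") entries on the NPS server.
# Assumes the Security log is readable and the message layout matches the events
# quoted above ("Authentication Type:", "EAP Type:", "Reason Code:", "Reason:").
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } `
                       -MaxEvents 200 -ErrorAction Stop

# Extract one "Name:value" field from the rendered message. The first match wins,
# so "Account Name" resolves to the User section, not the Client Machine section.
function Get-NpsField {
    param([string]$Message, [string]$Name)
    $pattern = "(?m)^\s*$([regex]::Escape($Name)):\s*(.*?)\s*$"
    if ($Message -match $pattern) { return $Matches[1] }
    return '-'
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = Get-NpsField $e.Message 'Account Name'
        AuthType   = Get-NpsField $e.Message 'Authentication Type'   # EAP vs PEAP
        EapType    = Get-NpsField $e.Message 'EAP Type'
        ReasonCode = Get-NpsField $e.Message 'Reason Code'
        Reason     = Get-NpsField $e.Message 'Reason'
        Client     = Get-NpsField $e.Message 'Calling Station Identifier'  # client MAC
    }
}

# Per-attempt view: newest first, so the user/computer pair for one connection
# attempt (same Client MAC, seconds apart) lands next to each other.
$rows | Sort-Object Time -Descending |
    Format-Table Time, Account, AuthType, EapType, ReasonCode, Client -AutoSize

# Aggregate view: which (AuthType, ReasonCode) combinations dominate.
$rows | Group-Object AuthType, ReasonCode |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Filter the per-attempt view on a single client MAC to confirm whether every PEAP attempt yields the same user/computer pair, or whether only one of the two identities is being rejected.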