- Staff unable to connect to a new SSID.
- Authenticators report an ‘access-reject’ being returned from the NPS/RADIUS server.
- NPS rejecting with reason code 16 (Bad username/password)
- You see NPS logs where you have an auth type of “PEAP” but the “EAP Type” is null / “-“
General background: dot1x/AD authentication for network connections can use either EAP or PEAP. EAP requires a valid certificate on the access point as well as on the NPS/RADIUS server. PEAP is transparent and you only need a valid certificate on the RADIUS/NPS server. By Valid – I mean trusted by the client; it does not need to explicitly be a public ca.
- NPS Server is configured to serve a certificate with a wildcard in the subject “*.yarracm.com” as an example.
- The original SSID has “do not validate ssl certificate”
So in the new SSID the client is sent a certificate which has an invalid name, this invalid name. Because the certificate isn’t trusted it then doesn’t send the MSCHAPv2 credentials so you essentially are trying to login with a username but no password.