Workaround for Wildcard in Radius Wifi Setup



  • Staff unable to connect to a new SSID.
  • Authenticators report an ‘access-reject’ being returned from the NPS/RADIUS server.
  • NPS rejecting with reason code 16 (Bad username/password)
  • You see NPS logs where you have an auth type of “PEAP” but the “EAP Type” is null / “-“

General background: dot1x/AD authentication for network connections can use either EAP or PEAP. EAP requires a valid certificate on the access point as well as on the NPS/RADIUS server. PEAP is transparent and you only need a valid certificate on the RADIUS/NPS server. By Valid – I mean trusted by the client; it does not need to explicitly be a public ca.


  • NPS Server is configured to serve a certificate with a wildcard in the subject “*” as an example.

  • The original SSID has “do not validate ssl certificate”

So in the new SSID the client is sent a certificate which has an invalid name, this invalid name. Because the certificate isn’t trusted it then doesn’t send the MSCHAPv2 credentials so you essentially are trying to login with a username but no password.

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)