\u00a0<\/p>
![\"\"](\"http:\/\/pariswells.com\/blog\/wp-content\/uploads\/2022\/09\/img_631af396b2d44.png\")
<\/p>
\u00a0<\/p>
General background: dot1x\/AD authentication for network connections can use either EAP or PEAP. EAP requires a valid certificate on the access point as well as on the NPS\/RADIUS server. PEAP is transparent and you only need a valid certificate on the RADIUS\/NPS server. By Valid \u2013 I mean trusted by the client; it does not need to explicitly be a public ca.<\/p>
\u00a0<\/p>
Cause:<\/p>
- NPS Server is configured to serve a certificate with a wildcard in the subject \u201c*.yarracm.com\u201d as an example.<\/li><\/ul>
![\"\"](\"http:\/\/pariswells.com\/blog\/wp-content\/uploads\/2022\/09\/img_631af3ed3c3b2.png\")
<\/p>\u00a0<\/p>
- The original SSID has \u201cdo not validate ssl certificate\u201d<\/li><\/ul>
![\"\"](\"http:\/\/pariswells.com\/blog\/wp-content\/uploads\/2022\/09\/img_631af3963cc0f.png\")
<\/p>\u00a0<\/p>
\u00a0<\/p>
So in the new SSID the client is sent a certificate which has an invalid name, this invalid name. Because the certificate isn\u2019t trusted it then doesn\u2019t send the MSCHAPv2 credentials so you essentially are trying to login with a username but no password.<\/p>
\u00a0<\/p>","protected":false},"excerpt":{"rendered":"
\u00a0Staff unable to connect to a new SSID.Authenticators report an \u2018access-reject\u2019 being returned from the NPS\/RADIUS server.NPS rejecting with reason code 16 (Bad username\/password)You see NPS logs […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[3974,3976,3975,2782,2551,2481],"class_list":["post-6151","post","type-post","status-publish","format-standard","hentry","category-research","tag-authentication-failed-due-to-user-credentials-mistmatch","tag-either-the-user-name-provided-does-not-map","tag-peap","tag-radius","tag-wifi","tag-wildcard"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6151","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=6151"}],"version-history":[{"count":1,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6151\/revisions"}],"predecessor-version":[{"id":6158,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6151\/revisions\/6158"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=6151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=6151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=6151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- The original SSID has \u201cdo not validate ssl certificate\u201d<\/li><\/ul>