Win7 not accepting cert from NPS - WPA2-Enterprise

Cooky

Golden Member
Apr 2, 2002
An environment I'm working on has Cisco WLC, MS NPS RADIUS server, and some clients doing WPA2-Enterprise authentication.
For some reason, all the endpoints work, except Win7 clients.

With either self-signed or publicly signed certs, Win7 would prompt for username/password, but after clicking OK, authentication would fail.

Win7 does NOT prompt the user to accept the cert, while NPS has a log entry saying the cert is not trusted.
Why would Win7 not prompt the user to accept the cert, and how do we enable that prompt?

Cooky

Golden Member
Apr 2, 2002
Thank you for the link.

The step to uncheck the option to validate the server cert is exactly what we did as a temporary workaround in our test lab.
However, this is a higher-ed, college environment, where manually configuring that option isn't going to be feasible.

I don't remember having to do this extra step in any of my previous WPA2-Enterprise deployments... did Win7 clients change this behavior somehow in the past year or two?

BTW - do you really look like the picture in your profile??

Elizine

Member
Aug 15, 2015
In Win 7 Pro, open the Connection Properties and check the Security tab:

Under Advanced Settings >> check that "Specify authentication mode" is set to "User or computer authentication".

Under Settings (beside the network authentication method dropdown) >> ensure the check boxes are selected and the appropriate server is in the "Connect to these servers" box. Further down in the PEAP properties, we have the authentication method set to EAP-MSCHAP v2.

Cooky

Golden Member
Apr 2, 2002
Thanks but we never had to change anything for Win7 clients to connect to WPA2-Enterprise.

After we changed the CN of the cert to another name and created a DNS entry for it, clients are now prompted with a warning. (The cert was signed by a public CA, but the signing cert isn't popular enough to be trusted by clients by default.)

So... do Windows clients do a DNS lookup on the CN to see if there's an A record, and if not, just silently drop the authentication?!
None of the other clients we tested had this behavior... Mac, iPhone, and Android.
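The two things a PEAP client checks before it will talk to the RADIUS server are whether the NPS certificate chains to a root in its Trusted Root store and whether the certificate's name matches the profile's "Connect to these servers" list. The PowerShell script below, an added example that is not from any poster in this thread, runs both checks on a Windows client against an exported copy of the NPS server certificate; the file path and the server name are placeholders you would replace with your own.

```powershell
# Added example (not from the thread): test whether this Windows client would trust the
# NPS/RADIUS server certificate used for PEAP, and whether its names match the profile.
# Assumptions: the server cert was exported (DER or Base64) to the hypothetical path below;
# $TrustedServerNames holds the names typed into "Connect to these servers".
param(
    [string]$CertPath = 'C:\temp\nps-server.cer',
    [string[]]$TrustedServerNames = @('radius.example.edu')
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Build the chain from this machine's own certificate stores, the way the supplicant does.
# Revocation checking is disabled so an offline lab does not hide the trust result.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

"Subject               : $($cert.Subject)"
"Issuer                : $($cert.Issuer)"
"Valid                 : $($cert.NotBefore) -> $($cert.NotAfter)"
"Chains to trusted root: $chainOk"
if (-not $chainOk) {
    # UntrustedRoot / PartialChain here is the client-side view of the
    # "certificate is not trusted" message seen in the NPS log.
    $chain.ChainStatus | ForEach-Object { "  - $($_.Status): $($_.StatusInformation.Trim())" }
}

# Collect the DNS names the certificate carries: subject CN plus any SAN dNSName entries.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$sans = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) { $sans = ($sanExt.Format($false) -split ', ') -replace '^DNS Name=', '' }
$names = @($cn) + $sans | Where-Object { $_ } | Select-Object -Unique
"Names in certificate  : $($names -join ', ')"

# The profile's server-name check must find at least one of the configured names in the cert.
$matched = $TrustedServerNames | Where-Object { $names -contains $_ }
"Matches profile names : $(if ($matched) { $matched -join ', ' } else { 'NONE' })"

# NPS presents the cert for PEAP only if it carries the Server Authentication EKU.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
"Server Authentication EKU: $hasServerAuth"
```

Run it on a working client (Mac or Android cannot run it, but a Win7 machine that fails and one that succeeds can be compared) and the chain status line will show whether the failure is the untrusted signing CA or a name mismatch, which is the distinction the wireless UI hides when no prompt appears.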