Forum Discussion

AndreITQ's avatar
AndreITQ
Copper Contributor
May 20, 2025

Connect a Workgroup device on 802.1x Network with NPS

We have an 802.1X-secured Wi-Fi network using EAP-TLS authentication with machine certificates. Domain-joined devices connect and authenticate successfully.

However, we have a scenario where some non-domain (Workgroup) Windows 11 devices must connect to this network — and they fail to authenticate.

What we've tested so far:

User Certificate Approach:

  • Created a duplicate of the User certificate template.
  • Set Compatibility to Windows Server 2008 (to enable key storage provider support).
  • Set Application Policies to include only Client Authentication.
  • Set Subject Name to Supply in the request.
  • During enrollment, we ensured the UPN in the certificate matches the AD user's UPN (e.g., mailto:user@domain).
  • We verified the certificate appears under Published Certificates in the AD user's account.

Machine Certificate Approach:

  • Created a certificate with:
    • CN=host/hostname.domain.local in the Subject
    • DNS=hostname.domain.local in the SAN
    • Client Authentication EKU
  • Ensured the certificate is installed in the Local Machine store with private key.
  • In AD:
    • Created a Computer object matching the machine name.
    • Added the ServicePrincipalName (SPN): host/hostname.domain.local
    • Added altSecurityIdentities: "X509:<i>CN=CA Name,DC=domain,DC=local<s>CN=host/hostname.domain.local</s></i>"

       

 

What we observe in NPS Event Viewer:

Each connection attempt from a Workgroup machine — even with valid certificate, and proper mapping — results in:

Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

We also ensured that:

  • NPS has a valid certificate with Server Authentication EKU
  • The authentication method used is Microsoft: Smart card or other certificate (EAP-TLS)
  • The policies are configured for certificate-based authentication only

The question

How can we make NPS map a client certificate (from a non-domain device) to a user or computer account in Active Directory, so that authentication succeeds?

Are there additional requirements for altSecurityIdentities, or limitations for Workgroup clients that we're missing?

Active Directory
computer authentication
Networking
nps
windows 11
Wireless
No RepliesBe the first to reply

Resources