We have a CP 220.127.116.11567 and have loaded a wildcard server cert with the full chain; the intermediate certs are also trusted.
We can get iOS, Mac OS and Android devices successfully onboarded and then use EAP-TLS to connect to a secure SSID.
All this works fine except for Windows devices running Win7, which can't connect after a successful onboarding process.
Please refer to: http://support.microsoft.com/kb/814394
- The computer certificate on the server chains to one of the following:
  - A trusted Microsoft root CA.
  - A Microsoft stand-alone root or third-party root CA in an Active Directory domain that has an NTAuthCertificates store that contains the published root certificate. For more information about how to import third-party CA certificates, click the following article number to view the article in the Microsoft Knowledge Base: 295663
- The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.
- The computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and it does not fail any one of the requirements in the remote access policy.
- The name in the Subject line of the server certificate matches the name that is configured on the client for the connection.
- For wireless clients, the Subject Alternative Name (SubjectAltName) extension contains the server's fully qualified domain name (FQDN).
- If the client is configured to trust a server certificate with a specific name, the user is prompted to make a decision about trusting a certificate with a different name. If the user rejects the certificate, authentication fails. If the user accepts the certificate, the certificate is added to the local computer trusted root certificate store.
It is a server cert validation issue. If we manually uncheck it on the client, it will work.
Navigate to "Control Panel\Network and Internet\Network and Sharing Center" and click on "Manage Wireless Networks".
Right-click on the wireless network connection for the Onboard SSID and go to Properties.
Click on Settings and uncheck the "Validate server certificate" option.
Save the settings and try to authenticate again. It would work now.
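Rather than turning off validation on every client, an administrator can check the server cert against the KB 814394 requirements quoted above. The PowerShell script below is an added example and not part of the original post; it assumes the cert was exported to the placeholder path C:\temp\server.cer and that clients are configured with the placeholder FQDN radius.example.com.

```powershell
# Added example: check a RADIUS/EAP server certificate against the KB 814394 requirements.
# CertPath and ServerFqdn are placeholders; replace them with the exported cert and the
# name the Win7 clients are configured to expect.
param(
    [string]$CertPath   = 'C:\temp\server.cer',
    [string]$ServerFqdn = 'radius.example.com'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Enhanced Key Usage must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $false
if ($ekuExt) {
    $hasServerAuth = @($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }).Count -gt 0
}

# 2. Subject Alternative Name must contain the server FQDN. Format($true) renders the
#    extension as one "DNS Name=<name>" line per entry.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @()
if ($sanExt) {
    $dnsNames = @($sanExt.Format($true) -split "`r?`n" |
        ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() } })
}
$exactSan = $dnsNames -contains $ServerFqdn
# A wildcard entry (e.g. *.example.com) covering the FQDN is reported separately, because it is
# not the same as the exact-FQDN entry the KB asks for. -like is looser than RFC wildcard rules.
$wildcardSan = @($dnsNames | Where-Object { $_.StartsWith('*.') -and ($ServerFqdn -like $_) }).Count -gt 0

# 3. The chain must build to a root this machine trusts; ChainStatus explains any failure.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    Subject            = $cert.Subject
    HasServerAuthEku   = $hasServerAuth
    SanDnsNames        = ($dnsNames -join ', ')
    SanHasExactFqdn    = $exactSan
    SanWildcardMatches = $wildcardSan
    ChainBuilds        = $chainOk
    ChainStatus        = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}
```

Run it on a Win7 client that fails: a False in HasServerAuthEku, SanHasExactFqdn or ChainBuilds points at the condition the client is rejecting, so the cert can be reissued instead of validation being disabled.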