Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Windows 7 and Windows 8 - 802.1x profiles...

  • 1.  Windows 7 and Windows 8 - 802.1x profiles...

    Posted Dec 23, 2013 03:11 PM

    I have a customer indicating that their Windows laptops (not sure what OS) used to automatically connect to their backend Windows RADIUS server via 802.1x (i.e. they would click on the secure SSID and it would prompt them for their username and password).

     

    Sometime over the past few months, this changed and they now need to create a wireless network profile and un-check validate server cert and do not use their Windows logon credentials.  This is now a real pain.

     

    I have not been able to check and see if this is Windows 7 and 8 only or if it also happened on Windows XP.  By the way, on iOS or OS X all works normally and Apple prompts them to install an untrusted certificate.

     

    Any ideas?



  • 2.  RE: Windows 7 and Windows 8 - 802.1x profiles...

    EMPLOYEE
    Posted Dec 23, 2013 03:15 PM

    Are they getting an error when trying to connect without a profile? Unchecking validate server certificate is not a good idea. Did they change the PEAP certificate? If the profile is set to only trust a particular CA, then a new certificate signed by a different CA will cause the connection to fail. (This is by design for security reasons.)

     

    Are these domain-joined computers? Windows will automatically use Windows credentials (which includes a realm, i.e. DOMAIN\tim) when you first connect to an enterprise SSID.
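
An added example (not part of the thread, and not HPE Aruba or Microsoft code): a Python check of the PEAP settings discussed in the reply above, run over a constructed, abbreviated fragment of an exported Windows WLAN profile. The server name, the thumbprint and the treatment of a missing PerformServerValidation element as "validation on" are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated PEAP fragment of an exported Windows WLAN profile.
# Server name and thumbprint below are made-up sample values, not from the thread.
NS = "http://www.microsoft.com/provisioning/"
TEMPLATE = """<EapType xmlns="{ns}MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <ServerNames>{names}</ServerNames>
    {root}
  </ServerValidation>
  <Eap xmlns="{ns}BaseEapConnectionPropertiesV1"><Type>26</Type>
    <EapType xmlns="{ns}MsChapV2ConnectionPropertiesV1">
      <UseWinLogonCredentials>{winlogon}</UseWinLogonCredentials>
    </EapType>
  </Eap>
  <PeapExtensions>
    <PerformServerValidation xmlns="{ns}MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
  </PeapExtensions>
</EapType>"""

def sample(validate, winlogon, names="", root=""):
    """Build a constructed profile fragment for the demo below."""
    return TEMPLATE.format(ns=NS, validate=validate, winlogon=winlogon, names=names, root=root)

def audit_peap(xml_text):
    """Return a list of findings for the PEAP settings in a profile fragment."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        values.setdefault(name, []).append((el.text or "").strip().lower())
    def first(key, default):
        return (values.get(key) or [default])[0]
    findings = []
    # Assumption: a profile without PerformServerValidation validates the server.
    if first("PerformServerValidation", "true") == "false":
        findings.append("server certificate validation is disabled")
        if first("UseWinLogonCredentials", "false") == "true":
            findings.append("Windows logon credentials are used without server validation")
    else:
        if not any(values.get("TrustedRootCA", [])):
            findings.append("no trusted root CA is selected")
        if not any(values.get("ServerNames", [])):
            findings.append("no RADIUS server name is specified")
    return findings

WEAK = sample("false", "true")
PINNED = sample("true", "false", "radius.example.com",
                "<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>")
if __name__ == "__main__":
    for label, xml in (("weak", WEAK), ("pinned", PINNED)):
        print(label, audit_peap(xml) or "ok")
```

A profile that pins one root CA, like the second sample, is the case where a replacement certificate from a different CA stops clients from connecting until the profile is updated.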

     

     



  • 3.  RE: Windows 7 and Windows 8 - 802.1x profiles...

    Posted Dec 23, 2013 03:17 PM

    They are not getting an error on the client side.  It just does not connect (have to set up a wireless network profile manually).

     

    These are domain computers.



  • 4.  RE: Windows 7 and Windows 8 - 802.1x profiles...

    EMPLOYEE
    Posted Dec 23, 2013 03:19 PM

    Any logs for the connection attempt on the RADIUS server? Also, try show auth-tracebuf <macaddress> to see the EAP messages.

     

    What is the root CA for the PEAP server certificate? Can you try turning back on validate cert and check the box for the appropriate root CA?

     

     



  • 5.  RE: Windows 7 and Windows 8 - 802.1x profiles...

    EMPLOYEE
    Posted Dec 23, 2013 05:00 PM

    To look at the auth-trace output, you need to put a user's MAC address in user-debug mode:

     

    (config)# logging level debugging user-debug <mac address>



  • 6.  RE: Windows 7 and Windows 8 - 802.1x profiles...

    Posted Mar 01, 2014 05:10 AM

    I saw this myself. What I found was that Dutch Windows versions don't connect automatically (well, you click the SSID and it works) but English ones do.

     

    Were foreign versions involved for you also?