Let me start by mentioning that you should avoid PEAP-MSCHAPv2, as it uses broken cryptography, and if you have an issue like this, it's likely that your credentials can be captured by a rogue/malicious network.
Then, I believe that Windows caches the certificates that have been trusted. So, you may try again: fully remove the SSID and configure it again with just the DigiCert servers. It should not connect, with the message that Ariyap shared. Also, the server name is normally the DNS name of the RADIUS server certificate; it looks like you entered an email address in there. Have you double-checked that the internal CA is not also enabled in the list of Trusted Root CAs?
If the client still connects, I would be worried, but that is a Microsoft issue, as the configuration seems correct to limit the client to connecting only to a RADIUS server that has a certificate with a CN/SAN of NPSINTERNL@internal.mycompany.com and issued by one of the CAs selected.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Nov 24, 2022 04:40 PM
From: stever robichaud
Subject: Question On Protected EAP Properties In WIFI Properties
I am trying to understand what "verify the server identity by validating the certificate" does.
We have a ClearPass server signed by our internal CA. The root CA is installed on the laptops.
In the Windows PEAP properties I chose "connect to these servers" and listed my internal ClearPass server.
For a test I then pointed the trusted root certification server to one of the DigiCert Global Root CAs. I thought by doing this I would fail authentication because my ClearPass server is using a different CA, not the DigiCert Global CA. But to my surprise I was able to connect to the WIFI network.
------------------------------
stever
------------------------------