One of the laptops could not log on to the campus Wi-Fi with its machine account.

Found this entry in Event Viewer on the NPS server:


Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
Security ID: DOMAIN\2017-P446-SARS$
Account Name: host/ 
Account Domain: DOMAIN 
Fully Qualified Account Name: 
Authentication Details: 

Connection Request Policy Name: xxxxx

Network Policy Name: xxxxx

Authentication Provider: Windows 

Authentication Server:

Authentication Type: PEAP 

EAP Type: -

Account Session Identifier: 35653332323539622F30303A32343A64363A63313A38373A34332F39343338

Logging Results: Accounting information was written to the local log file. 

Reason Code: 265 

Reason: The certificate chain was issued by an authority that is not trusted.

The lines to pay attention to are “Authentication Type: PEAP” and “Reason: The certificate chain was issued by an authority that is not trusted.”

Log on to the NPS server:

Go to Policies > Network Policies, right-click the policy xxxxx and click Properties. On the Constraints tab, click Authentication Methods, select Microsoft: Protected EAP (PEAP) and click Edit. Note down the certificate information shown here, then click Cancel to close all the windows.

Log on to the client machine:

Run mmc.exe, add the Certificates snap-in and choose Local Computer. Under Trusted Root Certification Authorities, check whether the certificate you noted down is there; if not, import it from your CA server.
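
The same client-side check can be scripted. This is an added example, not part of the original note: it looks for the CA certificate in the Local Computer Trusted Root store and imports it only if it is missing. The file path and the expected thumbprint are placeholders you must replace with the values from your own CA server.

```powershell
# Added example. Run in an elevated PowerShell prompt on the client.
# Both parameter defaults are placeholders (assumptions), not values from the event log.
param(
    [string]$CaCertPath         = 'C:\Temp\root-ca.cer',   # .cer exported from your CA server
    [string]$ExpectedThumbprint = ''                        # thumbprint read on the CA server itself
)
$ErrorActionPreference = 'Stop'

# Load the exported certificate from disk without touching any store yet.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath
Write-Host "Subject   : $($ca.Subject)"
Write-Host "Thumbprint: $($ca.Thumbprint)"
Write-Host "Expires   : $($ca.NotAfter)"

# Trusting a root is a machine-wide decision, so confirm the file is the
# certificate you expect before importing it.
if ($ExpectedThumbprint) {
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
    if ($ca.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: the file does not match the value from the CA server."
    }
}

# A root CA certificate is self-signed (subject equals issuer). An issuing or
# intermediate CA certificate does not belong in Trusted Root.
if ($ca.Subject -ne $ca.Issuer) {
    throw "Not a root certificate (issuer: $($ca.Issuer)); not importing into Trusted Root."
}
if ($ca.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($ca.NotAfter)."
}

# Same store the snap-in shows as
# Local Computer > Trusted Root Certification Authorities.
$store = 'Cert:\LocalMachine\Root'
$found = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }

if ($found) {
    Write-Host "Already present in $store; the trust problem lies elsewhere in the chain."
} else {
    Import-Certificate -FilePath $CaCertPath -CertStoreLocation $store | Out-Null
    Write-Host "Imported into $store. Retry the Wi-Fi connection."
}
```

If the certificate is already present, compare the issuer shown in the NPS PEAP properties with the client's store again; an intermediate CA missing between the server certificate and the root produces the same Reason Code 265.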