One of the laptop could not log on the campus WIFI with machine account.
Found the log in Event viewer on NPS server:
Network Policy Server denied access to a user.Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information. User: Security ID: DOMAIN\2017-P446-SARS$ Account Name: host/2017-P446-SARS.xxx.xxx Account Domain: DOMAIN Fully Qualified Account Name: xxx.xxx/xxx Authentication Details: Connection Request Policy Name: xxxxx Network Policy Name: xxxxx Authentication Provider: Windows Authentication Server: xxx.xxx.xxxx Authentication Type: PEAP EAP Type: - Account Session Identifier: 35653332323539622F30303A32343A64363A63313A38373A34332F39343338 Logging Results: Accounting information was written to the local log file. Reason Code: 265 Reason: The certificate chain was issued by an authority that is not trusted.
The line we should pay attention is “Authentication Type: PEAP”, and “Reason: The certificate chain was issued by an authority that is not trusted.”
Log on the NPS server:
Go to the Polices > Network Policies > right click the policy xxxxx , click properties, > click Constraints tab, click Authentication Methods > find the Microsoft: Protected EAP (PEAP) and select it, click Edit button. Note down the Certificate info here. click Cancel to close all the windows.
Log on the client machine:
type mmc.exe, add Certificates Snap-in, choose Local Computer, under Trusted Root Certification Authorities, see if the certificate you noted down is here, if not, import it from your CA server.