topic Re: Radius Clients no longer connecting after updating Windows Server 2022 with 2025-06 update in Wireless

Radius Clients no longer connecting after updating Windows Server 2022 with 2025-06 update

JordanN — Mon, 07 Jul 2025 19:54:48 GMT

We have 6 sites that each have a DC. The DC also operates as the Windows NPS (Network Policy Server) performing the RADIUS authentication. We have an SSID setup called "Secured" configured as follows:

Security - Enterprise with my RADIUS server

WiFi Personal Network - Disabled

WPA Encryption - WPA2 Only

802.11r - Disabled

802.11w - Disabled

Splash Page - None

RADIUS is on site DC using port 1812

External DHCP in Bridge mode

I followed this article (or a similar previous one) using the NPS +AD configuration:

Configuring RADIUS Authentication with WPA2-Enterprise - Cisco Meraki Documentation

All the domain computers are setup with a GPO that has them auto-enroll and auto-renew their certificates. They expire at random times so it is not due to a expiration on the client. The Windows CA server does not appear to expire until mid 2027.

This has been working perfectly for about 2 years, but over the weekend we applied the Windows Server 2022 21H2 Cumulative Update for 2025-06. This morning we discovered that the Secured wireless SSID could no longer authenticate any clients on that SSID.

We have 3 other SSIDs that did not appear to be affected. A Guest that uses sponsored logons. An Employee Personal that also uses sponsored logons. The third also uses RADIUS, but only does MAC authentication and appears to work fine.

We also use the AnyConnect client for VPN access and also have that setup with Certificate authentication as well (user based certs). This appears to be working fine.

Nothing other than applying that cumulative update was done over the weekend. All the servers were rebooted a couple of times and rechecked for any additional patches just to be sure they are up to date until our next maintenance window.

Just curious if anyone else has experience something similar after applying a cumulative update.

Re: Radius Clients no longer connecting after updating Windows Server 2022 with 2025-06 update

aleabrahao — Mon, 07 Jul 2025 20:08:45 GMT

It's a little older., but, according to Microsoft KB5043417, the update introduced a security enhancement that enforces stricter compliance with RADIUS standards.

KB5043417: RADIUS authentication to NPS might fail with the July 2024 security update and later updates - Microsoft Support

In this case, please make sure your Meraki devices are running the latest firmware, and if possible I suggest you open a support case.

Re: Radius Clients no longer connecting after updating Windows Server 2022 with 2025-06 update

Brash — Mon, 07 Jul 2025 23:56:18 GMT

What was the Windows version prior to deploying the cumulative updates?

As @alessandrodematos said, Microsoft introduced additional security measures with 802.1x certificates and NPS. This was introduced last year with an option to ignore but became mandatory earlier this year.

Additionally, what are the NPS event logs showing?

The error there should give some indication of where to look.

Re: Radius Clients no longer connecting after updating Windows Server 2022 with 2025-06 update

JordanN — Tue, 08 Jul 2025 02:29:01 GMT

The servers are all Windows Server 2022. Proir to applying the Cumulative Update 2025-06, it could have been a year since they were all patched because we only shutdown for maintenance once a year. The only other significant patch that was applied was a .Net cumulative update as well.

In the meraki dashboard in the connection log, I am seeing these messages:

Client failed 802.1X authentication to the RADIUS server.
auth_mode='wpa2-802.1x' radius_proto='ipv4' radius_ip='192.168.xxx.yyy' reason='radius_login_failure' radio='1' vap='3' channel='44' rssi='30'

In Windows Event viewer I am seeing:

Event ID 39

Kerberos-Key-Distribution-Center

The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more.

User: mycomputer$
Certificate Subject: @@@CN=ABC-USERPC.corp.mydomain.com
Certificate Issuer: corp-myCAServerName
Certificate Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Certificate Thumbprint: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Certificate Issuance Policies:

It could just be that I need to update my configurations on my NPS servers (DCs). My Meraki firmware is up to date as of less than one month ago. Is there a new article on how to configure wireless clients to use NPS + AD authentication?

Re: Radius Clients no longer connecting after updating Windows Server 2022 with 2025-06 update

Brash — Tue, 08 Jul 2025 03:31:08 GMT

As the NPS error indicates, this is due to the introduction of strong mapping for certificates.

From memory, the actual change for this is with the update on the domain controller, not the NPS.

You will need to look at implementing some sort of strong mapping for certificates and reissuing them.

For anything domain joined, newly issued certificates will automatically have the strong mapping. Existing certificates need to be re-issued to have the strong mapping.

For Intune SCEP certificates, you need to update your SCEP configuration and reissue certificates

For anything else non-domain joined, you need to look at the applicable documentation for what option is best.

KB5014754: Certificate-based authentication changes on Windows domain controllers - Microsoft Support

Re: Radius Clients no longer connecting after updating Windows Server 2022 with 2025-06 update

JordanN — Tue, 08 Jul 2025 12:32:45 GMT

Thank Brash,

One thing I forgot to include in my original post was that only 1 site's DC was still working. It got the same updates over the weekend, but this one is still working wich is unexpected given all the info you and others have provided.

I pointed all the Meraki sites SSIDs to that DC to get back up and running, but after reading the article you posted, I am wondering if this is just a ticking timebomb and will fail in September 2025.

Re: Radius Clients no longer connecting after updating Windows Server 2022 with 2025-06 update

JordanN — Tue, 08 Jul 2025 15:13:07 GMT

After doing some more research on the issue I would like to see if the steps I have put together will resolve the issue. It appears as though the problem is my clients are getting a Schema 1 version of a certificate (Windows 2003/XP compatible) instead of at least Schema 3 versions or higher with of a cert template.

Here is what I have setup ready to deploy

Copy the certificate template that I am currently using to a new template "MyComputersV4"
Change the compatibility to Server 2016 for Cert Authority
Change the compatibility to Server 2016/ Windows 10 for Cert Recipient
On Crypto tab, change Provider Category from Legacy to Key Storage Provider
Algorithm set to RSA
Min Key Size to 2048
Select Microsoft Key Storage Provider from the Providers list
Set Has to SHA256
Temporarly unchecked Auto Enroll for Domain Computers on security tab
Added the new "MyComputersV4" to the Certificate template list so it can be deployed later. Left my old "MyComputers" template as is for now until I cut over.

When ready to deploy I can adjust the security to Enable the Enroll and Auto Enroll settings on the new template and disable them on the old tempates. After force a script down to the computers to run:

gpupdate /force

certutil -pulse

I think this should get the clients up to date, but I should I also be doing something similar for the Domain Controller template? I see that this is still Schema version 1. Do the DCs templates need to be updated?