RADIUS authentication went haywire after a root CA was renewed RRS feed

  • Question

  • We had an intermediate certificate about to expire. We renewed it and everything went fine. The new CA cert was added to the domain controller, the same PKI was used, the cert was cross published to forest with certutil's crossCA capability.

    Strangely enough RADIUS did not like the cert. Even more strange: NAP RADIUS authentication stopped working on all domain controllers, even those that did not use the renewed root CA for authentication.

    Eventually we requested a new certificate for 802.1x specifically and everything worked again. I'm just curious if anyone can explain what went wrong? Why would RADIUS break because of a root CA change when RADIUS isn't pointing at that root CA?

    Monday, June 15, 2015 5:07 PM


  • Hi,

    According to your description, my understanding is that renewed CA causes RADIUS authentication failed. And replaced with a new certificate resolved this problem.

    You have mentioned that this CA is not used for RADIUS, but since renewed CA causes authenticated failed, there might be something related. Detailed error message, logs and event might be helpful for further identify the problem.

    Besides, links below provides detailed description about certificates and NPS, just for your reference:

    Best Regards,
    Eve Wang                                                                                                                                

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, June 17, 2015 6:13 AM