Attempting to connect to a wireless network requiring machine certificate authentication fails with: “Can’t connect to this network”

Problem

You’ve configured a new Network Policies policy on your Microsoft NPS server:

… with the following settings that will authenticate devices with machine certificates:

You configure the SSID on the wireless client with the certificate with the following settings:

… but notice that you receive the following error when attempting to connect:

Reviewing the INXXXX.log file in the directory C:\Windows\System32\LogFiles on the NPS server show that the wireless client authentication makes the connection attempt and the policy is matched:

"DC03","IAS",07/07/2016,20:32:46,3,,"contoso.internal/contoso/Computers/Desktops/Victoria_Place/IT/WKS-MXL2451S3K",,,,,,,,9,"10.80.9.249","contosobm-wlc2500-1",,,,,,,5,"Secure Wireless Connections Machine Authentication",262,"311 1 10.70.1.3 07/07/2016 23:09:55 79",,,,"Microsoft: Smart Card or other certificate",,,,,"577ee697/60:57:18:a7:ea:18/70380",,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,

Reviewing the Security event logs on the NPS server show the following event ID 6273 Audit Failure event from the Microsoft Windows security auditing source:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            contoso\WKS-MXL2451S3K$
    Account Name:            host/WKS-MXL2451S3K.contoso.internal
    Account Domain:            contoso
    Fully Qualified Account Name:    contoso.internal/contoso/Computers/Desktops/Victoria_Place/IT/WKS-MXL2451S3K

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        d8-b1-90-d0-6c-b0:corp-data
    Calling Station Identifier:        60-57-18-a7-ea-18

NAS:
    NAS IPv4 Address:        10.80.9.249
    NAS IPv6 Address:        -
    NAS Identifier:            contosobm-wlc2500-1
    NAS Port-Type:            Wireless - IEEE 802.11
    NAS Port:            13

RADIUS Client:
    Client Friendly Name:        contosobm-wlc2500-1
    Client IP Address:            10.80.9.249

Authentication Details:
    Connection Request Policy Name:    Use Windows authentication for all users
    Network Policy Name:        Secure Wireless Connections Machine Authentication
    Authentication Provider:        Windows
    Authentication Server:        SVRARDC03.contoso.internal
    Authentication Type:        EAP
    EAP Type:            Microsoft: Smart Card or other certificate
    Account Session Identifier:        35373765653762652F36303A35373A31383A61373A65613A31382F3730333831
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            262
    Reason:                The supplied message is incomplete.  The signature was not verified.

Solution

The key indicator of what would be causing this issue is the following line in the security event entry:

Reason:                The supplied message is incomplete.  The signature was not verified.

This usually indicates that the certificate presented by the NPS (RADIUS) server is not trusted by the wireless client.  The wireless client in this situation was not joined to the domain and since the certificate used by the server to verify its identity:

… is signed by an internal Microsoft CA, the wireless client did not trust it.  To correct the issue, simply export the Root and any intermediate CA certificates and import it onto the wireless client’s local computer store.