
In our enterprise, we have roughly 30 users that access our networks through a VPN connection. The topology is as follows: Apple End User Device (iOS, macOS) <--> Juniper SRX Firewall <--> RADIUS <--> Microsoft NPS (Windows Server 2019).

All of these VPN connections work without incident for the users, with the exception of my personal user account - this fails to connect every time.

The Event Viewer app indicates that "Network Policy Server has denied access to a user" and indicates reason code 23.

I've had a look at the IAS/NPS logs both with a text editor and with a tool like DeepSoftware's IAS Log Viewer. The error listed in those logs is still error 23, and there is no additional information.

In Event Viewer, I have enabled CAPI2 logging. I can see that my enterprise trust chain is successfully validated, but I see no information about my personal certificate.

I have verified that the server certificate is valid, and that my personal user certificate is valid. On the same macOS device that I am testing with, 802.1X authentication works using my user certificate.

I have an open support ticket with Microsoft, but the company they subcontract their enterprise support to (Convergsys, I believe) has proven to be beyond useless.

I did look into Microsoft's documentation for enabling EAPHost tracing, but sadly, the .etl log files that logman produces are gibberish without access to the PDB files/debugging symbols.

My next step has been to use Microsoft's Capimon.exe tool in an attempt to get some helpful debugging information. However, since EAP authentication and NPS run as services that use svchost.exe as the parent executable, I can't figure out how to provide the proper executable image path to use when running Capimon.exe -setup.

Any ideas would be super helpful!

Ned W.
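The question works from the Security log's "Network Policy Server denied access to a user" event (ID 6273) and its reason code. The script below is an added example, not part of the original post, that pulls the recent 6273 (denied) and 6272 (granted) NPS audit events from the Security log, flattens each event's XML data fields into one object, and prints the failing account's denials next to one working user's success so the policy, authentication type and EAP type can be compared field by field. It assumes it is run in an elevated PowerShell on the NPS server; the account name is a placeholder, and the `Hours` window is an arbitrary choice.

```powershell
# Added example (not from the original post): compare NPS access-denied (6273) and
# access-granted (6272) audit events so a failing session can be diffed against a working one.
# Assumptions: run as administrator on the NPS server; $FailingUser is a placeholder account.
param(
    [string]$FailingUser = 'placeholder.user',   # the account that is always denied
    [int]$Hours = 24                             # how far back to read the Security log
)

$since = (Get-Date).AddHours(-$Hours)

# One query for both outcomes; 6272 = access granted, 6273 = access denied.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = $since
} -ErrorAction Stop

# The event's fields are easiest to read from its XML: each <Data Name="..."> node becomes a key.
function Convert-NpsEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    $outcome = if ($Event.Id -eq 6272) { 'Granted' } else { 'Denied' }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        Outcome    = $outcome
        User       = $data['SubjectUserName']
        Client     = $data['ClientIPAddress']       # the RADIUS client (the SRX here)
        Policy     = $data['NetworkPolicyName']
        AuthType   = $data['AuthenticationType']
        EapType    = $data['EAPType']
        ReasonCode = $data['ReasonCode']
        Reason     = $data['Reason']                # NPS's own text for the reason code
    }
}

$rows = $events | ForEach-Object { Convert-NpsEvent $_ }

# The failing account's most recent denials, with the reason text NPS attached to code 23.
$rows | Where-Object { $_.Outcome -eq 'Denied' -and $_.User -like "*$FailingUser*" } |
    Sort-Object Time -Descending | Select-Object -First 5 |
    Format-List Time, Client, Policy, AuthType, EapType, ReasonCode, Reason

# One recent success from any other user: a different Policy, AuthType or EapType here
# points at what the failing account is negotiating differently.
$rows | Where-Object { $_.Outcome -eq 'Granted' -and $_.User -notlike "*$FailingUser*" } |
    Sort-Object Time -Descending | Select-Object -First 1 |
    Format-List Time, User, Client, Policy, AuthType, EapType
```

Because the denied and granted events share the same field layout, a difference in the matched network policy or the negotiated EAP type between the two listings narrows the problem to the RADIUS/NPS side before any EAPHost or CAPI tracing is attempted.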

0 Answers