
802.1X authentication is enabled on our switch access ports and wireless APs. RADIUS requests are sent to a Server 2012R2 NPS server.

This NPS server has two network policies configured:

  1. Authentication via EAP-TLS (using a machine certificate that is automatically distributed to all AD domain-joined machines by our AD Certificate Authority) - priority #1

  2. Authentication via PEAP (this allows authentication via AD username and password, provided that the user is part of a specific security group) - priority #2

When an Android or iOS device connects to the network, it attempts EAP-TLS certificate authentication first, and then when it fails it prompts for username/password credentials. This is the behaviour we want.

However, a domain joined Windows 10 machine will not try EAP-TLS and then fallback to EAP-PEAP. It will only try EAP-TLS if the 'Authentication' tab on the NIC is changed from 'Smart Card or Other Certificate' to EAP-PEAP and 'user authentication' is specified.

We would like Windows clients to behave like Android/iOS clients. Does anyone know if this automatic fallback is possible?

Thomas
AdamR

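As an added example that is not part of the original question (and not an answer to it): a PowerShell check for what the NIC's Authentication tab actually pinned on a given Windows machine. A Windows wired 802.1X profile stores one EAP method type and one OneX authMode, and this script reads both out of the profile XML, so you can confirm per machine whether the profile is set to EAP-TLS (EAP type 13, shown in the UI as "Smart Card or other certificate") or PEAP (EAP type 25), and to machine, user or machineOrUser authentication, before looking at the NPS policy order. The inline sample profile is constructed for the example; the `netsh lan export profile` syntax is real, but the assumption that the export writes one `<interface>.xml` per interface into the target folder is mine, which is why the script simply parses every `.xml` it finds there.

```powershell
# Added example, not from the original post. Reports the EAP method type and
# authMode a Windows 802.1X wired profile pins.
# Assumptions: EAP method type numbers 13 (EAP-TLS) and 25 (PEAP) as registered
# with IANA; OneX <authMode> values are machine, user or machineOrUser.

function Get-OneXProfileSummary {
    param(
        [Parameter(Mandatory)][string]$ProfileXml,
        [string]$Source = '(inline)'
    )
    [xml]$doc = $ProfileXml

    # <OneX><authMode> sits in the http://www.microsoft.com/networking/OneX/v1
    # namespace; GetElementsByTagName matches on element name, so no namespace
    # manager is needed for this read-only check.
    $authMode = ($doc.GetElementsByTagName('authMode') | Select-Object -First 1).InnerText

    # Outer EAP method: <EapHostConfig><EapMethod><Type>
    $typeNode = $doc.GetElementsByTagName('EapMethod') |
        Select-Object -First 1 |
        ForEach-Object { $_.GetElementsByTagName('Type') | Select-Object -First 1 }
    $eapType = [int]$typeNode.InnerText

    $method = switch ($eapType) {
        13      { 'EAP-TLS (Smart Card or other certificate)' }
        25      { 'PEAP' }
        default { "EAP type $eapType" }
    }

    [pscustomobject]@{
        Source   = $Source
        EapType  = $eapType
        Method   = $method
        AuthMode = $authMode
    }
}

# Constructed sample: an EAP-TLS wired profile with machine-or-user auth,
# trimmed to the elements the function reads.
$sample = @'
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>
'@

Get-OneXProfileSummary -ProfileXml $sample -Source 'constructed sample'

# Real profiles: export the wired profile of an interface with netsh, then
# summarise every XML file the export produced (assumption: one file per
# interface lands in the folder).
$out = Join-Path $env:TEMP 'onex-profiles'
New-Item -ItemType Directory -Path $out -Force | Out-Null
netsh lan export profile folder="$out" interface="Ethernet"
Get-ChildItem -Path $out -Filter *.xml | ForEach-Object {
    Get-OneXProfileSummary -ProfileXml (Get-Content $_.FullName -Raw) -Source $_.Name
}
```

Run it in an elevated PowerShell on the domain-joined Windows 10 client; the `Method` column tells you which single EAP method the supplicant will offer for that interface, and `AuthMode` whether it will present machine credentials, user credentials, or machine then user. The same function works on wireless profiles exported with `netsh wlan export profile`, since they embed the same OneX and EapHostConfig elements.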