Certificate with 802.1x on wired network
We've been trying to correct our problem with a certificate in both our wired and wireless environments. I'm not sure of the history of it, as I only recently started here. For the purpose of this post, I'm just addressing the wired problem with using 802.1x authentication. I figure if I can solve that problem then I can tackle the wireless. When we connect via our wired network we are able to connect to the domain but get an error that authentication failed. The message appears as a pop-up in the network connection. There is no error in the Event Viewer on the client or on the IAS server. The IAS server has a rule called "ethernet" that checks the user and then should supply the appropriate certificate. I've spent over 10 hours on the phone with Microsoft support creating what they said is the appropriate cert. But no matter how long we look at this we have not been able to solve it. There is no group policy on this, just the policy on the IAS server. A couple of questions:
1. Exactly what type of cert should it be? We've made a few, and some of the documentation feels vague compared to what I see on my screen. We now have server and client authentication in the cert.
2. Should the cert only reside on the IAS server? Does it have to be copied to the client, and if yes, where?
3. If we ever get this to work, do we use the same type of cert with the same type of authentication for wireless?
I have attached a Word doc with screenshots of the client and the IAS server and its policy. I've also attached a copy of the cert as a txt file. Any help is appreciated. The Microsoft support team has been very willing to help, but after days of this I really need to move on to something else. Thanks.
July 22nd, 2011 9:16am

1. Use the template "RAS and IAS Server" or a copy of that template to issue a certificate to your IAS/NPS server.

Creating a Certificate Template for IAS Server Authentication

IAS servers require a server certificate to authenticate computers to clients during the EAP-TLS protocol handshake. The Certificate Services administrator should perform the following steps to create a server authentication certificate template for use by the IAS servers.

To create a certificate template for server authentication:
- Log on to the issuing CA with a CA Administrative group account and run the Certificate Templates MMC.
- Create a duplicate of the RAS and IAS Server certificate template.
- On the General tab of the new template's properties, in the Template display name field, type RAS and IAS Server Authentication.
- On the Extensions tab, ensure that the Issuance policies only include Server Authentication (OID 1.3.6.1.5.5.7.3.1). Also, in the Extensions tab, edit the Issuance policies to add the Medium Assurance policy.
- On the Subject Name tab, select Build from this Active Directory information. Also ensure that the Subject Name Format is set to Common Name and that only DNS Name is selected under Include This Information in Subject Alternative Name.
- On the Request Handling tab, click the CSPs button, ensure that Requests Must Use One of the Following CSPs is selected and that only the Microsoft RSA SChannel Cryptographic Provider is selected.
- On the Security tab, add the AutoEnroll RAS and IAS Server Authentication Certificate security group with Read, Enroll. If Autoenrollment is desired, the Autoenroll permissions must be added.

2. The certificate only resides on the IAS/NPS server, and the issuer of the server certificate must be trusted on all clients.

3. You only need one certificate per IAS/NPS server; the same certificate can be used for all EAP authentication types requiring a certificate.

Creating an IAS Remote Access Policy for WLANs

Use the Internet Authentication Service MMC snap-in on the primary IAS server to configure IAS with a remote access policy as follows.

To create a remote access policy:
- Right-click the Remote Access Policies folder, and then click Create New Remote Access Policy.
- Name the new policy Allow Wireless/Wired Access and instruct the wizard to set up A Typical Policy for a Common Scenario.
- Select Wireless or Wired for the access method.
- Grant access based on groups and use the Remote Access Policy – Wireless Access security group.
- Choose Smart Card or Other Certificate for the Extensible Authentication Protocol (EAP) type and then select the server authentication certificate installed for IAS.
- Finish and exit the wizard.
- Open the properties of the newly created policy and then click Edit Profile. On the Advanced tab, add the Ignore-User-Dialin-Properties attribute, set it to True, and then add the Termination-Action attribute and set it to RADIUS Request.

There are no differences in the IAS policy to handle WLAN and Wired access, and you can combine both types of access in the same policy. It is highly recommended to use Group Policy to configure 802.1x policies on the clients.
/Hasain
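An added example, not from the thread above: a PowerShell audit that checks the certificates in the IAS/NPS server's machine store against the requirements Hasain lists (Server Authentication EKU, CN and SAN DNS name matching the server's FQDN, private key in the Microsoft RSA SChannel CSP, validity and a chain to a trusted issuer). It assumes it is run as an administrator on the IAS/NPS server itself; the function name Test-EapServerCertificate is mine.

```powershell
# Added example, not part of the original post. Assumes it runs elevated on the IAS/NPS server.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU from the thread
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-EapServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $checks = [ordered]@{}
    # 1. EKU must include Server Authentication, or EAP-TLS/PEAP clients reject the server
    $checks['ServerAuthEKU']   = ($Cert.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid)
    # 2. Subject built from AD: CN should be this server's FQDN
    $checks['SubjectCNIsFqdn'] = ($Cert.Subject -match "CN=$([regex]::Escape($Fqdn))")
    # 3. SAN should carry the DNS name
    $checks['SanHasDnsName']   = ($Cert.DnsNameList.Unicode -contains $Fqdn)
    # 4. The private key must be present (enrolled here, not merely imported as a .cer)
    $checks['HasPrivateKey']   = $Cert.HasPrivateKey
    # 5. Key should live in the Microsoft RSA SChannel CSP (null for CNG keys, so this fails)
    $provider = $null
    try { $provider = $Cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch { }
    $checks['SChannelCSP']     = ($provider -eq 'Microsoft RSA SChannel Cryptographic Provider')
    # 6. Validity window, and a chain to an issuer this machine trusts
    $now = Get-Date
    $checks['NotExpired']      = ($Cert.NotBefore -le $now -and $Cert.NotAfter -gt $now)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $checks['ChainBuilds']     = $chain.Build($Cert)

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Passed     = -not ($checks.Values -contains $false)
        Checks     = $checks
    }
}

# Audit every certificate in the machine Personal store; the one NPS uses must show Passed = True
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapServerCertificate -Cert $_ } |
    Format-List Thumbprint, Subject, Passed, Checks
```

The ChainBuilds check only proves the chain is trusted on the server; the same issuing CA still has to be in the clients' Trusted Root store (normally pushed by Group Policy), which is the second point in the answer.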
July 22nd, 2011 11:52am
