[SOLVED] Wireless 802.1x PEAP Windows 7 and Windows 2012 NPS and CA

Hello,
We are in the process of migrating our RADIUS (Windows 2003 R2) and Certificate (Windows 2003 R2) servers to 2012 (R2). This went fine, no problems. After that we have changed our wireless controller, a Cisco 5508. We have changed our certificate from a 1024-bit to a 2048-bit certificate.
We tested the other certificate functions and that went fine too.
But we experience a problem with wireless 802.1x in combination with Windows 7 machines. We have Windows 8 and 8.1 machines that do not experience this problem with wireless 802.1x.
We recreated the wireless policy, but also with no success.
We have seen this problem before, with a customer who had a Windows 2008 R2 certificate server and Windows XP machines with wireless 802.1x. Exactly the same problem. After decommissioning the Windows 2008 R2 certificate server and changing it to a Windows 2003 R2 certificate server, there were no problems any more.
It looks like older versions of Windows do not work with newer certificate servers?
Are we missing something? Can someone confirm this?
We already looked at these forum posts, but with no success:
http://social.technet.microsoft.com/Forums/windows/en-US/796d447f-518c-4ccb-81ff-921ee561d742/win2k8r2-peapnps-with-cisco-wireless-controller-problem?forum=winserverNIS
http://social.technet.microsoft.com/Forums/windowsserver/en-US/76644dcc-911d-451e-b7f1-39269db43ac7/nps-event-6273-reason-code-16
http://social.technet.microsoft.com/Forums/windowsserver/en-US/d543fe75-0cf9-49e7-bbfa-dd0df219cfe5/the-radius-request-did-not-match-any-configured-connection-request-policy-crp
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID:                    domainname\NB80W7$
    Account Name:                   host/NB80W7.domainname.local
    Account Domain:                 domainname
    Fully Qualified Account Name:   domainname\NB80W7$
Client Machine:
    Security ID:                    NULL SID
    Account Name:
    Fully Qualified Account Name:   -
    OS-Version:
    Called Station Identifier:      08-d0-9f-ec-96-60:domain
    Calling Station Identifier:     a0-88-b4-35-2e-08
NAS:
    NAS IPv4 Address:               192.168.2.6
    NAS IPv6 Address:
    NAS Identifier:                 WLC5500
    NAS Port-Type:                  Wireless - IEEE 802.11
    NAS Port:                       1
RADIUS Client:
    Client Friendly Name:           WLC5500
    Client IP Address:              192.168.2.6
Authentication Details:
    Connection Request Policy Name: WLC5500
    Network Policy Name:
    Authentication Provider:        Windows
    Authentication Server:          DC01.domainname.local
    Authentication Type:            EAP
    EAP Type:
    Account Session Identifier:
    Logging Results:                Accounting information was written to the local log file.
    Reason Code:                    48
    Reason:                         The connection request did not match any configured network policy.

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID:                    domainname\Username
    Account Name:                   domainname\Username
    Account Domain:                 domainname
    Fully Qualified Account Name:   domainname.local/ICT Specialisten/Username
Client Machine:
    Security ID:                    NULL SID
    Account Name:
    Fully Qualified Account Name:   -
    OS-Version:
    Called Station Identifier:      08-d0-9f-ec-96-60:domain
    Calling Station Identifier:     a0-88-b4-35-2e-08
NAS:
    NAS IPv4 Address:               192.168.2.6
    NAS IPv6 Address:
    NAS Identifier:                 WLC5500
    NAS Port-Type:                  Wireless - IEEE 802.11
    NAS Port:                       1
RADIUS Client:
    Client Friendly Name:           WLC5500
    Client IP Address:              192.168.2.6
Authentication Details:
    Connection Request Policy Name: WLC5500
    Network Policy Name:            WLC5500
    Authentication Provider:        Windows
    Authentication Server:          DC01.domainname.local
    Authentication Type:            PEAP
    EAP Type:
    Account Session Identifier:
    Logging Results:                Accounting information was written to the local log file.
    Reason Code:                    16
    Reason:                         Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
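
Added example, not part of the original post: a small Python parser for NPS "denied access" events like the two above, which tallies failures by reason code, account kind (machine or user), authentication type and matched network policy. The sample events are constructed in the usual "Label: value" layout from the values shown in the post, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: two NPS "denied access" events in the usual
# "Label: value" layout, using the placeholder names shown in the post.
SAMPLE_LOG = r"""
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID:                    domainname\NB80W7$
    Account Name:                   host/NB80W7.domainname.local
    Fully Qualified Account Name:   domainname\NB80W7$
Client Machine:
    Security ID:                    NULL SID
    Account Name:
    Called Station Identifier:      08-d0-9f-ec-96-60:domain
    Calling Station Identifier:     a0-88-b4-35-2e-08
NAS:
    NAS Identifier:                 WLC5500
Authentication Details:
    Connection Request Policy Name: WLC5500
    Network Policy Name:
    Authentication Type:            EAP
    Reason Code:                    48
    Reason:                         The connection request did not match any configured network policy.
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID:                    domainname\Username
    Account Name:                   domainname\Username
    Fully Qualified Account Name:   domainname.local/ICT Specialisten/Username
Client Machine:
    Security ID:                    NULL SID
    Account Name:
    Called Station Identifier:      08-d0-9f-ec-96-60:domain
    Calling Station Identifier:     a0-88-b4-35-2e-08
NAS:
    NAS Identifier:                 WLC5500
Authentication Details:
    Connection Request Policy Name: WLC5500
    Network Policy Name:            WLC5500
    Authentication Type:            PEAP
    Reason Code:                    16
    Reason:                         Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
"""

EVENT_START = "Network Policy Server denied access to a user."
SECTIONS = {"User", "Client Machine", "NAS", "RADIUS Client", "Authentication Details"}
# Label is everything before the first colon, so values may contain colons
# (for example "08-d0-9f-ec-96-60:domain").
FIELD = re.compile(r"^\s*([^:]+):\s*(.*?)\s*$")


def parse_events(text):
    """Split the text into events; each event maps "Section/Label" to its value."""
    events, current, section = [], None, None
    for line in text.splitlines():
        if line.strip() == EVENT_START:
            current, section = {}, None
            events.append(current)
            continue
        match = FIELD.match(line)
        if current is None or not match:
            continue
        label, value = match.group(1).strip(), match.group(2)
        if label in SECTIONS and not value:
            section = label  # "Account Name" etc. repeat per section
        else:
            current[f"{section}/{label}"] = value
    return events


def summarize(event):
    """Reduce one parsed event to the fields that matter for triage."""
    auth = "Authentication Details/"
    account = event.get("User/Account Name", "")
    sid = event.get("User/Security ID", "")
    # Computer accounts authenticate as host/<fqdn>; their SAM name ends in "$".
    machine = account.lower().startswith("host/") or sid.endswith("$")
    code = event.get(auth + "Reason Code", "")
    return {
        "account": account,
        "kind": "machine" if machine else "user",
        "client_mac": event.get("Client Machine/Calling Station Identifier", ""),
        "auth_type": event.get(auth + "Authentication Type", ""),
        "network_policy": event.get(auth + "Network Policy Name") or None,
        "reason_code": int(code) if code.isdigit() else None,
        "reason": event.get(auth + "Reason", ""),
    }


def tally(events):
    """Count failures per (reason code, account kind, auth type, policy)."""
    return Counter(
        (s["reason_code"], s["kind"], s["auth_type"], s["network_policy"])
        for s in map(summarize, events)
    )


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for key, count in tally(parsed).items():
        print(count, key)
    for item in map(summarize, parsed):
        print(item["client_mac"], item["account"], "->", item["reason"])
```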

Hi,
Please confirm the Win7 clients have renewed the certificate and deleted the old certificate. And confirm you are not using the default server certificate template.
More information:
Renew a Certificate
http://technet.microsoft.com/en-us/library/cc730605.aspx
NPS Server Certificate: Configure the Template and Autoenrollment
http://msdn.microsoft.com/en-us/library/cc754198.aspx
Hope this helps.

Similar Messages

  • OTP 2FA Problems with DA 2012 R2 and Windows 8.1 Client - Not prompting or OTP Code

    Hi 
    Just seeing if anyone has come across the same issue with their Win 8.1 clients not prompting for 2FA once configured with DirectAccess 2012 R2?
    I have created the 2x OTP certificates, enabled OTP via PowerShell and set up the RADIUS server but whatever happens the Win 8.1 client does not get prompted for 2FA - They connect seamlessly?
    I have also configured the DAProbeUser on the RADIUS server
    Any help appreciated
    Thanks

    I was afraid you'd say that.
    I hate to be the annoying guy, but take a look at this KB article:
    http://support.microsoft.com/kb/2787534
    Applied to: Windows 8\2012
    Doesn't apply to: Windows 8.1\2012 R2
    and, for a fact, it isn't included in Windows 8.1\2012 R2, as this bug still exists in those operating systems.
    Another annoying fact: no other update has been released for these versions yet.
    This example proves that not every hotfix or update that was released for 8\2012 before 8.1\2012 R2 is already included in 8.1\2012 R2.
    And allow me to add another fact.
    When you configure DirectAccess via the remote access wizard, it creates a WMI query called
    DirectAccess - Laptop Only WMI Filter.
    After you create it in Windows Server 2012 R2, look at the WMI query and you'll see that by default it doesn't apply to version 6.3, the version for Windows 8.1!
    If you want to add support for Windows 8.1 you have to manually modify the query, which is of course not supported by Microsoft.
    That is just another symptom that makes me wonder if Microsoft made ANY change or update to DirectAccess 2012 R2.
    Tamir Levy

  • Windows Live Mail 2012 Ovi Mail settings and delet...

    Hello
    Does anybody know the correct settings for Ovi Mail in Windows Live Mail 2012?
    And is it possible to recover deleted e-mails from your Ovi Mail?
    Lars

    Does this help?
    LVT89 wrote:
    Is it possible to recover deleted e-mails from your Ovi Mail?
    Does this help » Folder » Trash?

  • Updates and Hotfixes for DirectAccess 2012 R2 and Windows 8.1

    Some of you who use DirectAccess are probably familiar with the following link:
    Recommended hotfixes and updates for Windows Server 2012 DirectAccess
    As far as I know, and according to TechNet, DirectAccess hasn't changed a bit from 2012 to 2012 R2 servers.
    I use DirectAccess on Windows Server 2012 R2 and I'm surprised to see that there is not a single update from that list that is applicable to Server 2012 R2.
    If it's true, shouldn't there be documentation that talks about the differences of the DirectAccess client\server from 2012\8 to 2012 R2\8.1?
    I'm asking because I want to make sure those updates are already included or not needed for 2012 R2\8.1 and not "forgotten" or something.
    Tamir Levy


  • 802.1x peap mschap v2 with MAC Filter + IP Address Permanent

    Hi, my name is Ivan, and I have an issue.
    I have one Cisco WLC 5508 with IOS 7.4.100, with an SSID working with 802.1x PEAP MSCHAP v2 with MAC filter, and I need to configure, in the WLC web page under Security > Mac Filter, a MAC and one permanent IP address for the users.
    I have a DHCP service in the WLC for this profile.
    This configuration works fine for 3 or 4 days. On the fifth day, my users renew the IP address and they cannot surf the internet, because in my firewall I have a policy for the users with an exact IP address, for example:
    MAC Filter - IP Address A - UserA
    My policy says:
    PolicyUserA - Internet
    Please, can I establish a MAC filter associated with one permanent IP address for one user when the DHCP service in the Cisco WLC is active?
    Is it possible to do it?
    How can I do it?

    Hi Ivan,
    You can not map the mac-ip address pairs on the WLC DHCP.
    The WLC has limited DHCP server functionality. You had better use an external DHCP server with full functionality, and then you can configure the DHCP server to provide the same IP address every time to each client in your network.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Windows multipoint server 2012 wmsShell error

    I'm using Windows MultiPoint Server 2012 Premium and I have connected 16 Atrust m320 zero clients. It was working fine for 1 month, but now it has a problem: when I switch on my server, after Windows boots I do not get the login screen and it logs in directly as the wmsShell user; at the same time the keyboard and mouse are not detected and clients do not connect to the server. Please give me a solution.
    click on below link to see the problem
    https://www.youtube.com/watch?v=N36zOBndfPs&feature=youtu.be

    I have the same problem when Microsoft Updates are installed that after the reboot it automatically logs into the WmShell account and displays the My Documents folder of WmShell. 
    I resolved the issue by exiting the Document Folder, doing a CTRL+ALT+DEL, signing out of the WmShell account, and logging back in as Administrator > Local Machine name.
    Once in go to Control Panel > User Accounts and delete all references to wm???????
    Reboot the server and it should come back into normal client mode.

  • SCVMM and SCOM 2012 Integration Issues

    Hello, I have integrated SCOM 2012 RTM and SCVMM 2012 RTM and am having lots of issues that were not present with 2007/2008 family integration. For starters, my SCOM environment manages multiple untrusted domains, etc. When enabling VMM integration I now get hundreds of alerts about "Unable to verify Run As Account", stating that it cannot log in as the VMM service account for all clients that don't live in the same domain as the SCVMM server. For starters, why do my physical servers and all VMs need to be distributed with this account? The alert is also expected logically, because it is impossible to distribute a Run As account to every agent in a multi-domain untrusted environment. Also, according to this configuration, the Virtual Machine Manager Connection Account created in SCOM is set to less secure (distributed to all agents), which is why the alert is coming up; additionally, the less secure setting is typically bad practice. Why does SCVMM do this by default? Can it be changed? What are the options here? It seems to me only the SCOM management server should need this Run As account, not every agent? Thoughts on this? Thanks!

    I'm running SCVMM 2012 R2 and OpsMgr 2012 R2.  I have the integration setup and have had the same issue with the RunAs account logging on to workgroup computers.
    I tried changing the account distribution to More secure and only targeting my two management servers and the VMM server. I also changed the profile so that it targeted only the Windows Computer object for the same three servers. I came in this morning and I do not have the "Run As Account Could Not Log On" message anymore on the workgroup computer, but now I have an alert "VMM Agent Not Monitored By Operations Manager" for the VMM server. I look at the Health Explorer and see that the agent is reachable but it's not being monitored.
    I tried changing the RunAs profile back to "All Targeted Objects" but monitoring still didn't restart. Then I tried restarting the OpsMgr agent and then the VMM agent, but still the status did not change. Now, I have just set the account back to Less secure and have again received the warning from the workgroup computer about not being able to log on. I'll wait a little longer to see if the VMM server begins to be managed.
    Any experience with this?

  • Wireless 802.1x with Window 7

    I have a WLC 6.0, ACS 3.3, and the SSID is set up to use 802.1x with PEAP authentication. The clients are using Windows 7 to connect to wireless. To get the clients connected they have to go into their network properties of the wireless card, configure the client to use PEAP, uncheck validate server certificate, and also uncheck use computer name to log in to Windows. This works fine and the user is able to connect to wireless after doing all these steps and then entering their Windows username and password. The customer is saying that this is too many steps for the end user and they just want the user to click on the SSID and connect. If wireless could also be set up to use their Windows username and password, that would be a bonus. I'm basically looking for a solution that is simple but is also secure as well. I know that's an oxymoron. Is there anything I could do to make the wireless process simpler? Either by going with a different security authentication or by doing something different on the clients' computers. Thanks for any help and suggestions.

    This is a script that we use on our campus (University of Leeds), that self configures an 802.1x connection and when a user connects to an 802.1x connection merely asks them for their username and password, which then remained cached.
    The .exe you create takes away all the techy bits that do 'confuse' some users, even if they are provided with well written documentation.
    https://sourceforge.net/projects/su1x/
    http://lsayregj.swan.ac.uk/su1x/SU1X_User_Guide-v104.pdf
    Features include:
    - Automation of configuration of a PEAP wireless connection on XP (SP3), Vista and Win 7
    - Can set EAP credentials without additional user interaction (avoids tooltip bubble)
    - Installation of a certificate (silent)
    - Checks for WPA2 compatibility and falls back to a WPA profile
    - Third party supplicant check -SSID removal and priority setting
    - Support tab: (checks: adapter, wzc service, profile presence, IP)
    - Outputs check results to user with tooltip and/or to file
    - Printer tab to add/remove networked printer
    This tool is very cleverly written by Gareth Ayres at Swansea University

  • SPS224 and Windows XP SP3 802.1x supplicant problem

    Hi everybody
    We run an MS Active Directory based network (Windows Server 2008, MS NPS as RADIUS server) and have Windows XP SP3 and 7 in it. We have a lot of SPS224 (with the latest SW version 1.0.6) as the access switches, and we are trying to implement 802.1x in our network to authenticate users by their AD domain computer accounts. Also, we want to use dynamic VLAN assignment using RADIUS attributes. The authentication by PEAP-MSCHAPv2 works fine on all workstations but we have a problem with the dynamic VLAN assignment in case Windows XP machines are used. The problem is that after a successful authentication and VLAN assignment on a switch port, the Windows XP supplicant tries to re-authenticate after several seconds. However, the switch port state remains authorized and the workstation does not lose connection. So, the only problem we see is that the state of the supplicant does not correspond to the switch port state. We have noticed that the problem occurs when the "multiple sessions mode" is used (it is needed to enable VLAN assignment by RADIUS attributes). We have tried the built-in Windows XP SP3 supplicant and Cisco Secure Services Client with a similar result. At the same time, the Windows 7 workstation works just fine, without any problems. Has anybody faced this problem with Windows XP and has a workaround? Any help will be appreciated!

    Not exactly sure what could be the problem. It should be working - it's definitely supported (I'm currently typing this via a XP SP3 machine using PEAP WPA2/AES via WZC). The only things I can think of to check are:
    - Make sure your wireless drivers are up to date *this is a must*
    - Make sure the other supplicant is completely disabled (uninstall it if you really need to rule it out)
    - Try disabling the server certificate check in the WZC profile for this network (do you know for sure that your laptop trusts the IAS server's certificate)?
    - Are you doing machine or user authentication for PEAP - make sure you have the WZC profile properly configured
    - Are you 100% sure that you've configured everything properly for the network (WPA vs WPA2? AES vs. TKIP? etc.)

  • Windows 7 and windows 8 desktop wired and 7510e printer connected to win 7 wireless

    I have a windows 7 64 bit HPavilion Elite 150f desktop set up wired with a 7510e photosmart printer connected to it wireless, now I  have purchased a windows 8 desktop HP envy 700-019 desktop.
    When I set up my new windows 8 desktop I  just plugged it into my wireless router/modem combo and it found my printer and I could just print from it, I did not download any software or drivers for my printer or set up a home group as I was not sure how to set it up but last night I tried to set up a homegroup,
    I used my wireless network key and entered it and pressed connect, then I entered the Homegroup password that was downloaded for me from Microsoft, but my windows 7 says homegroup and my windows 8 shows private network so I am not sure what I have done wrong, I chose to only share music and printers, can anyone tell me how to do this correctly as I am not sure that I have done it properly.
    On my windows 8 I can go to my printer's web site by entering the static IP address that cloud support set up for me and it shows as connected, but I do not want to enter any printer code as that is already set up on my windows 7. I can also scan to email on my windows 8 but I am not sure what, if any, security I have on my windows 8. The last time I had a homegroup set up I paid someone to do it for me, so I did it by guess work more than anything. If someone can lead me through it step by step I would appreciate it.

    Hi @emma22 
    I would like to do my best to help, but please bear in mind the issue you are expressing is an inquiry for Microsoft not HP. I did find something I think will be most helpful, and I hope it resolves the issue, but if the issue persists, or you have additional questions, it might be best to reach out to the Microsoft community.
    Here is what I found; HomeGroup from start to finish.
    In the top right hand corner of the article, you can change it from Windows 7 to Windows 8. I hope this helps.
    Sunshyn2005 - I work on behalf of HP

  • Having a problem with wireless connection. On my Windows XP 32 bit system and a 6510 printer, initi

    On my Dell Latitude D620, Windows XP 32 bit system and my 6510 printer wireless connection (Linksys EA4500) , everything works fine after the computer is booted.  After a period of time (usually overnight), I lose connection to the printer (the scanner icon with a red x is shown on my Windows task bar and I can't print.  Ran Windows Fix and the HP fix programs.  The only thing that solves it is to reboot the computer.  A second symptom is that my IE8 stops connecting to the internet at the same time (gives a 'waiting for' response that never changes).  Firefox still connects OK when this is happening.  So I suspect the problem isn't with the printer, but with my Windows set up.  It is a fresh XP SP3 install (hard drive crashed, but it happened before also).  I reset IE, checked my proxy, no malware, happens with or without firewalls and security programs.
    Hoping that someone else has run into this problem.  Been all over Google, and the IE doesn't work / Firefox works is fairly common, but none of the fixes helps. 

    If you want you can reload Firefox 4.0 or the last "old" version is 3.6.16 and is available here:
    http://www.mozilla.com/en-US/firefox/all-older.html
    Just reinstall your choice of FF. The bookmarks are in a different directory and are NOT overwritten. Some of the Add-ons that worked in 3.6 DO NOT work with 4.0, pay attention and heed any warnings when you start 4.0.
    I had to disable extensions: Flashblock and WOT
    Firefox SafeMode? - A troubleshooting mode.
    1. You can open the Firefox 4.0 SafeMode by holding the Shift key when you use the Firefox desktop or Start menu shortcut.
    To exit the Firefox Safe Mode, just close Firefox and wait a few seconds before using the Firefox shortcut to open it again.
    For more help, see this: http://support.mozilla.com/en-US/kb/troubleshooting+extensions+and+themes
    Hope this helps you out.
    Feedback is appreciated especially if this helps you out.

  • TCP Timeouts in Native Windows 7 64-bit (wired and wireless)

    I am having some major headaches with this new laptop in regards to network stability.  I have a W510 4318CTO with the Ultimate-N 6300 AGN adapter.  Here is what I'm seeing:
    Prior to installing Virtual PC/XP Mode, whenever I am browsing the web or accessing samba shares, I occasionally get spurts of timeouts.  Sometimes the timeouts are inescapable, but oddly enough the issue surfaces less after a hibernation than after a reboot or shutdown/start.  Google Docs is one thing that is especially unstable.  Either the icons don't load or the style sheet doesn't load or I can't click on anything or I can't save a document or open a document.  This happens across all browsers when run in regular old Windows 7.  I tried adjusting affinity and resetting tcp and reinstalling the network drivers and scanning for malware and yada yada yada.
    I have made queries on Microsoft Connect and TechSupportForum and nothing I've tried is helping.  This problem doesn't happen on my XP desktop at all, and very strangely, this doesn't happen in XP Mode on the same laptop at the same time as the issue surfaces in native win7.  If I ping the gateway, I get timeouts at the same time as the issue manifests and I get longer response times when making network requests.  I have been hammering this issue for the entire month and can't get past it.  I've tried uninstalling Lenovo's Access Connection tool and that didn't help either.   I tried this over the 82577LM gigabit wired adapter as well and have the same issues but they occur less than in wireless mode (which I would expect).
    I am quite an expert on Windows, but this issue has brought me to my wits end.  I am an inch away from blowing the preinstall away and starting from scratch, but I just don't want to invest so much time in reinstalling everything.  I've had enough trouble with working around power management issues on this new laptop and I just want this fixed.
    If you can solve this, I would be forever grateful.  I feel like I'm in the empty hell of a network admin's nightmare.
    - Steve

    Hello,
    If you go into the Device Manager (filename: DEVMGMT.MSC), select View→Show Hidden Devices and examine the Non-Plug and Play Drivers tree, are there any old device drivers left over from previously installed security or connectivity software?  If so, perhaps one of those is the culprit and disabling or uninstalling it will solve the problem.
    Another possibility is that the automatic network tuning enhancements (a feature first introduced in Windows Vista) in Windows 7's network stack are changing the TCP window size until it reaches a value which is incompatible with your router.  That is fairly simple to test, though:  Open an elevated Command Prompt (filename: CMD.EXE) and issue a "netsh int tcp set global autotuninglevel=disabled" command and see if that makes any difference.  If that makes no difference, repeat the Netsh command with "autotuning=enabled" to restore the previous values and we can continue troubleshooting.
    Regards,
    Aryeh Goretsky
    I am a volunteer and neither a Lenovo nor a Microsoft employee. • Dexter is a good dog • Dexter je dobrý pes
    S230u (3347-4HU) • X220 (4286-CTO) • W510 (4318-CTO) • W530 (2441-4R3) • X100e (3508-CTO) • X120e (0596-CTO) • T61p (6459-CTO) • T43p (2678-H7U) • T42 (2378-R4U) • T23 (2648-LU7)

  • T420 - Intel Wireless and Windows XP issue?

    Has anyone else seen any issues with using the Intel Wireless Advanced-N 6205 card on Windows XP? I have a 4178-6UU and it will work for a while, then just stop receiving packets, but will not disconnect even though it doesn't work and I am no longer able to ping it.
    I have the latest driver available from Intel and Lenovo (14.0.1.2), and also the latest BIOS (1.22). Unfortunately, I have to have XP/SP3 on these T420's. Any suggestions or is anyone else seeing any issues?

    Have you solved this issue? If so, how? I think I may have the same issue. I don't understand all the terminology in the post, such as "ping", so I can't be certain if it is exactly the same issue. Also I use Windows 7 Pro. However, in certain locations but not all, my wireless capabilities are horrible. The same locations that worked just fine with my Dell E6400, that I recently switched from, are not working on my Lenovo T420 4178-6UU. The internet access is constantly lost and I have to reconnect over and over again throughout the work day. HELP!!!! (SN: This keyboard is the best I have ever worked on, I don't think I will ever buy a different kind of PC, that is if I can resolve this wireless issue).

  • 802.1x EAP PEAP MSCHAPv2 on Windows 7 Client.

    I have problems authenticating a W7 client on our Enterprise WiFi network. XP, Apple clients and all smartphones work fine... We use RADIUS-assigned VLANs based on username and realm, routed on our Meru network to Navis RADIUS as the centralized point of authentication. Navis proxies client authentication requests to the customers' RADIUS servers based on the realm.
    The Windows 7 32 client uses the RADIUS CA (installed and ticked) and EAP PEAP MSCHAPv2 in the SSID settings. The customer RADIUS is a FreeRADIUS. In the authentication logs we see that the client sends the machine name, e.g. Machine-x200/username@realm, even though in the client settings, under SSID Properties, Security, MS Protected EAP (PEAP), Settings and EAP-MSCHAPv2 Configuration, we have removed the tick on the default setting "Use Autom. Windows-username..." AND under Security Advanced (back one step), in the 802.1X Settings, chosen User authentication only (not user and machine, machine only or guest), and we have correctly saved username@realm (username here) and password in the username/password setting.
    Is it possible to edit or change the way the client PC is set up to prevent this?
    Is there any way to make a policy setting? Or are there other solutions?
    I have tested the Cisco: PEAP option too, but still no authentication from RADIUS.
    Thanks

    Hi,
    As far as I know, this goal cannot be achieved.
    Reference:
    Use the 802.1X Wizard to Configure NPS Network Policies
    For authentication using Extensible Authentication Protocol – Transport Layer Security (EAP-TLS), select Microsoft: Smart Card or other certificate, click Configure, click OK, and then click Next.
    For authentication using Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS), select Microsoft: Protected EAP (PEAP). In Eap Types, click Add, click Smart Card or other certificate, click the Move Up button to position a smart card or other certificate at the top of the list, click OK, and then click Next.
    For secure password authentication using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), select Microsoft: Protected EAP (PEAP). In Eap Types, click Add, click Secured password (EAP-MSCHAP v2), click the Move Up button to position the secured password authentication type at the top of the list, click OK, and then click Next.
    Regards,
    Sabrina

  • 802.1x PEAP Windows 2008 NPS Certificate

    I've setup a centrally switched SSID on a 5508 WLC utilising 802.1x PEAP authentication to a pair of Windows 2008 NPS which authenticate the PEAP username and password to our Active Directory domain.
    Currently the Windows 2008 NPS servers are utilising a server certificate issued from our internal Certificate Authority, with the certificate being presented to the device upon connection depending upon which server the WLC sends the authentication to. The server names on the internally issued certificate are in the form of:
    Server01.domain.local
    Server02.domain.local
    Due to these certificates being internally issued certificates, when some devices, specifically Apple iPads and iPhones, connect to the SSID initially they are prompted to accept the certificate, but it is listed as not verified as it's issued by an internal domain CA and not an external root certificate authority.
    I am going to be obtaining an external root CA issued certificate for both servers to replace the internally issued certificates. However, I notice that, using the internal certificate, if I connect a device to the SSID and accept the certificate of the server with certificate name server01.domain.local, and then disable the ability for clients to connect to server01, the WLC will automatically forward the authentication connection to the next server on the list. However, as this server is presenting a different certificate, "server02.domain.local", devices which are conducting certificate validation will fail to connect, as the certificate does not match the previously accepted certificate.
    Does anyone know a way around this?
    Will adding say server02.domain.local as an additional name to the certificate for server01.domain.local resolve this issue?

