I'm trying to fix my Microsoft Server 2016 Network Policy Server configuration as a RADIUS server, with PEAP-MSCHAPv2.
As is well known, some modern devices are not able to "not validate" the server certificate because this option is too weak and has been disabled (for example, some Android 11 devices).
As far as I know, the solution should be to add an internal CA certificate to these (non-domain) devices so that they can authenticate the NPS server certificate (and avoid managing client certificates).
I've found that the NPS server certificate is issued by an internal CA, and the certificate of this internal CA is self-signed (issued by itself).
I've tried to export the CA cert (without the private key) and import it into the devices, but so far without success; I've received error 22: EAP type cannot be processed by the server
or
error 265: the certificate chain was issued by an authority that is not trusted.
It is not clear whether I've obtained 265 only when I changed the domain field on the client to only the domain of the FQDN in the CN of the NPS server certificate.
How can I implement this correctly (PEAP-MSCHAPv2 with server authentication on a non-domain client)?
Note:
It now works fine for "old" wireless clients: they correctly authenticate as AD users and gain network access, so I want to correct the settings only for these newer devices, without changing it radically.
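The step the question describes (find the certificate NPS presents for PEAP, walk its chain to the self-signed internal root, and export only the root's public part for the non-domain clients) can be done from PowerShell on the NPS server. The script below is an added example, not code from the question or from Microsoft; it assumes the NPS server certificate sits in the machine Personal store (LocalMachine\My) with its private key, that the chain builds locally, and that C:\Temp\nps-ca is a writable output path (all of these are assumptions). It also prints the Subject and Subject Alternative Name of the server certificate, because the value entered in the client's "Domain" field has to match a DNS name in that certificate's SAN, and it lists any intermediate CAs, since the root alone on the client is only enough if the NPS server sends the intermediates in the TLS handshake (they should be in LocalMachine\CA on the NPS server).

```powershell
# Added example (not from the original question). Run as administrator on the NPS server.
# Assumptions: NPS server cert is in LocalMachine\My with a private key; output dir is writable.
$exportDir = 'C:\Temp\nps-ca'   # assumed output path
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1. Locate the certificate NPS can present for PEAP: Server Authentication EKU,
#    private key present, not expired. If several match, take the newest.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
    $_.NotAfter -gt (Get-Date)
}
if (-not $candidates) {
    throw 'No unexpired Server Authentication certificate with a private key in LocalMachine\My'
}
$nps = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

# 2. Show the names the client "Domain" field must match (SAN DNS names, not just the CN).
"NPS cert subject : $($nps.Subject)"
"NPS cert expires : $($nps.NotAfter)"
$san = $nps.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { "NPS cert SAN     : $($san.Format($false))" }
else      { 'WARNING: no Subject Alternative Name; modern clients may reject this certificate' }

# 3. Build the chain on the server itself and take its last element, the self-signed root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only interested in the issuer path here
if (-not $chain.Build($nps)) {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) $($_.StatusInformation)" }
    throw 'Chain does not build on the NPS server; fix the server-side store before exporting'
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $root.Issuer) { throw 'Top of chain is not self-signed; unexpected PKI layout' }
"Root CA subject  : $($root.Subject)"
"Root CA thumbprint: $($root.Thumbprint)"

# 4. Intermediates (if any) are NOT needed on the client, but the NPS server must be able to
#    send them during the TLS handshake, so they belong in LocalMachine\CA on the server.
for ($i = 1; $i -lt $chain.ChainElements.Count - 1; $i++) {
    "Intermediate CA  : $($chain.ChainElements[$i].Certificate.Subject)"
}

# 5. Export the root's public certificate only (no private key): DER .cer,
#    plus a Base64/PEM .crt copy, which Android's certificate installer also accepts.
$derPath = Join-Path $exportDir 'internal-root-ca.cer'
$pemPath = Join-Path $exportDir 'internal-root-ca.crt'
Export-Certificate -Cert $root -FilePath $derPath -Type CERT | Out-Null
certutil -encode $derPath $pemPath | Out-Null
"Exported root CA (public key only) to:`n  $derPath`n  $pemPath"
```

On the Android side, install the exported file as a Wi-Fi CA certificate (not a user/VPN certificate), select it under "CA certificate", and set "Domain" to a DNS name that appears in the SAN output above (for example, the NPS server's FQDN). The thumbprint printed for the root can be compared against what the device shows after import to confirm the right certificate was installed; if the device still reports an untrusted chain while the server cert's SAN and Domain field agree, the usual cause is an intermediate CA that the NPS server does not send, which the intermediate listing in step 4 helps spot.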