Log Name: Microsoft-Windows-WLAN-AutoConfig/Operational
Source: Microsoft-Windows-WLAN-AutoConfig
Date: 8/15/2016 1:11:20 PM
Event ID: 11006
Task Category: MsmSecurity
Level: Error
Keywords: (1024),(512)
User: SYSTEM
Computer: computer.domain.com
Description:
Wireless security failed.
Network Adapter: Intel(R) Dual Band Wireless-AC 7265
Interface GUID: {32a54564-27eb-479a-82f3-10a9b736f9d8}
Local MAC Address: AA:BB:CC:DD:EE:FF
Network SSID: CHC1
BSS Type: Infrastructure
Peer MAC Address: 00:11:22:33:44:55
Reason: Explicit Eap failure received
Error: 0x80070285

Log Name: Microsoft-Windows-WLAN-AutoConfig/Operational
Source: Microsoft-Windows-WLAN-AutoConfig
Date: 8/15/2016 1:11:20 PM
Event ID: 12013
Task Category: OneXAuthentication
Level: Error
Keywords: (1024),(512)
User: SYSTEM
Computer: computer.domain.com
Description:
Wireless 802.1x authentication failed.
Network Adapter: Intel(R) Dual Band Wireless-AC 7265
Interface GUID: {32a54564-27eb-479a-82f3-10a9b736f9d8}
Local MAC Address: AA:BB:CC:DD:EE:FF
Network SSID: CHC1
BSS Type: Infrastructure
Peer MAC Address: 00:11:22:33:44:55
Identity: host/computer.domain.com
User:
Domain:
Reason: Explicit Eap failure received
Error: 0x80070285
EAP Reason: 0x285
EAP Root cause String: There was an internal authentication error.
EAP Error: 0x285

Recently, I ran into an issue with computers running Windows 10 that would not connect to our WPA2-Enterprise encrypted wifi network. When it failed to connect, there was no indication of why, only the message "Can't connect to this network." The computers were able to connect to unencrypted networks and networks using a pre-shared key for WPA encryption without issue.

When I checked the event logs on the RADIUS server to see why the computer failed to connect, there was no log entry for a connection attempt from the affected system. The WLAN-AutoConfig log on the client listed a couple of errors, including Event ID 11006 and 12013, but other than showing that the failure reason was "Explicit EAP failure received", they didn't give much to go on.

After spending significant time troubleshooting the issue, I found that it was caused by the new "Credential Guard" feature in Windows 10. In the TechNet article documenting this new feature, there is a single line which explains why this was happening:

"Credential Guard also does not allow unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2, Digest, CredSSP, and Kerberos DES encryption."

As it turns out, our RADIUS server and the GPO which pushed our wireless settings out to clients were configured to use MS PEAP for authentication. At first glance, that doesn't seem to conflict with the statement above, but the P in PEAP stands for protected. It basically creates an encrypted tunnel first, over which standard EAP authentication takes place. The EAP communication travelling through that encrypted connection can be configured to use either "Secured Password (EAP-MSCHAP v2)" or "Smart Card or other Certificate". You can guess which mine was using.

For a Credential Guard enabled computer to authenticate to a WPA2-Enterprise wireless network, the network must use certificate-based authentication. In my case, we already had the PKI in place, so it was a simple matter of configuring the RADIUS server to accept certificate-based authentication and changing the Wireless Settings in our GPO to use a certificate for authentication instead of the Secured Password option. After making these changes and connecting these clients to ethernet to get a group policy update, they were able to successfully authenticate with and connect to the WPA2-Enterprise encrypted network.

If you don't already have a Public Key Infrastructure (PKI) set up, this will require installing and configuring the Certificate Authority role on a Windows server, and issuing certificates to users and/or computers. (Ideally, configuring computers to auto-enroll with the CA for computer certificates.)

When I was searching online for what could possibly cause my issue, searching for the error message and event details I had turned up nothing useful. Any posts I found from others with similar errors turned out to be unrelated. In the end, I did find a single page by Nigel Kemp documenting his experience with this issue, but only after I had already identified the likely culprit and searched specifically for "Credential Guard breaks Wifi". Still, I was thankful to have the confirmation that I was on the right track. I hope that by including the specific errors and events in this blog post, it will help others find the solution to this problem a little easier.
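To confirm on a client that the three conditions described above coincide (Credential Guard running, the 0x80070285 EAP failures logged, and a wireless profile whose inner method is MS-CHAPv2), the following triage script can be run from an elevated PowerShell session. It is an added example, not part of the original post. It assumes the profile name matches the SSID from the events (CHC1) and that the profile can be exported with netsh on the affected machine.

```powershell
# Added triage example (not from the original post).
# Assumption: the wireless profile is named after the SSID shown in the events.
$Ssid = 'CHC1'

# 1. Is Credential Guard running? Win32_DeviceGuard reports running
#    virtualization-based security services; the value 1 is Credential Guard.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$credentialGuardOn = $dg.SecurityServicesRunning -contains 1

# 2. Have the two failure events from this post been logged with the same error?
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-WLAN-AutoConfig/Operational'
        Id      = 11006, 12013
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x80070285' }

# 3. Which EAP methods does the wireless profile use?
#    Export the profile to a fresh directory and read every <Eap><Type> value.
#    IANA EAP method numbers: 25 = PEAP, 26 = EAP-MSCHAPv2, 13 = EAP-TLS.
$dir = Join-Path $env:TEMP ("wlan-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
netsh wlan export profile name="$Ssid" folder="$dir" | Out-Null

$eapTypes = @(
    Select-Xml -Path (Join-Path $dir '*.xml') `
               -XPath "//*[local-name()='Eap']/*[local-name()='Type']" `
               -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Node.InnerText.Trim() }
)
Remove-Item -Path $dir -Recurse -Force

# 4. Summarize. The failure described in this post needs all three to line up:
#    Credential Guard running, MS-CHAPv2 in the profile, and the EAP errors.
[pscustomobject]@{
    CredentialGuardRunning = $credentialGuardOn
    EapFailureEvents       = @($events).Count
    ProfileEapTypes        = $eapTypes -join ','
    UsesMsChapV2           = $eapTypes -contains '26'
    UsesCertificate        = $eapTypes -contains '13'
    MatchesThisIssue       = $credentialGuardOn -and
                             ($eapTypes -contains '26') -and
                             (@($events).Count -gt 0)
}
```

After the RADIUS and GPO changes described above have reached the client, the same script should show type 13 in ProfileEapTypes and UsesMsChapV2 as False.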