A common EAP-TLS configuration failure is a user or client certificate that has not been generated correctly. The User Principal Name (UPN) must be included in the Subject Alternative Name (SubjectAltName) extension of the certificate. By default, the standard certificate templates in Active Directory are not configured this way. For more information, see the following Microsoft documentation: Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS.
Your Active Directory administrator or certificate administrator may need to ensure that the template used for the user certificate is set to include the UPN in the Subject Alternative Name field.
The following screenshot illustrates the proper setting:
The Subject Alternative Name in the AD-issued certificate when using the default template was:
After the template change, the Subject Alternative Name in the AD-issued certificate became the following, and the connection was successful:
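As an added example (not part of the original article or the Microsoft documentation it cites), the following Python script walks the DER-encoded SubjectAltName extension value and reports whether it carries the Microsoft UPN OtherName (OID 1.3.6.1.4.1.311.20.2.3), which is the form EAP-TLS user authentication expects, rather than only an rfc822Name. It assumes you have already exported that extension's raw bytes from the certificate with your certificate tooling; the two sample SANs it checks are constructed inline.

```python
UPN_OID = bytes.fromhex("2B060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN)

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def upn_other_name(upn: str) -> bytes:
    """GeneralName [0] OtherName { type-id UPN OID, value [0] EXPLICIT UTF8String }."""
    return _tlv(0xA0, _tlv(0x06, UPN_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode())))

def _read(buf: bytes, pos: int):
    """Decode one TLV at pos; return (tag, value, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def parse_san(der: bytes):
    """Return [(kind, value)] for the GeneralNames in a DER SAN extension value."""
    tag, body, _ = _read(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE of GeneralName")
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read(body, pos)
        if tag == 0xA0:                          # [0] otherName
            _, oid, p = _read(val, 0)
            _, wrapped, _ = _read(val, p)        # [0] EXPLICIT value
            _, text, _ = _read(wrapped, 0)       # UTF8String for the UPN form
            out.append(("UPN" if oid == UPN_OID else "otherName", text.decode("utf-8", "replace")))
        elif tag == 0x81:                        # [1] rfc822Name (IA5String)
            out.append(("rfc822Name", val.decode("ascii")))
    return out

def has_upn(der: bytes) -> bool:
    """True when the SAN carries the UPN OtherName that EAP-TLS user auth needs."""
    return any(kind == "UPN" for kind, _ in parse_san(der))
# Constructed inputs: a SAN with only an e-mail name, and one that also carries the UPN.
MISSING_UPN_SAN = _tlv(0x30, _tlv(0x81, b"jdoe@corp.example"))
WITH_UPN_SAN = _tlv(0x30, _tlv(0x81, b"jdoe@corp.example") + upn_other_name("jdoe@corp.example"))

if __name__ == "__main__":
    for label, der in (("e-mail only", MISSING_UPN_SAN), ("with UPN", WITH_UPN_SAN)):
        print(f"{label}: {parse_san(der)} -> UPN present: {has_upn(der)}")
```

Other GeneralName forms (dNSName, iPAddress, and so on) are skipped by the parser because they do not affect the UPN check.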
Additional Information for Further Troubleshooting
For a walk-through of the wireless troubleshooting process, see the following documentation from Microsoft:
A Support Guide for Wireless Diagnostics and Troubleshooting
For more information on troubleshooting EAP-TLS connections, see the following webpage:
802.1X EAP-TLS Machine Authentication in Mt. Lion with AD Certificates