SSTP EAP-TLS and EAP-MSCHAPV2 authentication no longer working

Support requests about VPN Client Pro
greentea
Posts: 7
Joined: Fri Oct 01, 2021 4:04 pm

SSTP EAP-TLS and EAP-MSCHAPV2 authentication no longer working

Post by greentea »

Hi, I'm not sure in what version of the app this stopped working, but I am no longer able to authenticate with a Windows 2025 SSTP server with EAP-TLS and EAP-MSCHAPV2 auth options using app v1.02.27. The SSTP server is domain-joined with an internal CA that issues user certificates. The SSTP server is configured with NPS for authentication. The problem started with EAP-TLS auth, so I tried EAP-MSCHAPV2 in case I had some kind of certificate issue, but that is also failing. I'm able to log in with a Windows 11 machine using the same user, and EAP-TLS and EAP-MSCHAPV2 both work, so I don't think it's a misconfiguration of NPS or RRAS. This was working with previous versions of the app for about a year after migrating from Server 2016 to 2025 (and worked without issue in 2016 prior). I'm seeing the following errors in Windows security logs:

- EAP-TLS: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

- EAP-MSCHAPV2: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

The app just shows "authentication failed!" in the log.

Let me know if more information is needed to troubleshoot.
admin
Site Admin
Posts: 823
Joined: Fri Feb 15, 2019 4:04 pm

Re: SSTP EAP-TLS and EAP-MSCHAPV2 authentication no longer working

Post by admin »

Hello,

I ran some quick tests, and everything seems to be working fine. Something probably changed in the server-side configuration.
Are you sure you've configured EAP and not PEAP? PEAP is not currently supported.
greentea
Posts: 7
Joined: Fri Oct 01, 2021 4:04 pm

Re: SSTP EAP-TLS and EAP-MSCHAPV2 authentication no longer working

Post by greentea »

I'm able to get EAP-MSCHAPV2 to work; when I added it before, it was part of the PEAP authentication options. So that explains that issue with PEAP not being supported. However, I'm unable to get EAP-TLS to work. Previously I had this as a secondary authentication option after PEAP-EAP-TLS:
NPS SSTP (Before).PNG
I tried with PEAP completely removed and EAP-TLS as the only option and still get an authentication error in the app. NPS logs show the same error as before: "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

Working setup is below with only EAP-MSCHAPV2 working:
NPS SSTP (After).PNG
Again, the first setup was working for some time, so I'm not sure what has changed. I'll see if I can find more detailed logging from NPS; perhaps there is a CN mismatch or something with the client certificate.
admin
Site Admin
Posts: 823
Joined: Fri Feb 15, 2019 4:04 pm

Re: SSTP EAP-TLS and EAP-MSCHAPV2 authentication no longer working

Post by admin »

Have you checked if the certificate has expired?
greentea
Posts: 7
Joined: Fri Oct 01, 2021 4:04 pm

Re: SSTP EAP-TLS and EAP-MSCHAPV2 authentication no longer working

Post by greentea »

Client certificate is not expired.