MS IAS 2003 - EAP-TLS Machine Auth Fail


WiN0T
05-03-2007, 10:23 AM
We have a pilot 802.11 solution using an MS IAS server for authentication. We are using EAP-TLS authentication. We are having an issue with Machine authentication. We see the following error when the machine attempts to authenticate:

User host/F80096.mdta.ad.mdot.mdstate was denied access.
Fully-Qualified-User-Name = mdta.ad.mdot.mdstate/mdta/PoliceLaptops/F80096
NAS-IP-Address = 10.93.76.68
NAS-Identifier = 10.93.76.68
Called-Station-Identifier = 000B8641BBE0
Calling-Station-Identifier = 0012F08D4497
Client-Friendly-Name = mdta-fskpol-wswt1
Client-IP-Address = 10.93.76.68
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = MdTA-PEAP_&_TLS
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.

For more information, see Help and Support Center at

We have checked and reissued the machine certs to the test laptop and we see the cert in the machine's local personal store. If we reconfigure for PEAP the laptop logs in perfectly, so the IAS policy appears to be correct. Any ideas why EAP-TLS would fail but PEAP would work fine for machine authentication?

User authentication works fine with PEAP and TLS.
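Since PEAP (password-based) machine authentication succeeds against the same policy, the computer account itself is fine; what EAP-TLS adds is the certificate-to-account mapping, so the usual suspects are the machine certificate's Client Authentication EKU, the DNS name in its Subject Alternative Name (IAS matches it to the computer's FQDN), the private key, and the chain. The following PowerShell check is an added example, not part of the original post or of any Microsoft tool; it is run on the client laptop as an administrator and derives the expected FQDN from DNS rather than assuming the host name in the event text. The "DNS Name=" string it matches is the English-locale formatting produced by the .NET extension formatter; on other locales adjust the pattern.

```powershell
# Added example (not from the original post): sanity-check every certificate in
# LocalMachine\My against what EAP-TLS machine authentication needs.
# Assumptions: run elevated on the client; expected FQDN comes from DNS.
$expectedFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ekuOid        = '2.5.29.37'           # extendedKeyUsage
$sanOid        = '2.5.29.17'           # subjectAltName

$certs = @(Get-ChildItem Cert:\LocalMachine\My)
if ($certs.Count -eq 0) { Write-Warning 'No certificates in LocalMachine\My'; return }

foreach ($cert in $certs) {
    $problems = @()

    # 1. A private key must be present, otherwise the TLS handshake cannot complete.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    # 2. EKU must include Client Authentication.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuOid }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $clientAuthOid) { $problems += 'missing Client Authentication EKU' }

    # 3. SAN must carry the computer's FQDN as a DNS name (machine auth mapping).
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanText = ''
    if ($san) { $sanText = $san.Format($true) }
    if ($sanText -notmatch ('DNS Name=' + [regex]::Escape($expectedFqdn))) {
        $problems += "SAN does not contain DNS Name=$expectedFqdn (found: '$($sanText.Trim())')"
    }

    # 4. Validity window.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside validity period' }

    # 5. Chain must build to a trusted root on this machine. This is only the
    #    client's view; the IAS server must also trust the issuing CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is a separate test
    if (-not $chain.Build($cert)) {
        $statuses = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build: $statuses"
    }

    Write-Host ("Subject: {0}  Thumbprint: {1}" -f $cert.Subject, $cert.Thumbprint)
    if ($problems.Count -eq 0) {
        Write-Host '  OK for EAP-TLS machine authentication'
    } else {
        $problems | ForEach-Object { Write-Host "  PROBLEM: $_" }
    }
}
```

A certificate that passes every check here but still yields Reason-Code 16 points at the server side: confirm the same CA is in the IAS server's trusted roots and that the SAN DNS name resolves to the computer account the FQDN in the event text names.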