RADIUS Authentication Debugging: Certificate Selection Issues During EAP-TLS Roaming (Windows)
Windows Certificate Selection During Fast Roaming (EAP-TLS)
Important: Windows 10/11 roaming behavior in multi-certificate environments
In Windows 10 and Windows 11 environments where devices have multiple valid client certificates installed (for example, domain-issued machine certificates alongside Foxpass-issued SCEP certificates), certificate selection during Wi-Fi roaming can impact EAP-TLS stability.
When WPA2-Enterprise fast roaming (PMK caching / pre-authentication) is not properly configured, Windows may re-evaluate available certificates mid-roam and present a different valid certificate than expected. This can result in intermittent EAP failures or disconnects, even when certificates and trust chains are correctly configured.
Symptoms may appear as one or more of the following:
- Intermittent EAP-TLS authentication failures
- Wi-Fi disconnects when moving between access points
- Authentication succeeds on initial connection but fails during roaming
- Foxpass RADIUS logs show an unexpected client certificate
- The presented certificate is valid but issued by a different CA than intended
These symptoms are often inconsistent and difficult to reproduce in static testing.
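Because the failures are intermittent, the most reliable place to confirm the pattern is the RADIUS log: the same client presents a certificate from a different issuer within a short window, typically at the moment it moves to another access point. The following Python script is an added example, not Foxpass code or a description of the Foxpass log format. The log lines embedded in it are constructed in an assumed "timestamp key=value ..." layout (MAC addresses, AP names and issuer names are made up), so the parser will need adapting to your actual export; the detection logic (group by client, sort by time, flag issuer changes within a window and note whether the AP changed at the same time) is what carries over.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED "timestamp key=value ..." layout; a
# stand-in for a real RADIUS log export, not Foxpass's actual format.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z eap=tls result=accept mac=aa:bb:cc:dd:ee:01 ap=ap-1f-east issuer="CN=Foxpass SCEP CA"
2024-05-02T10:00:05Z eap=tls result=accept mac=aa:bb:cc:dd:ee:02 ap=ap-1f-east issuer="CN=Foxpass SCEP CA"
2024-05-02T10:03:12Z eap=tls result=reject mac=aa:bb:cc:dd:ee:01 ap=ap-1f-west issuer="CN=Corp Domain Issuing CA"
2024-05-02T10:03:20Z eap=tls result=accept mac=aa:bb:cc:dd:ee:01 ap=ap-1f-west issuer="CN=Foxpass SCEP CA"
2024-05-02T10:04:00Z eap=tls result=accept mac=aa:bb:cc:dd:ee:02 ap=ap-1f-west issuer="CN=Foxpass SCEP CA"
2024-05-02T12:30:00Z eap=tls result=accept mac=aa:bb:cc:dd:ee:03 ap=ap-2f issuer="CN=Corp Domain Issuing CA"
"""

# key=value pairs; quoted values may contain spaces and '=' (e.g. a DN).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one log line into a dict of fields plus a parsed 'ts' datetime."""
    ts_str, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_issuer_changes(lines, window=timedelta(minutes=10)) -> dict:
    """Per client MAC, list consecutive EAP-TLS attempts whose certificate issuer
    differs from the previous attempt within `window`.  A change that coincides
    with an AP change is the roaming re-selection pattern this page describes."""
    by_client = defaultdict(list)
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Only EAP-TLS events that carry both a client identity and an issuer matter here.
        if ev.get("eap") != "tls" or "issuer" not in ev or "mac" not in ev:
            continue
        by_client[ev["mac"]].append(ev)

    findings = defaultdict(list)
    for mac, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for prev, cur in zip(events, events[1:]):
            if cur["issuer"] == prev["issuer"] or cur["ts"] - prev["ts"] > window:
                continue
            findings[mac].append({
                "at": cur["ts"].isoformat(),
                "from_issuer": prev["issuer"],
                "to_issuer": cur["issuer"],
                "roamed": cur.get("ap") != prev.get("ap"),  # AP changed at the same time
                "result": cur.get("result"),
            })
    return dict(findings)


if __name__ == "__main__":
    for mac, changes in find_issuer_changes(SAMPLE_LOG.splitlines()).items():
        print(mac)
        for change in changes:
            print("  ", change)
```

On the constructed sample, only the first client is reported: it authenticates with the Foxpass-issued certificate, is rejected on a different AP while presenting a domain-CA certificate, then succeeds again with the original certificate. A client that roams without changing issuer, or a client that presents a different issuer only once, produces no finding, which keeps the output focused on the re-selection pattern rather than on every device that happens to hold a second certificate.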
Root Cause
On Windows 10 and Windows 11, if fast roaming is not enabled, roaming between access points can trigger a full EAP reauthentication.
During this reauthentication:
- Windows re-runs certificate selection
- Any valid client certificate matching EAP-TLS requirements may be chosen
- The selected certificate may differ from the one originally used
This can occur even when the Wi-Fi profile is configured to trust a specific issuing CA.
The result is intermittent authentication failures caused by certificate re-selection during roaming, not by PKI trust, certificate validity, or Foxpass RADIUS policy.
Resolution: Enable Fast Roaming for Windows Clients
To prevent certificate re-selection during roaming, Foxpass recommends enabling fast roaming for Windows Wi-Fi profiles.
At a minimum, this includes:
- 802.11r (Fast BSS Transition)
- PMK caching or pre-authentication
These settings prevent full EAP renegotiation during roaming and ensure Windows continues using the originally selected or explicitly trusted client certificate.
Where to Apply the Fix
The mitigation is applied in the client configuration (Microsoft Intune Wi-Fi profiles / Group Policy Wi-Fi profiles), not in Foxpass:
Roaming / Fast Transition
- Fast roaming (802.11r / Fast BSS Transition): Enabled (if supported by the WLAN infrastructure)
- PMK caching: Enabled
- Pre-authentication: Enabled
These settings ensure Windows maintains the existing EAP security context and does not re-run certificate selection or perform a full EAP renegotiation during roaming, which is the condition under which Windows may select an unintended client certificate.
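On a single Windows client, the two profile-level settings above can be verified by exporting the Wi-Fi profile (`netsh wlan export profile name="<profile name>" folder=<directory>`) and reading the PMKCacheMode and preAuthMode elements of the resulting XML. The following Python script is an added example, not a Foxpass tool: it audits an exported profile and writes a copy with both settings enabled. The element names and their order follow the Windows WLAN_profile XML schema; the embedded profile is a constructed sample, not a real export. 802.11r is negotiated with the WLAN infrastructure and is not checked by this script.

```python
import sys
import xml.etree.ElementTree as ET

# Namespace of the Windows WLAN_profile schema emitted by "netsh wlan export profile".
NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
W = {"w": NS}
ET.register_namespace("", NS)  # keep the default namespace when re-serialising

# Order of the <security> children this script touches, taken from the WLAN_profile
# schema (assumed here); a missing element is inserted at its position in this order.
SECURITY_ORDER = ["authEncryption", "PMKCacheMode", "PMKCacheTTL",
                  "PMKCacheSize", "preAuthMode", "preAuthThrottle"]

# Constructed sample export (not a real customer profile): WPA2-Enterprise with
# 802.1X, PMK caching enabled, pre-authentication disabled.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-wifi</name>
  <SSIDConfig><SSID><name>corp-wifi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <PMKCacheMode>enabled</PMKCacheMode>
      <PMKCacheTTL>720</PMKCacheTTL>
      <PMKCacheSize>128</PMKCacheSize>
      <preAuthMode>disabled</preAuthMode>
    </security>
  </MSM>
</WLANProfile>
"""


def _security(root):
    sec = root.find("w:MSM/w:security", W)
    if sec is None:
        raise ValueError("profile has no MSM/security element")
    return sec


def _text(parent, path, default="absent"):
    el = parent.find(path, W)
    return el.text.strip().lower() if el is not None and el.text else default


def audit_roaming_settings(profile_xml: str) -> dict:
    """Report the roaming-related settings of one exported WLAN profile."""
    root = ET.fromstring(profile_xml)
    sec = _security(root)
    report = {
        "name": root.findtext("w:name", default="?", namespaces=W),
        "authentication": _text(sec, "w:authEncryption/w:authentication"),
        "use_onex": _text(sec, "w:authEncryption/w:useOneX"),
        "pmk_cache": _text(sec, "w:PMKCacheMode"),
        "pre_auth": _text(sec, "w:preAuthMode"),
        "issues": [],
    }
    # Only 802.1X (EAP) profiles are affected by certificate re-selection.
    if report["use_onex"] != "true":
        report["issues"].append("useOneX is not true; profile is not an EAP profile")
    for key, tag in (("pmk_cache", "PMKCacheMode"), ("pre_auth", "preAuthMode")):
        if report[key] != "enabled":
            report["issues"].append(f"{tag} is '{report[key]}' (expected 'enabled')")
    return report


def _set_security_flag(sec, tag, value):
    """Set <tag> under <security>, creating it in schema order if it is missing."""
    el = sec.find(f"w:{tag}", W)
    if el is None:
        el = ET.Element(f"{{{NS}}}{tag}")
        pos = 0
        for i, child in enumerate(list(sec)):
            local = child.tag.split("}")[-1]
            if local in SECURITY_ORDER and SECURITY_ORDER.index(local) < SECURITY_ORDER.index(tag):
                pos = i + 1
        sec.insert(pos, el)
    el.text = value


def harden_roaming_settings(profile_xml: str) -> str:
    """Return a copy of the profile with PMK caching and pre-authentication enabled."""
    root = ET.fromstring(profile_xml)
    sec = _security(root)
    _set_security_flag(sec, "PMKCacheMode", "enabled")
    _set_security_flag(sec, "preAuthMode", "enabled")
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for key, value in audit_roaming_settings(xml_text).items():
        print(f"{key}: {value}")
```

Run it against the exported file to see which of the two settings is missing or disabled; the audit is useful for confirming that an Intune or Group Policy deployment actually reached the client, which is where the fix belongs in a managed fleet. The corrected XML that `harden_roaming_settings` produces is only intended for lab reproduction on a single machine (a profile XML can be loaded with `netsh wlan add profile filename=<file>`); the managed profile should still be corrected at the source.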