Hello,
I am trying to set up a wireless network access policy which allows client computers to authenticate with their computer credentials for wireless access. Clients connect to the SSID which is controlled by a Cisco WLAN controller. The WLAN controller points to an NPS server, which is a Windows Server 2008 R2 machine that is also an AD Domain Controller. The only condition that I have currently set up is a Machine Groups rule that the computer must be part of the Domain Computers AD group.
My policy works on Windows 7/8 computers but does not work on Windows XP computers. All computers are using the Windows wzcsvc service to manage wireless networks. Everything works when using Domain Users as the NPS condition, but we must use computer authentication instead.
By looking at the NPS logs I see that there is a difference between authentication attempts from Windows XP computers and Windows 7 computers. The NPS server logs only show authentication attempts with the user name for Windows XP computers, but they show the computer name for Windows 7.
In Windows XP, I have tried forcing computer authentication by changing the registry value HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode to 2. The AuthMode DWORD was missing from this registry key, so I had to create it, but it did not help at all.
I have tried everything on three different Windows XP laptops with the same result.
The SSID Properties in XP are set to:
Authentication: WPA2
Data Encryption: AES
EAP type: PEAP
"Authenticate as computer when computer information is available" is checked
The NPS logs below show that the RADIUS User ID being sent to NPS is the computer name on Windows 7, but on Windows XP it's the user's name. I don't know what I'm doing wrong, but I suspect this is part of the issue.
Thanks!
LOG FOR SUCCESSFUL ATTEMPT (Windows 7)
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: "DOMAINNAME"\"COMPUTERNAME"$
Account Name: host/"COMPUTERNAME"."FULLDOMAINNAME"
Account Domain: "DOMAINNAME"
Fully Qualified Account Name: "DOMAINNAME"\"COMPUTERNAME"$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: d0-c7-89-b8-6a-40:"SSIDNAME"
Calling Station Identifier: 3c-a9-f4-1f-a5-18
NAS:
NAS IPv4 Address: 192.168.5.251
NAS IPv6 Address: -
NAS Identifier: "WLC-CONTROLLERNAME"
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 13
RADIUS Client:
Client Friendly Name: "WLC-CONTROLLERNAME"
Client IP Address: 192.168.5.251
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Wireless Access
Authentication Provider: Windows
Authentication Server: "NPSSERVER-FQDN"
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -
----------------------------------------------------------------------------
LOG FOR UNSUCCESSFUL ATTEMPT (Windows XP)
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: "DOMAINNAME"\"USERNAME"
Account Name: "DOMAINNAME"\"USERNAME"
Account Domain: "DOMAINNAME"
Fully Qualified Account Name: "FULLDOMAINNAME"/OU/OU/"USERACCOUNTNAME"
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: d0-c7-89-a1-2d-f0:"SSIDNAME"
Calling Station Identifier: 00-16-6f-45-9e-ac
NAS:
NAS IPv4 Address: 192.168.5.251
NAS IPv6 Address: -
NAS Identifier: "WLC-CONTROLLERNAME"
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 13
RADIUS Client:
Client Friendly Name: "WLC-CONTROLLERNAME"
Client IP Address: 192.168.5.251
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: "NPSSERVER-FQDN"
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the
Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
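Added example, not part of the original post: a small Python triage script that parses NPS event text of the shape shown in the two logs above and reports which kind of identity the client presented (a machine account, seen as host/... or DOMAIN\NAME$, versus a user account), which network policy matched, and the reason code. The two sample events are constructed from the redacted excerpts above and abbreviated; the field names are the ones that appear in the logs, and the verdict wording is the example's own.

```python
"""Classify NPS (Network Policy Server) event text by the identity the client presented.
Added example; the sample events are constructed from the post's redacted log excerpts."""
import re

# Constructed sample: abbreviated Windows 7 success event (placeholders, no real names).
WIN7_EVENT = r"""
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: DOMAINNAME\COMPUTERNAME$
Account Name: host/COMPUTERNAME.FULLDOMAINNAME
Account Domain: DOMAINNAME
Client Machine:
Security ID: NULL SID
NAS:
NAS Port-Type: Wireless - IEEE 802.11
Authentication Details:
Network Policy Name: Wireless Access
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Quarantine Information:
Result: Full Access
"""

# Constructed sample: abbreviated Windows XP denial event.
XP_EVENT = r"""
Network Policy Server denied access to a user.
User:
Security ID: DOMAINNAME\USERNAME
Account Name: DOMAINNAME\USERNAME
Account Domain: DOMAINNAME
Client Machine:
Security ID: NULL SID
Authentication Details:
Network Policy Name: Connections to other access servers
Authentication Type: EAP
EAP Type: -
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user.
"""

# A section header is a line such as "User:" or "Client Machine:" with nothing after the colon.
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*$")


def parse_nps_event(text):
    """Return {section: {key: value}} plus a top-level 'message' (the first free-text line).
    Keys are split on the first ': ' so values containing colons (EAP Type, SSIDs) survive."""
    parsed = {"message": "", "": {}}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            parsed.setdefault(section, {})
            continue
        if ": " in line:
            key, value = line.split(": ", 1)
            parsed.setdefault(section, {})[key.strip()] = value.strip()
        elif not parsed["message"]:
            parsed["message"] = line
    return parsed


def find_key(event, key):
    """Look a key up in any section; NPS places Reason Code under Authentication Details."""
    for fields in event.values():
        if isinstance(fields, dict) and key in fields:
            return fields[key]
    return None


def identity_kind(user_section):
    """Machine accounts appear as host/<fqdn> in Account Name or DOMAIN\\NAME$ in Security ID."""
    account = user_section.get("Account Name", "")
    sid_name = user_section.get("Security ID", "")
    if account.startswith("host/") or sid_name.endswith("$"):
        return "machine"
    return "user"


def triage(text):
    """Summarise one event: identity type, matched policy, reason code and a short verdict."""
    event = parse_nps_event(text)
    user = event.get("User", {})
    auth = event.get("Authentication Details", {})
    reason = find_key(event, "Reason Code")
    summary = {
        "identity": identity_kind(user),
        "account": user.get("Account Name", "-"),
        "network_policy": auth.get("Network Policy Name", "-"),
        "reason_code": int(reason) if reason and reason.isdigit() else None,
    }
    if summary["identity"] == "machine":
        summary["verdict"] = "machine identity presented; a Machine Groups condition can match it"
    else:
        summary["verdict"] = "user identity presented; a Machine Groups-only policy will not match it"
    return summary


if __name__ == "__main__":
    for label, sample in (("Windows 7", WIN7_EVENT), ("Windows XP", XP_EVENT)):
        print(label, triage(sample))
```

Run it on the full text of an NPS event (for example, the message body of a security event copied from Event Viewer) to see at a glance whether the supplicant sent a machine or a user identity, which is the first thing to check when a Machine Groups condition fails for one client type only.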