[T57W] 802.1X EAP-TLS Authentication problem
HelmiSokrates
Hello,

We are struggling with implementing 802.1x Authentication on our T57W phones.
But NPS denies the connection due to different reasons.

I'll try to explain our config as simply as possible:

Active Directory
Created AD user with MAC address as username

Microsoft CA (server role)
General / Publish in AD: yes
Certificate template for Client Authentication
Subject Name / Build from AD information: yes
Subject Name / Build from AD information / settings: Fully dist. name, include UPN
Issuance Requirements / This number of authorized signatures: 1
Request Handling / Purpose: Signature and encryption
Request Handling / Allow private key to be exported: yes
Request Handling / Enroll subject without requiring user input: yes
Cryptography / Provider Category: Key Storage Provider
Cryptography / Algorithm: ECDH_P384
Cryptography / Minimum size: 384
Cryptography / Provider: Microsoft Software Key Storage Provider
Cryptography / Request Hash: SHA256

-> I created a cert from this template on behalf of the user created before, and this cert is available in the user's "Published Certificates" tab

Phone UI settings
For testing I configured the settings directly via the Phone UI (attachment 802.1x_DeviceSettings.png).
  • Here I uploaded the user certificate as device certificate
  • CA cert is our root CA certificate
  • Identity is the MAC address of the phone
  • MD5 pwd is empty

Microsoft NPS

NPS Connection Request Policy
Conditions
User Name regex MAC address
Settings
Authentication: Local Computer
-> this works

NPS Network Policy
Conditions
Nas Port Type = Ethernet
User Groups = AD group that contains specified AD user
Constraints
Authentication Methods = EAP/PEAP (with EAP type "smartcard or certificate")
Certificate for identification: server cert of NPS server

Result
NPS shows the following in the event log (shortened):

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: DOMAIN\123456789012
Account Name: 123456789012
Account Domain: DOMAIN
Fully Qualified Account Name: domain.local/802.1X/Phones/123456789012

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 10-4f-58-97-ba-00
Calling Station Identifier: 12-34-56-78-90-12

Authentication Details:
Connection Request Policy Name: ConReqPolPhone
Network Policy Name: NetPolPhone
Authentication Provider: Windows
Authentication Server: server.domain.local
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 300
Reason: No credentials are available in the security package


I think I missed a simple setting or something like that, but I don't have any idea what else I can try.

I also read the Whitepaper before, but that doesn't help me:
https://support.yealink.com/forward2down...8apeJJtP8=

Regards
Florian


08-08-2023 01:38 PM
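
Added example, not part of the original post: a small Python parser for the NPS denial event text quoted above. It keeps the repeated field names apart by section and flags that the server logged PEAP with no EAP type, while the thread is about EAP-TLS. The function names, the finding labels and the expected value "EAP" for a directly negotiated EAP-TLS session are assumptions of this example.

```python
import re

# Constructed sample: selected lines of the NPS denial event quoted in the post.
SAMPLE_EVENT = r"""
Network Policy Server denied access to a user.
User:
Security ID: DOMAIN\123456789012
Account Name: 123456789012
Client Machine:
Account Name: -
Calling Station Identifier: 12-34-56-78-90-12
Authentication Details:
Network Policy Name: NetPolPhone
Authentication Type: PEAP
EAP Type: -
Reason Code: 300
Reason: No credentials are available in the security package
"""

def parse_nps_event(text):
    """Return {section: {field: value}}; 'Account Name' repeats per section."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition(":")
        if sep and not value.strip():        # "User:" style section header
            current = sections.setdefault(key.strip(), {})
        elif sep and current is not None:    # "Field: value" inside a section
            current[key.strip()] = value.strip()
    return sections

def mac_digits(value):
    """Reduce a MAC or MAC-style user name to bare lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", value.lower())

def triage(sections, expected_outer="EAP"):
    """Return (reason_code, findings). expected_outer="EAP" is an assumption:
    the value NPS logs when EAP-TLS is negotiated directly, not inside PEAP."""
    user = sections.get("User", {})
    client = sections.get("Client Machine", {})
    auth = sections.get("Authentication Details", {})
    findings = []
    if auth.get("Authentication Type") != expected_outer:
        findings.append("outer-method-mismatch")
    if auth.get("EAP Type", "-") == "-":
        findings.append("no-eap-type-negotiated")
    if mac_digits(user.get("Account Name", "")) != mac_digits(
            client.get("Calling Station Identifier", "")):
        findings.append("identity-differs-from-calling-station")
    return auth.get("Reason Code"), findings

if __name__ == "__main__":
    print(triage(parse_nps_event(SAMPLE_EVENT)))
```

On the sample, the identity matches the calling station MAC, so the two findings left are the outer method and the missing EAP type, which point at the Authentication Methods constraint of the network policy as the setting to compare against the phone's 802.1X mode.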