Many customers using Mobility with certificate-based authentication methods are facing problems in the wake of the latest Cumulative Update from Microsoft.
Microsoft has posted an article regarding the specifics here. KB5014754
The originating update is KB5013943, though the cumulative updates will have different update numbers. Commonly seen cumulative updates are KB5013943, KB5013952, KB5009472, KB5014001, KB5014011
At this time, if you are using the Windows Server Network Policy Server role for your Mobility RADIUS authentication, you may encounter authentication errors preventing users from connecting. This is not a bug in Mobility.
Within Mobility's event logs you may see:
EAP authentication failed for Device CLIENTNAME, session SESSIONID, session handle HANDLE, state FAILURE
The event log for the Network Policy Server role may indicate:
Reason Code 16, Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Microsoft has issued an Out-Of-Band update to resolve this issue which can be downloaded from the link above. This update must be applied to domain controllers according to Microsoft.
We have seen cases where installing the update on any Windows Server's running the Network Policy Server (NPS), Enterprise Certificate Authority (ECA) or Active Directory Domain Services (ADDS) roles was required to resolve this issue despite the statement from Microsoft. For help with installing updates to Windows Server, please contact Microsoft.