Security

Hello Guys,

one of our customers currently face an issue, that windows 11 clients cannot connect to 802.1X with EAP-TLS. Clearpass rejects them with unknown_ca.

The clients are all upgraded from windows 10 (where the connections are working).

We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error. 

When importing intermediate and root ca to ClearPass we get the message, that the certifcates are already in the trust list (of course it is).

I followed a trace for Microsofts Credential Guard, but it only matters with PEAP, not EAP-TLS.

The next trace we are trying to check if TLS 1.3 is used. According to W11 documentation its activated by default. But that would also mean, that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

We are also approaching the GPO-Admins to check their configuration.

Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.

Are there any known issues with Windows 11 and EAP-TLS?

Best regards

Morris

Hello Guys,

one of our customers currently face an issue, that windows 11 clients cannot connect to 802.1X with EAP-TLS. Clearpass rejects them with unknown_ca.

The clients are all upgraded from windows 10 (where the connections are working).

We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error. 

When importing intermediate and root ca to ClearPass we get the message, that the certifcates are already in the trust list (of course it is).

I followed a trace for Microsofts Credential Guard, but it only matters with PEAP, not EAP-TLS.

The next trace we are trying to check if TLS 1.3 is used. According to W11 documentation its activated by default. But that would also mean, that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

We are also approaching the GPO-Admins to check their configuration.

Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.

Are there any known issues with Windows 11 and EAP-TLS?

Best regards

Morris

In ClearPass Access Tracker, the unknown_ca is normally together with server or client, if it is server: unknown_ca, the client presents a certificate that is not trusted by the ClearPass, if it is client: unknown_ca, your client does not trust the ClearPass server certificate.

When reading @ahollifield's response, it probably is the client reporting the unknown CA, but good to make sure and avoid investigating in the wrong direction.

Hello Guys,

one of our customers currently face an issue, that windows 11 clients cannot connect to 802.1X with EAP-TLS. Clearpass rejects them with unknown_ca.

The clients are all upgraded from windows 10 (where the connections are working).

We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error. 

When importing intermediate and root ca to ClearPass we get the message, that the certifcates are already in the trust list (of course it is).

I followed a trace for Microsofts Credential Guard, but it only matters with PEAP, not EAP-TLS.

The next trace we are trying to check if TLS 1.3 is used. According to W11 documentation its activated by default. But that would also mean, that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

We are also approaching the GPO-Admins to check their configuration.

Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.

Are there any known issues with Windows 11 and EAP-TLS?

Best regards

Morris

In ClearPass Access Tracker, the unknown_ca is normally together with server or client, if it is server: unknown_ca, the client presents a certificate that is not trusted by the ClearPass, if it is client: unknown_ca, your client does not trust the ClearPass server certificate.

When reading @ahollifield's response, it probably is the client reporting the unknown CA, but good to make sure and avoid investigating in the wrong direction.

Hello Guys,

one of our customers currently face an issue, that windows 11 clients cannot connect to 802.1X with EAP-TLS. Clearpass rejects them with unknown_ca.

The clients are all upgraded from windows 10 (where the connections are working).

We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error. 

When importing intermediate and root ca to ClearPass we get the message, that the certifcates are already in the trust list (of course it is).

I followed a trace for Microsofts Credential Guard, but it only matters with PEAP, not EAP-TLS.

The next trace we are trying to check if TLS 1.3 is used. According to W11 documentation its activated by default. But that would also mean, that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

We are also approaching the GPO-Admins to check their configuration.

Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.

Are there any known issues with Windows 11 and EAP-TLS?

Best regards

Morris

That is the client not trusting the ClearPass server certificate's Root CA. In the link share earlier about differences between Windows 10 and Windows 11, you can see a few suggestions around certificate trust.

Rebuilding your SSID sounds useless from what you have shared. This is with close to certainty a client configuration issue which needs to be fixed on the client side.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 19, 2023 05:05 AM
From: magro
Subject: 802.1X EAP-TLS with Windows 11

Original Message:
Sent: Dec 18, 2023 07:16 AM
From: Herman Robers
Subject: 802.1X EAP-TLS with Windows 11

In ClearPass Access Tracker, the unknown_ca is normally together with server or client, if it is server: unknown_ca, the client presents a certificate that is not trusted by the ClearPass, if it is client: unknown_ca, your client does not trust the ClearPass server certificate.

When reading @ahollifield's response, it probably is the client reporting the unknown CA, but good to make sure and avoid investigating in the wrong direction.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 15, 2023 06:26 AM
From: magro
Subject: 802.1X EAP-TLS with Windows 11

Hello Guys,

one of our customers currently face an issue, that windows 11 clients cannot connect to 802.1X with EAP-TLS. Clearpass rejects them with unknown_ca.

The clients are all upgraded from windows 10 (where the connections are working).

We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error. 

When importing intermediate and root ca to ClearPass we get the message, that the certifcates are already in the trust list (of course it is).

I followed a trace for Microsofts Credential Guard, but it only matters with PEAP, not EAP-TLS.

The next trace we are trying to check if TLS 1.3 is used. According to W11 documentation its activated by default. But that would also mean, that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

We are also approaching the GPO-Admins to check their configuration.

Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.

Are there any known issues with Windows 11 and EAP-TLS?

Best regards

Morris

I just got alerted (thanks to Jisc Eduroam UK) that there is a known issue with Windows 11 December 2023 update on Wi-Fi networks that have fast roaming (802.11r) enabled:

Check full message here.

Suggested workaround is to disable 802.11r or avoid installation of the specific patches (or uninstall them if installed already).

The issue may be different/unrelated, but wanted to share it anyway.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 19, 2023 07:35 AM
From: Herman Robers
Subject: 802.1X EAP-TLS with Windows 11

That is the client not trusting the ClearPass server certificate's Root CA. In the link share earlier about differences between Windows 10 and Windows 11, you can see a few suggestions around certificate trust.

Rebuilding your SSID sounds useless from what you have shared. This is with close to certainty a client configuration issue which needs to be fixed on the client side.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 19, 2023 05:05 AM
From: magro
Subject: 802.1X EAP-TLS with Windows 11

Original Message:
Sent: Dec 18, 2023 07:16 AM
From: Herman Robers
Subject: 802.1X EAP-TLS with Windows 11

In ClearPass Access Tracker, the unknown_ca is normally together with server or client, if it is server: unknown_ca, the client presents a certificate that is not trusted by the ClearPass, if it is client: unknown_ca, your client does not trust the ClearPass server certificate.

When reading @ahollifield's response, it probably is the client reporting the unknown CA, but good to make sure and avoid investigating in the wrong direction.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 15, 2023 06:26 AM
From: magro
Subject: 802.1X EAP-TLS with Windows 11

Hello Guys,

one of our customers currently face an issue, that windows 11 clients cannot connect to 802.1X with EAP-TLS. Clearpass rejects them with unknown_ca.

The clients are all upgraded from windows 10 (where the connections are working).

We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error. 

When importing intermediate and root ca to ClearPass we get the message, that the certifcates are already in the trust list (of course it is).

I followed a trace for Microsofts Credential Guard, but it only matters with PEAP, not EAP-TLS.

The next trace we are trying to check if TLS 1.3 is used. According to W11 documentation its activated by default. But that would also mean, that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

We are also approaching the GPO-Admins to check their configuration.

Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.

Are there any known issues with Windows 11 and EAP-TLS?

Best regards

Morris

I just got alerted (thanks to Jisc Eduroam UK) that there is a known issue with Windows 11 December 2023 update on Wi-Fi networks that have fast roaming (802.11r) enabled:

Check full message here.

Suggested workaround is to disable 802.11r or avoid installation of the specific patches (or uninstall them if installed already).

The issue may be different/unrelated, but wanted to share it anyway.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 19, 2023 07:35 AM
From: Herman Robers
Subject: 802.1X EAP-TLS with Windows 11

That is the client not trusting the ClearPass server certificate's Root CA. In the link share earlier about differences between Windows 10 and Windows 11, you can see a few suggestions around certificate trust.

Rebuilding your SSID sounds useless from what you have shared. This is with close to certainty a client configuration issue which needs to be fixed on the client side.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 19, 2023 05:05 AM
From: magro
Subject: 802.1X EAP-TLS with Windows 11

Original Message:
Sent: Dec 18, 2023 07:16 AM
From: Herman Robers
Subject: 802.1X EAP-TLS with Windows 11

In ClearPass Access Tracker, the unknown_ca is normally together with server or client, if it is server: unknown_ca, the client presents a certificate that is not trusted by the ClearPass, if it is client: unknown_ca, your client does not trust the ClearPass server certificate.

When reading @ahollifield's response, it probably is the client reporting the unknown CA, but good to make sure and avoid investigating in the wrong direction.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 15, 2023 06:26 AM
From: magro
Subject: 802.1X EAP-TLS with Windows 11

Hello Guys,

one of our customers currently face an issue, that windows 11 clients cannot connect to 802.1X with EAP-TLS. Clearpass rejects them with unknown_ca.

The clients are all upgraded from windows 10 (where the connections are working).

We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error. 

When importing intermediate and root ca to ClearPass we get the message, that the certifcates are already in the trust list (of course it is).

I followed a trace for Microsofts Credential Guard, but it only matters with PEAP, not EAP-TLS.

The next trace we are trying to check if TLS 1.3 is used. According to W11 documentation its activated by default. But that would also mean, that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

We are also approaching the GPO-Admins to check their configuration.

Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.

Are there any known issues with Windows 11 and EAP-TLS?

Best regards

Morris

In ClearPass Access Tracker, the unknown_ca is normally together with server or client, if it is server: unknown_ca, the client presents a certificate that is not trusted by the ClearPass, if it is client: unknown_ca, your client does not trust the ClearPass server certificate.

When reading @ahollifield's response, it probably is the client reporting the unknown CA, but good to make sure and avoid investigating in the wrong direction.

Hello Guys,

one of our customers currently face an issue, that windows 11 clients cannot connect to 802.1X with EAP-TLS. Clearpass rejects them with unknown_ca.

The clients are all upgraded from windows 10 (where the connections are working).

We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error. 

When importing intermediate and root ca to ClearPass we get the message, that the certifcates are already in the trust list (of course it is).

I followed a trace for Microsofts Credential Guard, but it only matters with PEAP, not EAP-TLS.

The next trace we are trying to check if TLS 1.3 is used. According to W11 documentation its activated by default. But that would also mean, that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

We are also approaching the GPO-Admins to check their configuration.

Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.

Are there any known issues with Windows 11 and EAP-TLS?

Best regards

Morris

Were you able to overcome this issue?

In ClearPass Access Tracker, the unknown_ca is normally together with server or client, if it is server: unknown_ca, the client presents a certificate that is not trusted by the ClearPass, if it is client: unknown_ca, your client does not trust the ClearPass server certificate.

When reading @ahollifield's response, it probably is the client reporting the unknown CA, but good to make sure and avoid investigating in the wrong direction.

Hello Guys,

one of our customers currently face an issue, that windows 11 clients cannot connect to 802.1X with EAP-TLS. Clearpass rejects them with unknown_ca.

The clients are all upgraded from windows 10 (where the connections are working).

We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error. 

When importing intermediate and root ca to ClearPass we get the message, that the certifcates are already in the trust list (of course it is).

I followed a trace for Microsofts Credential Guard, but it only matters with PEAP, not EAP-TLS.

The next trace we are trying to check if TLS 1.3 is used. According to W11 documentation its activated by default. But that would also mean, that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

We are also approaching the GPO-Admins to check their configuration.

Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.

Are there any known issues with Windows 11 and EAP-TLS?

Best regards

Morris

We are still waiting for a computer that we can use for testing.

Were you able to overcome this issue?

In ClearPass Access Tracker, the unknown_ca is normally together with server or client, if it is server: unknown_ca, the client presents a certificate that is not trusted by the ClearPass, if it is client: unknown_ca, your client does not trust the ClearPass server certificate.

When reading @ahollifield's response, it probably is the client reporting the unknown CA, but good to make sure and avoid investigating in the wrong direction.

Hello Guys,

one of our customers currently face an issue, that windows 11 clients cannot connect to 802.1X with EAP-TLS. Clearpass rejects them with unknown_ca.

The clients are all upgraded from windows 10 (where the connections are working).

We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error. 

When importing intermediate and root ca to ClearPass we get the message, that the certifcates are already in the trust list (of course it is).

I followed a trace for Microsofts Credential Guard, but it only matters with PEAP, not EAP-TLS.

The next trace we are trying to check if TLS 1.3 is used. According to W11 documentation its activated by default. But that would also mean, that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

We are also approaching the GPO-Admins to check their configuration.

Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.

Are there any known issues with Windows 11 and EAP-TLS?

Best regards

Morris

Quick update: We have created a new 802.1X SSID so that the client can connect manually. The productive SSID is GPO-configured so that we could not make any changes on the client side.

Result: 802.1X works now with W11 and the same certificate.

We are now analysing which GPO configuration is the reason for our problems. The conductor configuration and the certificate are identical. W10 works, W11 doesn't..

We are still waiting for a computer that we can use for testing.

Were you able to overcome this issue?

In ClearPass Access Tracker, the unknown_ca is normally together with server or client, if it is server: unknown_ca, the client presents a certificate that is not trusted by the ClearPass, if it is client: unknown_ca, your client does not trust the ClearPass server certificate.

When reading @ahollifield's response, it probably is the client reporting the unknown CA, but good to make sure and avoid investigating in the wrong direction.

Hello Guys,

one of our customers currently face an issue, that windows 11 clients cannot connect to 802.1X with EAP-TLS. Clearpass rejects them with unknown_ca.

The clients are all upgraded from windows 10 (where the connections are working).

We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error. 

When importing intermediate and root ca to ClearPass we get the message, that the certifcates are already in the trust list (of course it is).

I followed a trace for Microsofts Credential Guard, but it only matters with PEAP, not EAP-TLS.

The next trace we are trying to check if TLS 1.3 is used. According to W11 documentation its activated by default. But that would also mean, that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

We are also approaching the GPO-Admins to check their configuration.

Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.

Are there any known issues with Windows 11 and EAP-TLS?

Best regards

Morris

Thanks for the update.  For our lab we were able to get this working on W10 and W11 by disabling a setting in our Clearpass Radius Server parameters called "Disable RSA-PSS Signature Suite in EAP-TLS".  I read in some other forums that there was possibly some Windows bugs in dealing with RSA-PSS.  

Quick update: We have created a new 802.1X SSID so that the client can connect manually. The productive SSID is GPO-configured so that we could not make any changes on the client side.

Result: 802.1X works now with W11 and the same certificate.

We are now analysing which GPO configuration is the reason for our problems. The conductor configuration and the certificate are identical. W10 works, W11 doesn't..

We are still waiting for a computer that we can use for testing.

Were you able to overcome this issue?

In ClearPass Access Tracker, the unknown_ca is normally together with server or client, if it is server: unknown_ca, the client presents a certificate that is not trusted by the ClearPass, if it is client: unknown_ca, your client does not trust the ClearPass server certificate.

When reading @ahollifield's response, it probably is the client reporting the unknown CA, but good to make sure and avoid investigating in the wrong direction.

Hello Guys,

one of our customers currently face an issue, that windows 11 clients cannot connect to 802.1X with EAP-TLS. Clearpass rejects them with unknown_ca.

The clients are all upgraded from windows 10 (where the connections are working).

We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error. 

When importing intermediate and root ca to ClearPass we get the message, that the certifcates are already in the trust list (of course it is).

I followed a trace for Microsofts Credential Guard, but it only matters with PEAP, not EAP-TLS.

The next trace we are trying to check if TLS 1.3 is used. According to W11 documentation its activated by default. But that would also mean, that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

We are also approaching the GPO-Admins to check their configuration.

Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.

Are there any known issues with Windows 11 and EAP-TLS?

Best regards

Morris

Quick update: We have created a new 802.1X SSID so that the client can connect manually. The productive SSID is GPO-configured so that we could not make any changes on the client side.

Result: 802.1X works now with W11 and the same certificate.

We are now analysing which GPO configuration is the reason for our problems. The conductor configuration and the certificate are identical. W10 works, W11 doesn't..

We are still waiting for a computer that we can use for testing.

Were you able to overcome this issue?

In ClearPass Access Tracker, the unknown_ca is normally together with server or client, if it is server: unknown_ca, the client presents a certificate that is not trusted by the ClearPass, if it is client: unknown_ca, your client does not trust the ClearPass server certificate.

When reading @ahollifield's response, it probably is the client reporting the unknown CA, but good to make sure and avoid investigating in the wrong direction.

Hello Guys,

one of our customers currently face an issue, that windows 11 clients cannot connect to 802.1X with EAP-TLS. Clearpass rejects them with unknown_ca.

The clients are all upgraded from windows 10 (where the connections are working).

We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error. 

When importing intermediate and root ca to ClearPass we get the message, that the certifcates are already in the trust list (of course it is).

I followed a trace for Microsofts Credential Guard, but it only matters with PEAP, not EAP-TLS.

The next trace we are trying to check if TLS 1.3 is used. According to W11 documentation its activated by default. But that would also mean, that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

We are also approaching the GPO-Admins to check their configuration.

Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.

Are there any known issues with Windows 11 and EAP-TLS?

Best regards

Morris

We have obviously found out what the problem was, but we can't make any sense of it.

In the GPO, the checkbox in the upper circle was active (which translates as "Check the identity of the server using certificate verification"). At the same time, only one root certificate was selected in the lower circle (as a reminder: this setting works with W10, but not with W11).

If we deactivate the checkboxes, everything works. If we activate the upper checkbox and all(!) three root CAs, it also works.

Quick update: We have created a new 802.1X SSID so that the client can connect manually. The productive SSID is GPO-configured so that we could not make any changes on the client side.

Result: 802.1X works now with W11 and the same certificate.

We are now analysing which GPO configuration is the reason for our problems. The conductor configuration and the certificate are identical. W10 works, W11 doesn't..

We are still waiting for a computer that we can use for testing.

Were you able to overcome this issue?

In ClearPass Access Tracker, the unknown_ca is normally together with server or client, if it is server: unknown_ca, the client presents a certificate that is not trusted by the ClearPass, if it is client: unknown_ca, your client does not trust the ClearPass server certificate.

When reading @ahollifield's response, it probably is the client reporting the unknown CA, but good to make sure and avoid investigating in the wrong direction.

Hello Guys,

one of our customers currently face an issue, that windows 11 clients cannot connect to 802.1X with EAP-TLS. Clearpass rejects them with unknown_ca.

The clients are all upgraded from windows 10 (where the connections are working).

We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error. 

When importing intermediate and root ca to ClearPass we get the message, that the certifcates are already in the trust list (of course it is).

I followed a trace for Microsofts Credential Guard, but it only matters with PEAP, not EAP-TLS.

The next trace we are trying to check if TLS 1.3 is used. According to W11 documentation its activated by default. But that would also mean, that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

We are also approaching the GPO-Admins to check their configuration.

Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.

Are there any known issues with Windows 11 and EAP-TLS?

Best regards

Morris