Original Message:
Sent: Dec 20, 2023 05:19 AM
From: Herman Robers
Subject: 802.1X EAP-TLS with Windows 11
I just got alerted (thanks to Jisc Eduroam UK) that there is a known issue with Windows 11 December 2023 update on Wi-Fi networks that have fast roaming (802.11r) enabled:
Check full message here.
Suggested workaround is to disable 802.11r or avoid installation of the specific patches (or uninstall them if installed already).
The issue may be different/unrelated, but wanted to share it anyway.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Dec 19, 2023 07:35 AM
From: Herman Robers
Subject: 802.1X EAP-TLS with Windows 11
That is the client not trusting the ClearPass server certificate's Root CA. In the link shared earlier about differences between Windows 10 and Windows 11, you can see a few suggestions around certificate trust.
Rebuilding your SSID sounds useless from what you have shared. This is with close to certainty a client configuration issue which needs to be fixed on the client side.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Dec 19, 2023 05:05 AM
From: magro
Subject: 802.1X EAP-TLS with Windows 11
That's the error we receive.
We will create a new SSID and start the configuration from scratch in the new year. Current SSID is pushed by GPO and currently someone is either sick or on vacation.
Original Message:
Sent: Dec 18, 2023 07:16 AM
From: Herman Robers
Subject: 802.1X EAP-TLS with Windows 11
In ClearPass Access Tracker, the unknown_ca is normally together with server or client. If it is server: unknown_ca, the client presents a certificate that is not trusted by ClearPass; if it is client: unknown_ca, your client does not trust the ClearPass server certificate.
When reading @ahollifield's response, it probably is the client reporting the unknown CA, but good to make sure and avoid investigating in the wrong direction.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Dec 15, 2023 06:26 AM
From: magro
Subject: 802.1X EAP-TLS with Windows 11
Hello Guys,
One of our customers currently faces an issue that Windows 11 clients cannot connect to 802.1X with EAP-TLS. ClearPass rejects them with unknown_ca.
The clients are all upgraded from Windows 10 (where the connections are working).
We deleted the computer certificate, intermediate and root CA and reissued from scratch. Same error.
When importing intermediate and root CA to ClearPass we get the message that the certificates are already in the trust list (of course it is).
I followed a trace for Microsoft's Credential Guard, but it only matters with PEAP, not EAP-TLS.
The next trace we are trying is to check if TLS 1.3 is used. According to W11 documentation it's activated by default. But that would also mean that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.
We are also approaching the GPO-Admins to check their configuration.
Our internal W11 have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configurations on client or server side.
Are there any known issues with Windows 11 and EAP-TLS?
Best regards
Morris