Security


802.1X EAP-TLS with Windows 11

  • 1.  802.1X EAP-TLS with Windows 11

    Posted Dec 15, 2023 06:27 AM

    Hello Guys,

    One of our customers currently faces an issue where Windows 11 clients cannot connect to 802.1X with EAP-TLS. ClearPass rejects them with unknown_ca.

    The clients were all upgraded from Windows 10 (where the connections are working).

    We deleted the computer certificate, intermediate and root CA and reissued them from scratch. Same error.

    When importing the intermediate and root CA into ClearPass we get the message that the certificates are already in the trust list (of course they are).

    I followed a trace for Microsoft's Credential Guard, but it only matters with PEAP, not EAP-TLS.

    The next trace we are trying is to check whether TLS 1.3 is used. According to the W11 documentation it's activated by default. But that would also mean that the option changes with upgrading. We still have no answer to that question. We did some tcpdumps and saw some "Encrypted Alert" packets.

    We are also approaching the GPO admins to check their configuration.

    Our internal W11 clients have no issues with 802.1X. We updated from W10 to W11 and didn't have to change any configuration on the client or server side.

    Are there any known issues with Windows 11 and EAP-TLS?

    Best regards

    Morris



  • 2.  RE: 802.1X EAP-TLS with Windows 11

    Posted Dec 15, 2023 10:32 AM

    https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes




  • 3.  RE: 802.1X EAP-TLS with Windows 11

    Posted Dec 18, 2023 07:16 AM

    In ClearPass Access Tracker, unknown_ca normally appears together with "server" or "client". If it is server: unknown_ca, the client presents a certificate that is not trusted by ClearPass; if it is client: unknown_ca, your client does not trust the ClearPass server certificate.

    When reading @ahollifield's response, it probably is the client reporting the unknown CA, but good to make sure and avoid investigating in the wrong direction.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: 802.1X EAP-TLS with Windows 11

    Posted Dec 19, 2023 05:06 AM
    unknown_ca
    That's the error we receive.
    We will create a new SSID and start the configuration from scratch in the new year. The current SSID is pushed by GPO, and currently someone is either sick or on vacation.



  • 5.  RE: 802.1X EAP-TLS with Windows 11

    Posted Dec 19, 2023 07:36 AM

    That is the client not trusting the ClearPass server certificate's Root CA. In the link shared earlier about differences between Windows 10 and Windows 11, you can see a few suggestions around certificate trust.

    Rebuilding your SSID sounds useless from what you have shared. This is with close to certainty a client configuration issue which needs to be fixed on the client side.



    ------------------------------
    Herman Robers
    ------------------------------



  • 6.  RE: 802.1X EAP-TLS with Windows 11

    Posted Dec 20, 2023 05:19 AM
    Edited by Herman Robers Dec 20, 2023 05:21 AM

    I just got alerted (thanks to Jisc Eduroam UK) that there is a known issue with Windows 11 December 2023 update on Wi-Fi networks that have fast roaming (802.11r) enabled:

    Check full message here.

    Suggested workaround is to disable 802.11r or avoid installation of the specific patches (or uninstall them if installed already).

    The issue may be different/unrelated, but wanted to share it anyway.

    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: 802.1X EAP-TLS with Windows 11

    Posted Dec 20, 2023 07:21 AM

    Although we are not experiencing this issue on our campus, a friend who works at UB's IT department is trying to find a fix for a Wi-Fi issue they encountered after a Windows 11 update (KB5032288), causing clients to not be able to connect to eduroam. We have also heard other places are seeing this; the Windows 11 update (KB5032288) seems to be the common denominator.




  • 8.  RE: 802.1X EAP-TLS with Windows 11

    Posted Feb 01, 2024 02:53 AM

    Hi

    The January KB solves the fast roaming issue. :-)




  • 9.  RE: 802.1X EAP-TLS with Windows 11

    Posted Jan 31, 2024 11:22 AM

    Were you able to overcome this issue?




  • 10.  RE: 802.1X EAP-TLS with Windows 11

    Posted Feb 01, 2024 03:30 AM

    We are still waiting for a computer that we can use for testing.




  • 11.  RE: 802.1X EAP-TLS with Windows 11

    Posted Feb 06, 2024 06:13 AM

    Quick update: We have created a new 802.1X SSID so that the client can connect manually. The production SSID is GPO-configured, so we could not make any changes on the client side.

    Result: 802.1X now works with W11 and the same certificate.

    We are now analysing which GPO configuration is the reason for our problems. The Conductor configuration and the certificate are identical. W10 works, W11 doesn't.




  • 12.  RE: 802.1X EAP-TLS with Windows 11

    Posted Feb 17, 2024 07:18 AM

    Thanks for the update. For our lab we were able to get this working on W10 and W11 by disabling a setting in our ClearPass RADIUS server parameters called "Disable RSA-PSS Signature Suite in EAP-TLS". I read in some other forums that there were possibly some Windows bugs in dealing with RSA-PSS.




  • 13.  RE: 802.1X EAP-TLS with Windows 11

    Posted Feb 19, 2024 03:29 AM

    There is a known bug in Trusted Platform Module (TPM) 2.0 v1.16 for secure key storage, which does not allow the use of RSA-PSS. This is a client side issue and upgrading the TPM version may or may not be possible, and it should only occur with clients that store certificates in hardware/TPM.

    Here is an external link that describes the issue in pretty good detail.



    ------------------------------
    Herman Robers
    ------------------------------



  • 14.  RE: 802.1X EAP-TLS with Windows 11

    Posted Mar 04, 2024 04:41 AM

    We have obviously found out what the problem was, but we can't make any sense of it.

    In the GPO, the checkbox in the upper circle was active (which translates as "Check the identity of the server using certificate verification"). At the same time, only one root certificate was selected in the lower circle (as a reminder: this setting works with W10, but not with W11).

    If we deactivate the checkboxes, everything works. If we activate the upper checkbox and all (!) three root CAs, it also works.




  • 15.  RE: 802.1X EAP-TLS with Windows 11

    Posted Mar 11, 2024 05:46 AM

    Hi magro,

    maybe this helps:

    I answered it before in another thread.
    Windows 11 wants the IP address, and Windows 10 wants the DNS name.
    You can separate the addresses with ;

    https://community.arubanetworks.com/discussion/eap-tls-auth-issues-with-windows-11#bm8fbe89b9-213d-4a8b-8b82-018aa753cf21
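As an added check (not from the thread or from Aruba) that makes posts 14 and 15 concrete, the PowerShell below exports a wireless 802.1X profile and audits its EAP-TLS server-validation block: the ServerNames list (the ';'-separated entries from post 15) and the pinned TrustedRootCA thumbprints (the root-CA selection from post 14), comparing each pin against the machine Root store. The profile name 'Corp-8021X' is a placeholder, and it assumes the profile is visible to netsh wlan on an elevated session.

```powershell
# Added example, not from the thread. Audits the server-validation settings of a
# wireless 802.1X profile: ServerNames (post 15) and TrustedRootCA pins (post 14).
# Placeholder profile name; replace with the name shown by 'netsh wlan show profiles'.
$ProfileName = 'Corp-8021X'

$exportDir = Join-Path $env:TEMP 'eap-audit'
New-Item -ItemType Directory -Force -Path $exportDir | Out-Null
netsh wlan export profile name="$ProfileName" folder="$exportDir" | Out-Null
$xmlFile = Get-ChildItem -Path $exportDir -Filter '*.xml' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $xmlFile) { Write-Warning "Profile '$ProfileName' was not exported"; return }
[xml]$profile = Get-Content -Path $xmlFile.FullName -Raw

# EAP-TLS settings live under EapHostConfig/Config/Eap/EapType/ServerValidation.
$sv = $profile.GetElementsByTagName('ServerValidation') | Select-Object -First 1
if (-not $sv) { Write-Warning 'No ServerValidation block: server certificate is not validated'; return }

$noPrompt    = ($profile.GetElementsByTagName('DisableUserPromptForServerValidation') | Select-Object -First 1).InnerText
$serverNames = ($profile.GetElementsByTagName('ServerNames') | Select-Object -First 1).InnerText
# Thumbprints are stored as space-separated hex bytes; normalise for comparison.
$pinnedRoots = @($profile.GetElementsByTagName('TrustedRootCA') |
    ForEach-Object { ($_.InnerText -replace '\s', '').ToUpperInvariant() })

Write-Host "DisableUserPromptForServerValidation : $noPrompt"
# Post 15: several names (DNS name and IP address) can be listed, separated by ';'.
Write-Host 'ServerNames entries:'
foreach ($n in ("$serverNames" -split ';' | Where-Object { $_.Trim() })) { Write-Host "  - $($n.Trim())" }

# Post 14: Windows 11 only worked once every root CA in play was selected, so
# show which pinned thumbprints actually exist in LocalMachine\Root.
$installedRoots = Get-ChildItem -Path Cert:\LocalMachine\Root
Write-Host "TrustedRootCA pins: $($pinnedRoots.Count)"
foreach ($tp in $pinnedRoots) {
    $match = $installedRoots | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    if ($match) { Write-Host "  $tp  OK  $($match.Subject)" }
    else        { Write-Warning "  $tp  not present in LocalMachine\Root" }
}
if ($pinnedRoots.Count -eq 0) {
    Write-Warning 'No root pinned: any root in the machine store is accepted'
} elseif ($pinnedRoots.Count -eq 1) {
    Write-Warning 'Only one root pinned; confirm it is the root the RADIUS server certificate chains to'
}
```

For wired 802.1X the same elements appear in the profile exported by netsh lan export profile, so the parsing part applies unchanged.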