Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

clear pass windows 11 22H2

  • 1.  clear pass windows 11 22H2

    Posted Oct 25, 2022 05:14 PM
    Hello,

    In recent days we updated some PCs to Windows 11 22H2 and we started to get errors in machine authentication using ClearPass once the token on ClearPass expired. The result in our policy was that the users were quarantined.
    We tried to do some troubleshooting: restarting ClearPass, updating ClearPass to the latest version, and checking domain controllers and Wi-Fi controllers too, without success.
    We opened a support ticket and we found in Access Tracker that the user credentials logged were only the username, without the domain\ prefix we used to see for all users.

    While searching, I found this post in the Microsoft forum:

    Windows 11 22H2 - Can't use saved credential - Microsoft Q&A

    The issue is related to Windows Defender Credential Guard, which is activated by default in Windows 11 22H2. I removed this configuration using a GPO as described in this article, and the problem was resolved after a reboot:

    Manage Windows Defender Credential Guard (Windows) - Windows security

    The question is: is it a Microsoft problem or is it a ClearPass problem?

    Disabling a default operating system feature is not something I like.
    I would like to understand if a solution can be found on the ClearPass side, with a patch, to have the authentication working despite the device guard being enabled.

    I hope this info can be useful to those who will have the same problem as me.


  • 2.  RE: clear pass windows 11 22H2

    Posted Oct 26, 2022 07:46 AM
    Hello Andera,
    Thanks for your info. We have been finding that Windows 11 22H2 has a ton of bugs. The quick fix we found was to forget the SSID (enterprise) and reconnect; this fixes the issue, and you don't have to turn off Windows Defender guard.


  • 3.  RE: clear pass windows 11 22H2

    Posted Oct 26, 2022 07:56 AM
    Hi Harris,
    Thank you for your suggestion.
    We tried, but it didn't work for us, maybe because in our environment the SSID is deployed with a GPO.
    I will try to exclude one PC from the policy and try your solution.


  • 4.  RE: clear pass windows 11 22H2

    EMPLOYEE
    Posted Oct 26, 2022 07:53 AM
    This has been discussed before here and here.

    If you need a 'suspect', it would be Windows 11. ClearPass has no role in Credential Guard.

    Microsoft seems to use this as part of their recommendation to move away from MSCHAPv2. Using PEAP/MSCHAPv2 is something you should not do unless you have full control over your clients, and even then you should consider a move to EAP-TLS, which is not too hard to deploy when you have full control over your clients. So you are right that it is not good to disable a security feature in your clients, especially if that feature is (finally) preventing you from using insecure protocols.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
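
To see which clients are affected before choosing between disabling Credential Guard and moving to EAP-TLS, the following PowerShell is an added example, not code from any poster in this thread. It reports whether Credential Guard is running and which saved WLAN profiles still use MSCHAPv2; it assumes it is run locally on the Windows client, and the variable and column names are chosen here for illustration.

```powershell
# Added example (not from the thread). Run on a Windows client.
# IANA EAP method numbers: 13 = EAP-TLS, 25 = PEAP, 26 = EAP-MSCHAPv2.
$eapNames = @{ 13 = 'EAP-TLS'; 25 = 'PEAP'; 26 = 'EAP-MSCHAPv2' }

# Win32_DeviceGuard lists running virtualization-based services; 1 = Credential Guard.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard'
$credGuardRunning = $dg.SecurityServicesRunning -contains 1

# Export every saved WLAN profile as XML into a throwaway folder.
$tmp = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
netsh wlan export profile folder="$tmp" | Out-Null

$report = foreach ($file in Get-ChildItem -Path $tmp -Filter *.xml) {
    [xml]$xml = Get-Content -Path $file.FullName -Raw

    # Match on local-name() because the EAP elements sit in several XML namespaces.
    $types = @($xml.SelectNodes("//*[local-name()='Eap']/*[local-name()='Type']") |
               ForEach-Object { [int]$_.InnerText })
    if ($types.Count -eq 0) { continue }   # PSK or open network, no EAP configured

    # Present when the MSCHAPv2 method is set to reuse the Windows logon credentials.
    $sso = $xml.SelectSingleNode("//*[local-name()='UseWinLogonCredentials']")

    [pscustomobject]@{
        Profile           = $xml.WLANProfile.name
        EapMethods        = ($types | ForEach-Object { $eapNames[$_] }) -join ' / '
        UsesMsChapV2      = $types -contains 26   # candidates for an EAP-TLS migration
        UsesLogonCreds    = ($null -ne $sso -and $sso.InnerText -eq 'true')
        CredentialGuardOn = $credGuardRunning
    }
}

Remove-Item -Path $tmp -Recurse -Force   # exported profiles are no longer needed
$report | Format-Table -AutoSize
```

A profile that shows `PEAP / EAP-MSCHAPv2` on a machine where `CredentialGuardOn` is true matches the combination discussed in this thread.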