Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

EAP-TLS Auth issues with Windows 11

This thread has been viewed 133 times
  • 1.  EAP-TLS Auth issues with Windows 11

    Posted Sep 14, 2023 01:58 PM

    I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

    If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

    Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

    Does anyone have an idea how to correct this?



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------


  • 2.  RE: EAP-TLS Auth issues with Windows 11

    Posted Sep 14, 2023 04:43 PM

    Case match?  Newer versions of Windows 11 are now case sensitive (or soon will be, I can't remember the timing)




  • 3.  RE: EAP-TLS Auth issues with Windows 11

    Posted Sep 16, 2023 03:00 AM

    Thanks for the reply.

    the only area where the case would be an issue is in the 'connect to these servers' in the group policy wireless settings and I have this in the correct case that matches the Clearpass server certificate. 



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------



  • 4.  RE: EAP-TLS Auth issues with Windows 11

    Posted Sep 19, 2023 11:17 AM

    Hi ssmith.

    You can define multiple servers.

    What I found out: Windows 11 wants the IP address, Windows 10 wants the DNS name of the certificate.

    So my settings looks like this: IP;name




  • 5.  RE: EAP-TLS Auth issues with Windows 11

    Posted Sep 19, 2023 11:17 AM

    Hi ssmith,

    Windows 11 wants the IP address, and Windows 10 wants the DNS name.

    So you could add both servers.

    IP;DNS




  • 6.  RE: EAP-TLS Auth issues with Windows 11

    Posted Sep 20, 2023 04:51 AM

    Hi, I tried this today. it does not work for me unfortunately



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------



  • 7.  RE: EAP-TLS Auth issues with Windows 11

    Posted Sep 18, 2023 05:13 AM

    A few more details:

    For both user and computer the same error is in the logs: ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied

    The ClearPass cert contains the common name in the SAN:

    The GPO Settings look like this, where crucial.CRUCIAL-DC.CA is the cert authority. There are two instances in the list. If I click both it makes no difference and when I close the details and open them again only one is ticked. The case and spelling of the CPPM server is correct and this address is registered in DNS

    In 'Advanced', I have these ticked but it makes no difference



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------



  • 8.  RE: EAP-TLS Auth issues with Windows 11
    Best Answer

    Posted Sep 18, 2023 06:41 AM
    What if you change the hostname to lowercase? If you turn off “only connect to these servers” checkbox does it then work?

    Personally, I’ve never understood the use-case for this. Just let TLS certificate trust take care of itself




  • 9.  RE: EAP-TLS Auth issues with Windows 11

    Posted Sep 18, 2023 07:26 AM

    OK, changing to lowercase does not work, but removing the tick does! I find it really strange that enabling the tick works for Windows 10 but not Windows 11.

    Anyway, many thanks for this 



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------



  • 10.  RE: EAP-TLS Auth issues with Windows 11

    Posted Sep 21, 2023 11:02 AM

    try to turn off Credencitial Guard: https://www.groovypost.com/howto/turn-off-credential-guard-on-windows-11/




  • 11.  RE: EAP-TLS Auth issues with Windows 11

    Posted Sep 21, 2023 11:02 AM

    try to turn off credential guard.

    https://www.groovypost.com/howto/turn-off-credential-guard-on-windows-11/




  • 12.  RE: EAP-TLS Auth issues with Windows 11

    Posted Sep 19, 2023 07:28 AM

    I believe "Only connect to these servers" can be useful if your RADIUS certificate was issued from a public CA chain. Otherwise somebody else could get a certificate from the same chain and do a MITM attack, for example.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 13.  RE: EAP-TLS Auth issues with Windows 11

    EMPLOYEE
    Posted Sep 21, 2023 04:35 PM

    Seeing two instances there leads me to believe that you have two copies of the CA cert in the certificate store and maybe they are different CA certs with different signatures. Could you delete both CA certs and push only the correct CA using GPO (or manually) and try with the tick enabled again?




  • 14.  RE: EAP-TLS Auth issues with Windows 11

    Posted Sep 22, 2023 04:14 AM

    Every time I have deployed a CA there have been two instances of the root cert in the list in the group policy setting. As far as I know, the root certificate is deployed automatically to all devices that are domain members. The devices only have one copy of the root cert

    Looking at the two certificates in the group policy settings - they are identical



    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------