I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'.
If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details.
Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.
Does anyone have an idea how to correct this?
Case match? Newer versions of Windows 11 are now case sensitive (or soon will be, I can't remember the timing)
Thanks for the reply.
The only area where the case would be an issue is in the 'connect to these servers' field in the group policy wireless settings, and I have this in the correct case that matches the Clearpass server certificate.
You can define multiple servers.
What I found out: Windows 11 wants the IP address, Windows 10 wants the DNS name of the certificate.
So my settings look like this: IP;name
Stewart Smith, ACMX, ACDX, ACCP, ACSA
Windows 11 wants the IP address, and Windows 10 wants the DNS name.
So you could add both servers.
Hi, I tried this today. It does not work for me, unfortunately.
A few more details:
For both user and computer the same error is in the logs: ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied
The ClearPass cert contains the common name in the SAN:
The GPO settings look like this, where crucial.CRUCIAL-DC.CA is the cert authority. There are two instances in the list. If I click both it makes no difference, and when I close the details and open them again only one is ticked. The case and spelling of the CPPM server is correct and this address is registered in DNS.
OK, changing to lowercase does not work, but removing the tick does! I find it really strange that enabling the tick works for Windows 10 but not Windows 11.
Anyway, many thanks for this
Try to turn off Credential Guard: https://www.groovypost.com/howto/turn-off-credential-guard-on-windows-11/
Try to turn off Credential Guard.
I believe "Only connect to these servers" can be useful if your RADIUS certificate was issued from a public CA chain. Otherwise somebody else could get a certificate from the same chain and do a MITM attack, for example.
Seeing two instances there leads me to believe that you have two copies of the CA cert in the certificate store and maybe they are different CA certs with different signatures. Could you delete both CA certs and push only the correct CA using GPO (or manually) and try with the tick enabled again?
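To make the point of the previous two posts concrete, here is an added illustration (not Windows, ClearPass or any poster's code) of the server-name check a supplicant performs when 'Connect to these servers' is populated: the certificate must chain to the trusted CA *and* carry one of the listed names, otherwise the client aborts with the 'access denied' alert seen in the ClearPass log. The certificate identity, the IP address and the hostname below are constructed values. DNS names are compared case-insensitively by default, with a `case_sensitive` switch to show how a stricter comparison fails on a case mismatch.

```python
"""Supplicant-side server-name check for EAP-TLS, constructed example.

Not the Windows supplicant's or ClearPass's code; it models the decision
a client makes when a 'Connect to these servers' list is configured.
"""
import ipaddress

# Constructed identity of a RADIUS server certificate. In reality these
# values come from the certificate's Subject CN and SubjectAltName.
CPPM_CERT = {
    "common_name": "cppm.crucial.example",   # constructed
    "san_dns": ["cppm.crucial.example"],     # constructed
    "san_ip": ["192.0.2.10"],                # constructed, RFC 5737 range
}


def _as_ip(value):
    """Return an ip_address object if value is a literal IP, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_equal(a, b, case_sensitive=False):
    """DNS labels are case-insensitive and a trailing dot is insignificant."""
    a, b = a.rstrip("."), b.rstrip(".")
    return a == b if case_sensitive else a.lower() == b.lower()


def server_name_matches(cert, allowed_servers, case_sensitive=False):
    """Decide whether cert is an acceptable RADIUS server identity.

    allowed_servers is the semicolon-separated GPO string, e.g. 'IP;name'.
    Returns (accepted, reason). An empty list means no name pinning: any
    certificate from the trusted CA is accepted, which is the weaker,
    MITM-prone configuration mentioned in the thread.
    """
    entries = [e.strip() for e in allowed_servers.split(";") if e.strip()]
    if not entries:
        return True, "no server list configured; any cert from the trusted CA is accepted"

    for entry in entries:
        ip = _as_ip(entry)
        if ip is not None:
            # IP entries are matched only against SAN iPAddress values.
            if any(_as_ip(s) == ip for s in cert["san_ip"]):
                return True, f"matched SAN IP {ip}"
            continue
        # Hostname entries are matched against SAN dNSName values; the CN is
        # consulted only when the certificate carries no dNSName at all.
        for dns in cert["san_dns"]:
            if _dns_equal(dns, entry, case_sensitive):
                return True, f"matched SAN DNS {dns}"
        if not cert["san_dns"] and _dns_equal(cert["common_name"], entry, case_sensitive):
            return True, "matched CN (certificate has no SAN dNSName)"

    return False, "no entry matched; supplicant sends TLS alert 'access denied'"


if __name__ == "__main__":
    for servers in ("192.0.2.10;cppm.crucial.example", "CPPM.CRUCIAL.EXAMPLE", "rogue.example", ""):
        print(repr(servers), "->", server_name_matches(CPPM_CERT, servers))
    print("strict case:", server_name_matches(CPPM_CERT, "CPPM.CRUCIAL.EXAMPLE", case_sensitive=True))
```

The last line shows why a server list that is spelled correctly can still be rejected if the supplicant compares names more strictly than DNS semantics require; the 'IP;name' form from earlier in the thread passes as long as the certificate carries both an iPAddress and a dNSName SAN entry.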
Every time I have deployed a CA there have been two instances of the root cert in the list in the group policy setting. As far as I know, the root certificate is deployed automatically to all devices that are domain members. The devices only have one copy of the root cert.
Looking at the two certificates in the group policy settings, they are identical.