Security


EAP-TLS failure after upgrade to Windows 11

  • 1.  EAP-TLS failure after upgrade to Windows 11

    Posted Nov 06, 2024 08:02 AM

    Hi All,

    After upgrading from Windows 10 to Windows 11, dot1x authentication is failing for both LAN and WLAN with this error:


    In ClearPass all TLS versions are enabled, as by default.
    What else should I check in ClearPass and on the client side?

    Thanks


  • 2.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 06, 2024 08:13 AM

    Hi

    I have never seen this error message, but apparently the client and ClearPass server can't negotiate the signature algorithm.

    Do you have FIPS mode enabled in ClearPass or do you have hardened Windows clients? FIPS mode will disable several different algorithms.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 06, 2024 08:19 AM

    Hi,
    FIPS is disabled.




  • 4.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 06, 2024 08:30 AM

    Hello harutyun.hakobyan,

    Did you get to see the show log of the screenshot you sent us, to see if there are any more details?
    You can look at your Windows PC logs as well, to see if there are any details of the device negotiation.
    And what you could also do is a PCAP capture, to see the TLS negotiations.
    Normally TLS is enabled in ClearPass. But you can try to disable TLS 1.2 momentarily and test. Not always, but there are some devices that do not support TLS 1.2, and this may be the case.
    You can disable TLS 1.2 in the service parameters section, inside the RADIUS service.



    ------------------------------
    Daniel Ruiz
    -----------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support.
    Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------



  • 5.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 06, 2024 09:03 AM

    Do you have your client certificates stored in the TPM of your client? In that case, you may have hit a known bug in some TPMs. Disable RSA-PSS in that case to work around that:



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 07, 2024 03:57 AM

    Temporarily disabled TLS 1.2 on ClearPass; it didn't help.

    "RSA-PSS Signature Suit in EAP-TLS" was initially disabled, but it also didn't help.

    This is log on ClearPass:

    And this is on Windows 11:




  • 7.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 07, 2024 04:09 AM

    Have you verified with more than one Windows 11 client, just to eliminate an issue with a specific client?

    If you have tested more clients, have they been deployed in the same way? Can you try to get a Windows 11 client deployed from a USB device, without GPO or Intune policies, and just configure the 802.1x settings manually? This will of course also include installing a certificate manually, or just including the client in the certificate enrollment policy.

    This test will show if there are any issues with settings applied by company policies in GPO or Intune.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 8.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 07, 2024 05:42 AM

    Update: after disabling TLSv1.3 support in Cluster-Wide Parameters, Windows 11 clients succeeded dot1x authentication for both LAN and WLAN:


    What does it mean here Admin and Network options?




  • 9.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 07, 2024 06:54 AM

    Hi

    If Network is selected TLS 1.3 is only disabled during network authentication, but is still in use for the admin web GUI. If Admin is selected TLS 1.3 is disabled for the admin web GUI but is still in use for network authentications.

    When All is selected TLS 1.0 is disabled for both functions, and with None TLS 1.3 is enabled.

    The behavior of your Windows 11 clients is strange, as both Windows 10 and 11 support TLS 1.3.

    Do you know if there are any special configurations done on the Windows 11 clients?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 10.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 07, 2024 07:42 AM
    Edited by harutyun.hakobyan Nov 07, 2024 07:43 AM

    Windows client configuration is via MS Intune, and Windows 11 was upgraded from 10, which was working fine.
    Could not find any difference in interface dot1x configurations between 10 and 11, therefore it was strange.

    And previous setting for "Disable TLSv1.3 support" was Admin.




  • 11.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted 26 days ago

    Update: Windows 11 forces the use of TLS 1.3 for EAP-TLS authentications, so it should be enabled on the ClearPass side.
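The PCAP check suggested earlier in the thread comes down to comparing what the client's ClientHello offers (supported_versions and signature_algorithms extensions) with what the server allows. The following is an added example, not code from this thread or from ClearPass: it builds a constructed ClientHello (modelling a Windows 11 client that offers only TLS 1.3, as the final update describes) and parses it; it assumes the raw TLS record has already been extracted from the EAP-TLS payload, and the server-side allowed sets are hypothetical inputs you fill in from the ClearPass settings.

```python
import struct

# IANA extension types (RFC 8446)
EXT_SIGNATURE_ALGORITHMS = 13
EXT_SUPPORTED_VERSIONS = 43

TLS_VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
SIGALG_NAMES = {0x0401: "rsa_pkcs1_sha256", 0x0403: "ecdsa_secp256r1_sha256",
                0x0804: "rsa_pss_rsae_sha256", 0x0809: "rsa_pss_pss_sha256"}


def build_client_hello(versions, sigalgs):
    """Construct a minimal TLS ClientHello record (constructed sample input, not a real capture)."""
    sv = b"".join(struct.pack(">H", v) for v in versions)
    exts = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(sv) + 1) + bytes([len(sv)]) + sv
    sa = b"".join(struct.pack(">H", a) for a in sigalgs)
    exts += struct.pack(">HH", EXT_SIGNATURE_ALGORITHMS, len(sa) + 2) + struct.pack(">H", len(sa)) + sa
    body = struct.pack(">H", 0x0303) + bytes(32) + b"\x00"   # legacy_version, random, empty session_id
    body += struct.pack(">H", 2) + b"\x13\x01"               # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                       # compression_methods: null only
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (versions offered, signature algorithms offered) from a ClientHello TLS record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                                      # record hdr, handshake hdr, legacy_version, random
    pos += 1 + record[pos]                                    # session_id
    pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + record[pos]                                    # compression_methods
    ext_len = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    versions, sigalgs = [], []
    while pos < end:
        etype, elen = struct.unpack(">HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SUPPORTED_VERSIONS:                   # 1-byte length, then 2-byte versions
            versions = [struct.unpack(">H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
        elif etype == EXT_SIGNATURE_ALGORITHMS:               # 2-byte length, then 2-byte scheme ids
            n = struct.unpack(">H", data[:2])[0]
            sigalgs = [struct.unpack(">H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
    return versions, sigalgs


def negotiation_check(record, server_versions, server_sigalgs):
    """Intersect the client's offer with what the server allows; an empty list means the handshake cannot succeed."""
    versions, sigalgs = parse_client_hello(record)
    return {"common_versions": [TLS_VERSION_NAMES.get(v, hex(v)) for v in versions if v in server_versions],
            "common_sigalgs": [SIGALG_NAMES.get(a, hex(a)) for a in sigalgs if a in server_sigalgs]}
```

With the server set to TLS 1.2 only (the "Disable TLSv1.3 support" case) the version intersection is empty, which is the failure mode the thread ends on; enabling 0x0304 on the server side makes it non-empty.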