Original Message:
Sent: Nov 07, 2024 07:42 AM
From: harutyun.hakobyan
Subject: EAP-TLS failure after upgrade to Windows 11
Windows clients configuration is via MS Intune and Windows 11 was upgraded from 10, which was working fine.
Could not find any difference in interface dot1x configurations between 10 and 11, therefore it was strange.
And previous setting for "Disable TLSv1.3 support" was Admin.
Original Message:
Sent: Nov 07, 2024 06:54 AM
From: jonas.hammarback
Subject: EAP-TLS failure after upgrade to Windows 11
Hi
If Network is selected TLS 1.3 is only disabled during network authentication, but is still in use for the admin web GUI. If Admin is selected TLS 1.3 is disabled for the admin web GUI but is still in use for network authentications.
When All is selected TLS 1.0 is disabled for both functions, and with None TLS 1.3 is enabled.
The behavior of your Windows 11 clients is strange, as both Windows 10 and 11 support TLS 1.3.
Do you know if there are any special configurations done on the Windows 11 clients?
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Nov 07, 2024 05:41 AM
From: harutyun.hakobyan
Subject: EAP-TLS failure after upgrade to Windows 11
Update: after disabling TLSv1.3 support in Cluster-Wide Parameters, Windows 11 clients succeeded dot1x authentication for both LAN and WLAN:
Original Message:
Sent: Nov 07, 2024 03:56 AM
From: harutyun.hakobyan
Subject: EAP-TLS failure after upgrade to Windows 11
Temporarily disabled TLS 1.2 on ClearPass, didn't help.
"RSA-PSS Signature Suit in EAP-TLS" was initially disabled, but it also didn't help.
This is the log on ClearPass:
And this is on Windows 11:
Original Message:
Sent: Nov 06, 2024 09:02 AM
From: Herman Robers
Subject: EAP-TLS failure after upgrade to Windows 11
Do you have your client certificates stored in the TPM of your client? In that case, you may have hit a known bug in some TPMs. Disable RSA-PSS in that case to work around that:
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Nov 06, 2024 08:01 AM
From: harutyun.hakobyan
Subject: EAP-TLS failure after upgrade to Windows 11
Hi All,
After the upgrade to Windows 11 from 10, dot1x authentication is failing for both LAN and WLAN with this error:
What else should I check in ClearPass and on the client side?
Thanks