Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8

  • 1.  Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8

    Posted Feb 22, 2024 04:52 PM

    We're in the midst of migrating from on prem device management to Intune Managed for our organization.

    We have new OOB Win 11 laptops which when deployed with Autopilot are able to connect to the secure WiFi and the Wired network through ClearPass without issue.

    When I take one of our existing Windows 10 laptops, which, while domain joined, have no issues with ClearPass, and reset it and enroll it through Intune, it has trouble connecting either through our secure WiFi or via a wired connection.

    The errors seem to point to Certificate Authority issues, but all of the certificates pushed through Intune are on the devices, and if I upgrade them to Windows 11 the issue seems to go away.


    In the logs for the connection attempts I see this group of errors on either WiFi or wired attempts:

    ERROR RadiusServer.Radius - TLS Alert read:fatal:unknown CA
    ERROR RadiusServer.Radius - TLS_accept:failed in error
    ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
    ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed

    Wondering if anyone else has seen this and knows what the issue could be?
    Randal
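The log lines above come from the OpenSSL layer inside ClearPass's RADIUS service, and the one detail that decides where to look is the word after "TLS Alert": "read" means the alert arrived from the peer (the Windows supplicant refused the server's certificate chain), while "write" would mean ClearPass itself sent the alert (it refused the client's certificate). The added triage script below (example code written for this thread, not part of ClearPass or any HPE tooling) parses such lines and reports which side rejected which chain; the sample input is the four lines quoted in the post plus one constructed "write" line to show the other direction. It also flags that the "tlsv1 alert ..." wording in the OpenSSL reason string is the alert's family name, not evidence of the negotiated protocol version.

```python
"""Triage EAP-TLS handshake failures from ClearPass / rlm_eap_tls log lines.

Added example for this thread; it is not ClearPass code. Only the log lines
quoted in the thread are real; the final sample line is constructed.
"""
import re
from typing import Dict, List, Optional

# "TLS Alert read:fatal:unknown CA" -> direction, level, description
ALERT_RE = re.compile(r"TLS Alert (?P<direction>read|write):(?P<level>\w+):(?P<desc>[^\r\n]+)")
# "error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca"
SSL_ERR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>[^\r\n]+)")

# Alerts that mean "I could not validate the certificate chain you sent me".
CERT_ALERTS = {"unknown CA", "bad certificate", "certificate expired",
               "certificate unknown", "certificate revoked", "unsupported certificate"}


def classify_alert(line: str) -> Optional[Dict[str, str]]:
    """Return who rejected whose chain for one 'TLS Alert' line, else None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    desc = m.group("desc").strip()
    if m.group("direction") == "read":
        # The peer sent the alert: the supplicant refused the RADIUS server's chain.
        side, hint = "supplicant", ("client does not trust the CA that issued the RADIUS "
                                    "server certificate; push that CA (root and any "
                                    "intermediates) to the client trust store / 802.1X profile")
    else:
        # ClearPass sent the alert: it refused the client certificate's chain.
        side, hint = "radius_server", ("ClearPass does not trust the CA that issued the client "
                                       "certificate; add that CA to the ClearPass trust list")
    return {
        "direction": m.group("direction"),
        "level": m.group("level"),
        "alert": desc,
        "rejected_by": side,
        "hint": hint if desc in CERT_ALERTS else "not a certificate-trust alert",
    }


def explain_ssl_error(line: str) -> Optional[Dict[str, object]]:
    """Decode the OpenSSL 'error:...:SSL routines:...' fragment, if present."""
    m = SSL_ERR_RE.search(line)
    if not m:
        return None
    reason = m.group("reason").strip()
    # Reason strings such as "tlsv1 alert unknown ca" name the alert family that
    # TLS 1.0 introduced; they say nothing about which version was negotiated.
    return {
        "code": m.group("code"),
        "function": m.group("func"),
        "reason": reason,
        "implies_tls_version": False if reason.startswith("tlsv1 alert") else None,
    }


def triage(lines: List[str]) -> Dict[str, object]:
    """Summarise a batch of RADIUS log lines into 'who rejected what' findings."""
    alerts = [a for a in (classify_alert(l) for l in lines) if a]
    errors = [e for e in (explain_ssl_error(l) for l in lines) if e]
    return {
        "alert_count": len(alerts),
        "rejected_by": sorted({a["rejected_by"] for a in alerts if a["hint"] != "not a certificate-trust alert"}),
        "hints": sorted({a["hint"] for a in alerts}),
        "version_evidence_in_reason": any(e["implies_tls_version"] for e in errors),
    }


# Sample input: the four lines quoted in the thread, plus one constructed
# "write" line showing what the opposite failure would look like.
SAMPLE_LOG = [
    "ERROR RadiusServer.Radius - TLS Alert read:fatal:unknown CA",
    "ERROR RadiusServer.Radius - TLS_accept:failed in error",
    "ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. "
    "error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca",
    "ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed",
    "ERROR RadiusServer.Radius - TLS Alert write:fatal:unknown CA",  # constructed
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        finding = classify_alert(line)
        if finding:
            print(f"{finding['direction']:5} {finding['alert']:12} rejected_by={finding['rejected_by']}: {finding['hint']}")
    print(triage(SAMPLE_LOG))
```

Run on the thread's own four lines, the script attributes the failure to the supplicant side, which matches the eventual fix in this thread (pushing the internal CA's root certificate to the Windows 10 devices' network profiles).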


  • 2.  RE: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8

    EMPLOYEE
    Posted Feb 22, 2024 05:03 PM

    You need to upload and trust the certificate for the root CA that signed those user/device certificates in ClearPass.

    Has that been done?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8

    Posted Feb 22, 2024 05:29 PM

    Thanks Ariya,

    Yes that has been done.

    Randal




  • 4.  RE: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8

    EMPLOYEE
    Posted Feb 22, 2024 06:24 PM

    OK, have you disabled TLS 1.0 and TLS 1.1 on ClearPass? It's under Administration > Server Configuration > Cluster-wide Parameters > General.

    Also check in Access Tracker; you should be able to see what TLS version the client is using.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 5.  RE: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8

    Posted Feb 22, 2024 07:49 PM

    OK, that's a possibility. Looks like 1.0 and 1.1 are not disabled, and it's hard to see in Access Tracker what TLS version is used by the failing computers, but in the error above it does say "tlsv1 alert unknown ca", which might be indicating 1.0, but it's hard to know for sure. I don't see any other indication of TLS version in the logs.

    I checked the logs of computers that can connect in Access Tracker and I don't see the TLS version mentioned for them.

    I'll do some testing in the morning. I may have to wait for our outage to disable those and make sure it doesn't cause issues for other devices. I may be able to force the Windows 10 computer to not use 1.0 or 1.1 which I'll try first tomorrow.

    If that fixes it I'll update here.

    Thanks




  • 6.  RE: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8

    EMPLOYEE
    Posted Feb 22, 2024 08:04 PM

    OK, if TLS v1 and 1.1 are not disabled in ClearPass then that's not an issue. It would have been an issue if they were disabled and the client cert was using them.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 7.  RE: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8

    Posted Feb 23, 2024 03:11 AM

    Hi,

    Could it be linked to this Win 10 bug in TLS 1.2?

    https://support.microsoft.com/en-us/topic/windows-10-devices-can-t-connect-to-an-802-1x-environment-179ef277-e6ef-8ea3-cb0e-11a6b80fa955



    ------------------------------
    StephaneLALARDIE
    ------------------------------



  • 8.  RE: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8

    Posted Feb 23, 2024 03:41 AM

    Which RADIUS server certificate is used? Public signed or private signed?
    Do the Intune enrolled devices trust this certificate?



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 9.  RE: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8

    Posted Feb 23, 2024 11:39 AM

    Thanks,

    I do have the RADIUS certificate as part of the trusted root certs for the Intune devices. That was part of the solution for getting my initial Windows 11 systems to connect automatically to the secure WiFi without user intervention. I think it was also what allowed them to connect to the wired network successfully as well.

    The Windows 10 systems are getting them from the same policy, and I see all the certs on the systems.

    Randal




  • 10.  RE: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8

    Posted Feb 23, 2024 11:35 AM

    Thanks Stephane,

    I'll check this out. I remember seeing this before in some of my initial research, but at the time I tried making it communicate on 1.2. Maybe I'll see if it connects if I force it to 1.1.

    Randal




  • 11.  RE: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8

    Posted Feb 23, 2024 01:37 PM

    I enabled RADIUS debug in the logs to see what TLS protocols were being used. Without making any changes it communicates on 1.2, and if I use the registry entry in that article to force it to 1.1 or 1.0 it doesn't make a difference. The errors still seem to point to a CA issue where the Windows 10 devices are unable to resolve the CA but the Windows 11 ones can.




  • 12.  RE: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8

    Posted Feb 26, 2024 07:03 PM

    OK, I have it working, and it turned out the Windows 10 computers needed an extra root cert to be pushed out that the Windows 11 systems didn't seem to need.

    For the Windows 11 computers I added the cert from the CPPM RADIUS server, which was created by our internal CA. I added it to Intune and attached it as a root cert to both our WiFi and wired profiles that I push to our computers. That allowed them to trust our RADIUS server and got rid of the message we saw when they attempted to connect to WiFi.

    The Windows 11 computers weren't able to connect to the wired network but could connect wirelessly when I clicked connect. After the RADIUS cert was added to the profiles they could connect normally both wired and wireless.

    While looking for other people with a similar issue I found another discussion that was similar but got me thinking about our internal CA. I decided to try adding the root cert from the internal CA to the networking profiles as well, and when the Windows 10 devices synced to Intune they were able to connect to the network.

    Hopefully this helps someone in the future with similar issues.