Ok I have it working and it turned out the Windows 10 computers needed an extra Root Cert to be pushed out that the Windows 11 systems didn't seem to need.
For the Windows 11 computers I added the cert from the CPPM Radius server which was created by our internal CA. I added it to Intune and attached it as a Root cert to both our WiFi and Wired profiles that I push to our computers. That allowed them to trust our Radius server and got rid of the message we saw when they attempted to connect to WiFi.
The Windows 11 computers weren't able to connect to the Wired network but could connect Wireless when I clicked connect. After the Radius cert was added to the profiles they could connect normally both wired and wireless.
While looking for other people with a similar issue I found another discussion that was similar but got me thinking about our internal CA. I decided to try adding the Root cert from the Internal CA to the Networking profiles as well and when the Windows 10 devices synced to Intune they were able to connect to the network.
Hopefully this helps someone in the future with similar issues.
Original Message:
Sent: Feb 23, 2024 01:36 PM
From: RandalPruss
Subject: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8
I enabled Radius Debug in the logs to see what TLS protocols were being used. Without making any changes it communicates on 1.2, and if I use the Registry entry in that article to force it to 1.1 or 1.0 it doesn't make a difference. The errors still seem to point to a CA issue where the Windows 10 devices are unable to resolve the CA but the Windows 11 ones can.
Original Message:
Sent: Feb 23, 2024 11:34 AM
From: RandalPruss
Subject: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8
Thanks Stephane,
I'll check this out. I remember seeing this before in some of my initial research, but at the time I tried making it communicate on 1.2. Maybe I'll see if I force it to 1.1 if it connects.
Randal
Original Message:
Sent: Feb 23, 2024 03:11 AM
From: Stéphane LALARDIE
Subject: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8
Hi,
Could it be linked to this Win 10 bug in TLS 1.2?
https://support.microsoft.com/en-us/topic/windows-10-devices-can-t-connect-to-an-802-1x-environment-179ef277-e6ef-8ea3-cb0e-11a6b80fa955
------------------------------
StephaneLALARDIE
Original Message:
Sent: Feb 22, 2024 07:48 PM
From: RandalPruss
Subject: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8
Ok that's a possibility. Looks like 1.0 and 1.1 are not disabled and it's hard to see in the Access tracker what TLS version is used by the failing computers, but in the error above it does say tlsv1 alert unknown ca which might be indicating 1.0 but it's hard to know for sure. I don't see any other indication of TLS version in the logs.
I checked the logs of computers that can connect in the access tracker and I don't see TLS version mentioned for them.
I'll do some testing in the morning. I may have to wait for our outage to disable those and make sure it doesn't cause issues for other devices. I may be able to force the Windows 10 computer to not use 1.0 or 1.1 which I'll try first tomorrow.
If that fixes it I'll update here.
Thanks
Original Message:
Sent: Feb 22, 2024 06:23 PM
From: ariyap
Subject: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8
Ok, have you disabled TLS1.0 and TLSv1.1 on ClearPass? It's under Administration > Server Configuration > Cluster-wide Parameters > General.
Also check in access tracker, you should be able to see what TLS version the client is using.
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Feb 22, 2024 05:28 PM
From: RandalPruss
Subject: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8
Thanks Ariya,
Yes that has been done.
Randal
Original Message:
Sent: Feb 22, 2024 05:02 PM
From: ariyap
Subject: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8
You need to upload and trust the certificate for the root CA that signed those user/device certificates in ClearPass.
Has that been done?
Original Message:
Sent: Feb 22, 2024 04:08 PM
From: RandalPruss
Subject: Intune enrolled Windows 10 devices having trouble with ClearPass 6.10.8
We're in the midst of migrating from on prem device management to Intune Managed for our organization.
We have new OOB Win 11 laptops which when deployed with Autopilot are able to connect to the secure WiFi and the Wired network through ClearPass without issue.
When I try taking one of our existing Windows 10 laptops, which while domain joined have no issues with ClearPass, and reset them and enroll them through Intune they have trouble connecting either through our Secure WiFi or via Wired connection.
The errors seem to point to Certificate Authority issues but all of the certificates pushed through Intune are on the devices and if I upgrade them to Windows 11 the issue seems to go away.
In the logs for the connection attempts I see this group of errors on either WiFi or Wired attempts.
ERROR RadiusServer.Radius - TLS Alert read:fatal:unknown CA
ERROR RadiusServer.Radius - TLS_accept:failed in error
ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed
Wondering if anyone else has seen this and knows what the issue could be?
Randal
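
An added example, not part of the original posts: a small Python parser for the RADIUS log lines quoted above that reports which side sent the TLS alert and what to check as a result. It assumes the FreeRADIUS-style convention that `read` means the alert was received from the peer, and the pre-3.0 OpenSSL error-code packing; the function names and advice strings are hypothetical.

```python
import re

# The four log lines quoted in the post, embedded as sample input.
SAMPLE_LOG = """\
ERROR RadiusServer.Radius - TLS Alert read:fatal:unknown CA
ERROR RadiusServer.Radius - TLS_accept:failed in error
ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed
"""

ALERT_RE = re.compile(r"TLS Alert (read|write):(fatal|warning):(.+)")
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
ALERT_OFFSET = 1000  # OpenSSL reports a received alert N as reason 1000 + N

# Assumption: "read" = alert received by the RADIUS server, i.e. sent by the client.
ADVICE = {
    "read": ("client", "client rejected the RADIUS server certificate; "
             "check the trusted roots deployed to the client"),
    "write": ("server", "server rejected the client certificate; "
              "check the server's trust list"),
}

def decode_openssl_error(code_hex):
    """Unpack a pre-3.0 OpenSSL error code into (library, function, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def diagnose(log_text):
    """Return who sent the TLS alert, its number if logged, and what to check."""
    result = {"sender": None, "alert_text": None, "alert_number": None, "check": None}
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            result["sender"], result["check"] = ADVICE[m.group(1)]
            result["alert_text"] = m.group(3).strip()
        e = ERR_RE.search(line)
        if e:
            _, _, reason = decode_openssl_error(e.group(1))
            if reason > ALERT_OFFSET:
                result["alert_number"] = reason - ALERT_OFFSET  # 48 = unknown_ca
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

The `tlsv1 alert` prefix in the OpenSSL reason string is the naming OpenSSL uses for alerts defined from TLS 1.0 onward, so on its own it does not identify the negotiated protocol version.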