Security

  • 1.  Windows 10 and 11 TLS Differences?

    Posted Nov 29, 2023 09:55 AM

    We're trying to migrate from EAP-PEAP/MSCHAP to either EAP-TLS or TEAP. In my test environment, I'm trying to get my GPO working for both Windows 10 and Windows 11 computers. The issue I'm seeing is that if a Windows 10 computer connects, it shows the certificate with the ClearPass FQDN. If a Windows 11 computer connects, it shows the certificate with the VIP IP address instead of the FQDN. If I have certificate validation turned on, I can only get it to work for one of the OSes. Has anyone run into this?



  • 2.  RE: Windows 10 and 11 TLS Differences?

    Posted Nov 29, 2023 10:22 AM

    Always use certificate validation, never disable this; you will open yourself up to MITM attacks.  

    https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes




  • 3.  RE: Windows 10 and 11 TLS Differences?

    Posted Nov 29, 2023 10:42 AM

    Definitely want to leave that on, but I don't understand why Windows 10 sees the cert coming from FQDN and Windows 11 sees the cert coming from the VIP?




  • 4.  RE: Windows 10 and 11 TLS Differences?

    Posted Nov 29, 2023 11:03 AM

    Are you in compliance with the link I shared?  Is the VIP IP in the certificate SAN field?  Where exactly are you seeing the VIP and not the IP?  Within a certificate warning on the PC?




  • 5.  RE: Windows 10 and 11 TLS Differences?

    Posted Nov 29, 2023 12:51 PM

    As far as I can tell, we're in compliance.  The cert has the FQDN of VIP and both cluster members as well as the VIP and IPs of each cluster member.  On the GPO, I went in and added both FQDN and VIP IP in the "Connect to these servers" box.  That seems to fix it, but I'm still stumped why there's a difference between the OS types.




  • 6.  RE: Windows 10 and 11 TLS Differences?

    Posted Nov 29, 2023 01:15 PM

    Maybe Windows 11 is looking at the SAN field and seeing the VIP IP? Typically I don't recommend configuring "connect only to these servers"; what is your use-case for this? IMHO certificate trust should handle that piece.




  • 7.  RE: Windows 10 and 11 TLS Differences?

    Posted Nov 29, 2023 01:54 PM

    That's my misunderstanding then, I thought you had to put something there.  I'm going to test without it.  Thanks!




  • 8.  RE: Windows 10 and 11 TLS Differences?

    Posted Nov 29, 2023 02:17 PM

    Yeah, it's not required; it's a "slight" security measure, but it makes things like adding/changing RADIUS servers/DNS names really unnecessarily complex.




  • 9.  RE: Windows 10 and 11 TLS Differences?

    Posted Dec 05, 2023 11:47 AM

    I 'slightly' disagree as this is only true if you can guarantee that nobody else can create a server certificate from any of the trusted CAs in your supplicant configuration. Changing the EAP certificate CN will cause issues on many other platforms, and on Windows you can easily push out an update through GPO or Intune/MDM. For me setting the RADIUS server names is something I have always done, and never let me go, except when I mistyped the name in which case it's even better that the authentication fails.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 10.  RE: Windows 10 and 11 TLS Differences?

    Posted Dec 05, 2023 11:41 AM
    Edited by Herman Robers Dec 05, 2023 11:56 AM

    What does your certificate look like? Which CA issued it? Public? Private? And do you have the same certificate installed on each of your ClearPass servers?

    If you didn't get a proper certificate, it may be that Windows 10 shows the CN and Windows 11 shows the first SAN. Following the certificate standards you should have the CN also as the first SAN.

    You should not be seeing any certificate if you have your clients properly configured (Group Policy/MDM).



    ------------------------------
    Herman Robers
    ------------------------------
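The point in the reply above (Windows 10 displaying the Subject CN while Windows 11 displays the first SAN, so the CN should also be the first SAN) can be checked mechanically before a certificate is installed on a RADIUS server. The following is an added example written for this thread, not code from the forum or from ClearPass; it reads the SAN extension in wire order with Go's standard library and builds a constructed self-signed test certificate (the names and addresses are made up) to exercise the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"net"
	"time"
)

// firstSAN returns the first GeneralName of subjectAltName in on-the-wire order
// (dNSName tag 2, iPAddress tag 7); Go's parsed DNSNames/IPAddresses lose that order.
func firstSAN(cert *x509.Certificate) string {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 17}) { // id-ce-subjectAltName
			var seq, gn asn1.RawValue
			asn1.Unmarshal(ext.Value, &seq) // SEQUENCE OF GeneralName
			asn1.Unmarshal(seq.Bytes, &gn)  // first GeneralName; on error gn.Tag stays 0
			switch gn.Tag {
			case 2:
				return string(gn.Bytes)
			case 7:
				return net.IP(gn.Bytes).String()
			}
		}
	}
	return ""
}

// cnIsFirstSAN: the CN (shown by Windows 10) must equal the first SAN (shown by Windows 11).
func cnIsFirstSAN(cert *x509.Certificate) bool {
	first := firstSAN(cert)
	return first != "" && first == cert.Subject.CommonName
}

// selfSigned builds a constructed throwaway certificate (not a ClearPass cert);
// Go emits DNS SANs before IP SANs, so dns[0] becomes the first SAN.
func selfSigned(cn string, dns []string, ips []net.IP) *x509.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		DNSNames: dns, IPAddresses: ips,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

To check a real certificate, load it with x509.ParseCertificate and pass it to cnIsFirstSAN; a result of false means the two Windows versions will display different server names for the same certificate.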