I 'slightly' disagree, as this is only true if you can guarantee that nobody else can create a server certificate from any of the trusted CAs in your supplicant configuration. Changing the EAP certificate CN will cause issues on many other platforms, and on Windows you can easily push out an update through GPO or Intune/MDM. For me, setting the RADIUS server names is something I have always done, and it has never let me down, except when I mistyped the name, in which case it's even better that the authentication fails.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
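As an added example that is not part of the thread or of Aruba's or Microsoft's own tooling, the script below shows the Windows side of what is described above: changing the "Connect to these servers" list (the ServerNames element in the EAP configuration XML) on an existing Wi-Fi profile without touching anything else in it. The profile name 'Corp-WiFi', the RADIUS names cppm.example.com, cppm1.example.com and cppm2.example.com, and the folder C:\Temp are illustrative assumptions. Run it elevated.

```powershell
# Added example, not code from the thread or from Aruba/Microsoft: push a new
# "Connect to these servers" list into an existing Windows Wi-Fi profile by
# editing the exported EAP XML and re-importing it with netsh. Run elevated.
# Assumptions (illustrative only): profile 'Corp-WiFi', RADIUS names
# cppm.example.com / cppm1.example.com / cppm2.example.com, folder C:\Temp.

$ProfileName = 'Corp-WiFi'
$Folder      = 'C:\Temp'
# Semicolon-separated, exactly as the "Connect to these servers" box expects.
# A typo here makes every client reject the RADIUS server, so pilot it first.
$ServerNames = 'cppm.example.com;cppm1.example.com;cppm2.example.com'

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# 1. Export the current profile. netsh names the file "<Interface>-<Profile>.xml".
netsh wlan export profile name="$ProfileName" folder="$Folder" | Out-Null
$Path = Get-ChildItem -Path $Folder -Filter "*-$ProfileName.xml" |
        Select-Object -First 1 -ExpandProperty FullName
if (-not $Path) { throw "Export of profile '$ProfileName' failed" }

# 2. Locate ServerValidation in the EAP method's own namespace.
#    EAP-TLS (type 13) and PEAP (type 25) use different namespaces.
[xml]$Xml = Get-Content -Path $Path -Raw
$Ns = New-Object System.Xml.XmlNamespaceManager($Xml.NameTable)
$Ns.AddNamespace('tls',  'http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1')
$Ns.AddNamespace('peap', 'http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1')

$Validation = $Xml.SelectSingleNode('//tls:ServerValidation', $Ns)
if (-not $Validation) { $Validation = $Xml.SelectSingleNode('//peap:ServerValidation', $Ns) }
if (-not $Validation) { throw "No ServerValidation element found; is this an EAP-TLS or PEAP profile?" }

# 3. Set ServerNames, creating it in schema order (after DisableUserPrompt..., before TrustedRootCA)
#    if the exported profile did not carry one.
$Names = $Validation.SelectSingleNode('*[local-name()="ServerNames"]')
if (-not $Names) {
    $Names  = $Xml.CreateElement('ServerNames', $Validation.NamespaceURI)
    $Anchor = $Validation.SelectSingleNode('*[local-name()="TrustedRootCA"]')
    if ($Anchor) { $Validation.InsertBefore($Names, $Anchor) | Out-Null }
    else         { $Validation.AppendChild($Names) | Out-Null }
}
$Names.InnerText = $ServerNames
$Xml.Save($Path)

# 4. Re-import for all users (this replaces the existing profile) and confirm
#    the change took effect by exporting it again and reading ServerNames back.
netsh wlan add profile filename="$Path" user=all
netsh wlan export profile name="$ProfileName" folder="$Folder" | Out-Null
$Check   = [xml](Get-Content -Path $Path -Raw)
$Applied = $Check.SelectSingleNode('//*[local-name()="ServerNames"]').InnerText
if ($Applied -ne $ServerNames) { throw "ServerNames not applied (found '$Applied')" }
"ServerNames now: $Applied"
```

The names in the list have to be ones the RADIUS server certificate actually carries, so check the certificate's subject and SAN entries before rolling the change out; as noted above, a mistyped name simply makes authentication fail on every client that receives it. The same EapHostConfig XML is what a wireless GPO or an Intune Wi-Fi profile delivers, so once the edited XML works on a pilot machine it can be pushed the same way.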
Original Message:
Sent: Nov 29, 2023 02:17 PM
From: ahollifield
Subject: Windows 10 and 11 TLS Differences?
Yeah, it's not required; it's a "slight" security measure, but it makes things like adding/changing RADIUS servers/DNS names really unnecessarily complex.
Original Message:
Sent: Nov 29, 2023 01:53 PM
From: JLester
Subject: Windows 10 and 11 TLS Differences?
That's my misunderstanding then, I thought you had to put something there. I'm going to test without it. Thanks!
Original Message:
Sent: Nov 29, 2023 01:15 PM
From: ahollifield
Subject: Windows 10 and 11 TLS Differences?
Maybe Windows 11 is looking at the SAN field and seeing the VIP IP? Typically I don't recommend configuring "connect only to these servers"; what is your use case for this? IMHO certificate trust should handle that piece.
Original Message:
Sent: Nov 29, 2023 12:50 PM
From: JLester
Subject: Windows 10 and 11 TLS Differences?
As far as I can tell, we're in compliance. The cert has the FQDN of the VIP and both cluster members, as well as the VIP and the IPs of each cluster member. On the GPO, I went in and added both the FQDN and the VIP IP in the "Connect to these servers" box. That seems to fix it, but I'm still stumped why there's a difference between the OS types.
Original Message:
Sent: Nov 29, 2023 11:03 AM
From: ahollifield
Subject: Windows 10 and 11 TLS Differences?
Are you in compliance with the link I shared? Is the VIP IP in the certificate SAN field? Where exactly are you seeing the VIP and not the IP? Within a certificate warning on the PC?
Original Message:
Sent: Nov 29, 2023 10:41 AM
From: JLester
Subject: Windows 10 and 11 TLS Differences?
Definitely want to leave that on, but I don't understand why Windows 10 sees the cert coming from FQDN and Windows 11 sees the cert coming from the VIP?
Original Message:
Sent: Nov 29, 2023 10:21 AM
From: ahollifield
Subject: Windows 10 and 11 TLS Differences?
Always use certificate validation, never disable this; you will open yourself up to MITM attacks.
https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes
Original Message:
Sent: Nov 29, 2023 09:54 AM
From: JLester
Subject: Windows 10 and 11 TLS Differences?
We're trying to migrate from EAP-PEAP/MSCHAP to either EAP-TLS or TEAP. In my test environment, I'm trying to get my GPO working for both Windows 10 and Windows 11 computers. The issue I'm seeing is that if a Windows 10 computer connects, it shows the certificate with the ClearPass FQDN. If a Windows 11 computer connects, it shows the certificate with the VIP IP address instead of the FQDN. If I have certificate validation turned on, I can only get it to work for one of the OSes. Has anyone run into this?