Security

 View Only
last person joined: 2 days ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Windows 11 22h2 & 23h2 Authenticating

This thread has been viewed 59 times
  • 1.  Windows 11 22h2 & 23h2 Authenticating

    Posted Nov 30, 2023 05:42 PM

    Hello,

    I have come across a situation where windows recently updated and within the Windows 11 22h2 & 23h2 latest update. There is authentication EAP-TLS 1.3 which is on by default, from my gathering currently. I on the other hand also know that ClearPass cannot authenticate devices yet with EAP-TLS 1.3. Is there any way to bypass this and allow ClearPass to authenticate devices again? Anything helps, thanks.



  • 2.  RE: Windows 11 22h2 & 23h2 Authenticating

    Posted Nov 30, 2023 07:59 PM

    The devices should fail back to TLS 1.2 though.   Is there a GPO or some other mechanism that is enforcing TLS 1.3 for EAP?  What EAP type are you using?  




  • 3.  RE: Windows 11 22h2 & 23h2 Authenticating

    Posted Dec 01, 2023 08:20 AM

    EAP-TLS 1.2 and 1.3 are currently both on for any device. Is there anything to check to make sure that it is supposed to fall back, that I have mis checked?  The EAP types are in use TLS and PEAP.




  • 4.  RE: Windows 11 22h2 & 23h2 Authenticating

    Posted Dec 01, 2023 08:27 AM
    Are both failing? Do you have credential guard disabled? Without credential guard disabled via registry, PEAP will not work on Windows 11. You should migrate to certificate based authentication methods




  • 5.  RE: Windows 11 22h2 & 23h2 Authenticating

    Posted Dec 01, 2023 08:50 AM

    I currently am still learning this whole process; I do not know how to tell if both are failing. But ClearPass used to have all the information in it right away. Now it takes a few hours for ClearPass to see the device, then it takes a few hours for the device to get all the attributes except one(the domain = true). Credential guard I will double check on. Thanks.




  • 6.  RE: Windows 11 22h2 & 23h2 Authenticating

    MVP
    Posted Dec 12, 2023 11:04 AM

    The lastes ClearPass 6.11 patches permit you to turn off the problematic encryption. Bad TPM firmware corrupts the stored certificates



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------