Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Windows 10 EAP-TLS Profile from Intune Issue

  • 1.  Windows 10 EAP-TLS Profile from Intune Issue

    Posted Jul 25, 2022 12:21 PM
    I am having an odd issue. I have a wired and wireless profile being pushed to machines from Microsoft Intune; on Windows 11 machines it works without issue, but it will not connect Windows 10 machines. If I create the connection manually and tell the connection not to verify the server's identity by validating the certificate the first time the system is connected, it connects, and if I then change the setting to verify afterwards, the system will connect every additional time without issue. This only happens on Windows 10 machines, and I can see in the Access Tracker that on that first attempt with the validation turned on, the attempt does not show the certificate on the Input tab under Computed Attributes. Any ideas on why this could be happening?


  • 2.  RE: Windows 10 EAP-TLS Profile from Intune Issue

    Posted Aug 04, 2022 03:01 AM
    Have you nominated any CAs to trust for the server validation step?

    Is the client configured not to prompt the user to trust new server certificates? If yes, the client will fail silently if the cert is not from the designated root CA.



  • 3.  RE: Windows 10 EAP-TLS Profile from Intune Issue

    Posted Aug 04, 2022 12:18 PM
    If I server validate on the initial connection, then the connection fails, but if I do not do server validation on the initial connection, it connects. After I have connected without server validation the first time, if I go back and add server validation, then the connection works without issue from then on.

    ------------------------------
    ChrisSunderland
    ------------------------------



  • 4.  RE: Windows 10 EAP-TLS Profile from Intune Issue

    EMPLOYEE
    Posted Aug 08, 2022 08:02 AM
    It might be (assumption) that if you click 'connect anyways' the first time, Windows caches the certificates.

    I would very carefully validate the certificates and server name setting, as there must be something wrong. Aruba Support may be able to collect the relevant supplicant logging to find what is going on, or if you have access to Microsoft support you may ask them if they know what is going on here. It's also weird because Windows 11 works out of the box, so configuration must be (nearly) good.

    Is your EAP certificate following the best practices, like from a private CA, no wildcard, all ClearPass nodes share the same RADIUS certificate?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Windows 10 EAP-TLS Profile from Intune Issue
    Best Answer

    Posted Aug 10, 2022 01:11 PM
    I worked out the issue. It turned out to be something wonky on the certificate issued by GoDaddy; I got the certificate rekeyed and rebuilt, and this resolved the issue. Thanks for all the input.

    ------------------------------
    ChrisSunderland
    ------------------------------



  • 6.  RE: Windows 10 EAP-TLS Profile from Intune Issue

    Posted Aug 15, 2022 01:49 PM

    Hey, do you still have this issue or have you solved it?





  • 7.  RE: Windows 10 EAP-TLS Profile from Intune Issue

    Posted Aug 26, 2022 12:50 PM
    I solved the issue; it was a problem with the certificate issued by GoDaddy. I had the certificate rekeyed and re-imported, and this resolved the issue. Strangely enough, I am surprised to see that the certificate issues only happened on Windows 10 and not on Windows 11. It leads me to question the security practices of the newest version of Windows.

    ------------------------------
    ChrisSunderland
    ------------------------------



  • 8.  RE: Windows 10 EAP-TLS Profile from Intune Issue

    EMPLOYEE
    Posted Aug 29, 2022 04:44 AM
    If you still have the old and new certificate, you may do a compare field by field to see the differences.

    BTW, the recommendation is to use a private CA to issue your EAP Server Certificate instead of a public one. There are some challenges around renewal where the same public RootCA may not be available, and you may be forced to switch RootCA and touch all of your clients if they are not managed.

    ------------------------------
    Herman Robers
    ------------------------------
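
The field-by-field comparison suggested in post 8, as an added example that is not part of the thread or any participant's code. The function names and `radius.example.test` are hypothetical, and the two certificates are constructed in memory so the script runs offline; their differences are for illustration and are not a diagnosis of the certificate discussed above.

```powershell
# Added example: field-by-field diff of two X.509 certificates.
# Assumes PowerShell 5.1+ on .NET Framework 4.7.2+ (or PowerShell 7).
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-CertFieldMap([X509Certificate2]$Cert) {
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($Cert)  # $null for non-RSA keys
    $map = [ordered]@{
        Subject            = $Cert.Subject
        Issuer             = $Cert.Issuer
        SerialNumber       = $Cert.SerialNumber
        NotBefore          = $Cert.NotBefore.ToUniversalTime().ToString('u')
        NotAfter           = $Cert.NotAfter.ToUniversalTime().ToString('u')
        SignatureAlgorithm = $Cert.SignatureAlgorithm.FriendlyName
        PublicKeyAlgorithm = $Cert.PublicKey.Oid.FriendlyName
        PublicKeyBits      = if ($rsa) { $rsa.KeySize } else { 'n/a (non-RSA)' }
    }
    foreach ($ext in $Cert.Extensions) {   # one entry per extension, keyed by OID
        $map["Ext $($ext.Oid.Value)"] = "critical=$($ext.Critical); $($ext.Format($false))"
    }
    $map
}

function Compare-CertFields([X509Certificate2]$Old, [X509Certificate2]$New) {
    $a = Get-CertFieldMap $Old; $b = Get-CertFieldMap $New
    $names = @($a.Keys) + @($b.Keys) | Select-Object -Unique
    foreach ($n in $names) {               # emit only fields that differ or are missing
        if ("$($a[$n])" -cne "$($b[$n])") {
            [pscustomobject]@{ Field = $n; Old = $a[$n]; New = $b[$n] }
        }
    }
}

# Constructed sample input: self-signed certs that differ in key size and EKU.
function New-SampleCert([int]$Bits, [bool]$ServerAuthEku) {
    $req = [CertificateRequest]::new('CN=radius.example.test', [RSA]::Create($Bits),
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $san = [SubjectAlternativeNameBuilder]::new()
    $san.AddDnsName('radius.example.test')
    $req.CertificateExtensions.Add($san.Build())
    if ($ServerAuthEku) {
        $oids = [OidCollection]::new()
        [void]$oids.Add([Oid]::new('1.3.6.1.5.5.7.3.1'))   # id-kp-serverAuth
        $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    }
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(30))
}

# For real files, pass [X509Certificate2]::new('<path to old .cer>') and the new one instead.
Compare-CertFields (New-SampleCert 2048 $false) (New-SampleCert 3072 $true) | Format-List
```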