Wireless Access

Hi,

we're using certificates to authenticate to our corporate wifi network.  All went fine using Windows 10.  I'm getting reports that there are authentication failures when using Windows 11.  Had a look at such a host today.  And indeed : 

Aug 5 05:40:57 rad-acct-int-update -> 64:bc:58:8a:29:6a 18:64:72:cb:82:d0/wifi-be-di-003 - -
Aug 5 05:51:03 rad-acct-int-update -> 64:bc:58:8a:29:6a 18:64:72:cb:82:d0/wifi-be-di-003 - -
Aug 5 05:59:16 station-down * 64:bc:58:8a:29:6a 18:64:72:cb:82:d0 - -
Aug 5 05:59:19 rad-acct-stop -> 64:bc:58:8a:29:6a 18:64:72:cb:82:d0/wifi-be-di-003 - -
Aug 5 05:59:19 station-up * 64:bc:58:8a:29:6a 18:64:72:cb:82:d4 - - wpa2 aes
Aug 5 05:59:19 station-term-start * 64:bc:58:8a:29:6a 18:64:72:cb:82:d4 1 -
Aug 5 05:59:19 eap-term-start -> 64:bc:58:8a:29:6a 18:64:72:cb:82:d4/auth-dv-authenticated-cert - -
Aug 5 05:59:19 station-term-start * 64:bc:58:8a:29:6a 18:64:72:cb:82:d4 1 -
Aug 5 05:59:19 station-term-end * 64:bc:58:8a:29:6a 18:64:72:cb:82:d4/auth-dv-authenticated-cert 1 - failure
Aug 5 05:59:19 eap-failure <- 64:bc:58:8a:29:6a 18:64:72:cb:82:d4/auth-dv-authenticated-cert - 4

Haven't got all the bits and pieces yet but it seems the issue only happens on a site where the authentication is against a root certificate which is installed on the Aruba controller itself.  Can't find anything wrong though.  Been searching a little bit and only thing i could find is that servernames in Windows 11 are case sensitive, particularly when using them in an Windows nps config.  No nps config here though. Config of the wifi does happens through a gpo.

Anyone encountered already something similar using Windows 11?

Is that the only device with issues?  The best advice would be to avoid EAP-Termination on an Aruba Controller because the failures and  diagnostic logging are not as robust as that on an NPS server.  In addition, EAP-Termination has not been changed in years, so it has not been tested on Windows 11 rigorously, so I would consider using an external Radius Server moving forward.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Aug 05, 2022 08:54 AM
From: Peter Nobels
Subject: Windows 11 authentication failure

Hi,

we're using certificates to authenticate to our corporate wifi network.  All went fine using Windows 10.  I'm getting reports that there are authentication failures when using Windows 11.  Had a look at such a host today.  And indeed : 

Aug 5 05:40:57 rad-acct-int-update -> 64:bc:58:8a:29:6a 18:64:72:cb:82:d0/wifi-be-di-003 - -
Aug 5 05:51:03 rad-acct-int-update -> 64:bc:58:8a:29:6a 18:64:72:cb:82:d0/wifi-be-di-003 - -
Aug 5 05:59:16 station-down * 64:bc:58:8a:29:6a 18:64:72:cb:82:d0 - -
Aug 5 05:59:19 rad-acct-stop -> 64:bc:58:8a:29:6a 18:64:72:cb:82:d0/wifi-be-di-003 - -
Aug 5 05:59:19 station-up * 64:bc:58:8a:29:6a 18:64:72:cb:82:d4 - - wpa2 aes
Aug 5 05:59:19 station-term-start * 64:bc:58:8a:29:6a 18:64:72:cb:82:d4 1 -
Aug 5 05:59:19 eap-term-start -> 64:bc:58:8a:29:6a 18:64:72:cb:82:d4/auth-dv-authenticated-cert - -
Aug 5 05:59:19 station-term-start * 64:bc:58:8a:29:6a 18:64:72:cb:82:d4 1 -
Aug 5 05:59:19 station-term-end * 64:bc:58:8a:29:6a 18:64:72:cb:82:d4/auth-dv-authenticated-cert 1 - failure
Aug 5 05:59:19 eap-failure <- 64:bc:58:8a:29:6a 18:64:72:cb:82:d4/auth-dv-authenticated-cert - 4

Haven't got all the bits and pieces yet but it seems the issue only happens on a site where the authentication is against a root certificate which is installed on the Aruba controller itself.  Can't find anything wrong though.  Been searching a little bit and only thing i could find is that servernames in Windows 11 are case sensitive, particularly when using them in an Windows nps config.  No nps config here though. Config of the wifi does happens through a gpo.

Anyone encountered already something similar using Windows 11?