Wireless Access

Good afternoon, community

We are testing certificate based authentication with MS Intune managed W11 clients, and have found that although they successfully authenticate with ClearPass they fail subsequent authentications due to the warning dialog box that pops up on the computer and requires human interaction before it will complete the EAP authentication process. Is there anyone out there who has experience dealing with this type of deployment? I'm fairly positive this is a client issue and thus there isn't much that can be done on ClearPass to fix the client not completing EAP. 

------------------------------
[Matt]
[Director of Infrastructure Services]
------------------------------

You need to provision the supplicant with the proper trust settings so that the correct CA is already specified and the user isn't prompted.

------------------------------
Carson Hulcher, ACEX#110
------------------------------

Original Message:
Sent: 9/16/2025 10:00:00 AM
From: chulcher
Subject: RE: Certificate based authentication with intune managed Windows11 computers

You need to provision the supplicant with the proper trust settings so that the correct CA is already specified and the user isn't prompted.

------------------------------
Carson Hulcher, ACEX#110
------------------------------

Do you have the same RADIUS Server certificate on all of your ClearPass servers, if you have more than one?

Also, the client should be configured to verify the RADIUS server certificate against the Root CA that issued the ClearPass RADIUS/EAP certficate, not the ClearPass EAP certificate itself.

In my experience, if you see this, there is something not set correctly. For a proper configured WPA-Enterprise client, you should never see a prompt for certificates or trust; or maybe the question if the Windows PC should be discoverable, but nothing related to authentication. I agree that it may be hard to find the issue if everything 'looks ok'; but in similar situations in the past, there always was something not set correctly.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Sep 17, 2025 09:25 AM
From: Matt Dillion
Subject: Certificate based authentication with intune managed Windows11 computers

Carson,

That's what I'm thinking as well, unfortunately, based on the configuration settings in Intune the supplicant should be trusting the certificate automatically, We've verified the root CA is installed on the client in the right location and that the Intune profile is referencing the Clearpass RADIUS certificate. Needless to say, this issue is a difficult one to figure out since everything looks correct. 

--

Sincerely,

Matt Dillion
Assistant Director of Infrastructure Services
Christopher Newport University
1 Avenue for the Arts
Newport News, VA  23606
O:  (757) 594-8628
C:  (757) 897-8802
E:  matthew.dillion@cnu.edu

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Please do not forward or include additional people when replying. If you believe that someone not included as a recipient needs to be aware of the information, please send the name of that person to the sender. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

Original Message:
Sent: 9/16/2025 10:00:00 AM
From: chulcher
Subject: RE: Certificate based authentication with intune managed Windows11 computers

You need to provision the supplicant with the proper trust settings so that the correct CA is already specified and the user isn't prompted.

------------------------------
Carson Hulcher, ACEX#110
------------------------------

Herman,

I agree, this situation definitely appears to be a certificate trust issue. I'll get with our systems team and take a another look at their setup in Intune. Hopefully, we can find the misconfiguration! Thanks for the feedback!

------------------------------
[Matt]
[Director of Infrastructure Services]
------------------------------

Original Message:
Sent: Sep 18, 2025 06:07 AM
From: Herman Robers
Subject: Certificate based authentication with intune managed Windows11 computers

Do you have the same RADIUS Server certificate on all of your ClearPass servers, if you have more than one?

Also, the client should be configured to verify the RADIUS server certificate against the Root CA that issued the ClearPass RADIUS/EAP certficate, not the ClearPass EAP certificate itself.

In my experience, if you see this, there is something not set correctly. For a proper configured WPA-Enterprise client, you should never see a prompt for certificates or trust; or maybe the question if the Windows PC should be discoverable, but nothing related to authentication. I agree that it may be hard to find the issue if everything 'looks ok'; but in similar situations in the past, there always was something not set correctly.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------


Original Message:
Sent: Sep 17, 2025 09:25 AM
From: Matt Dillion
Subject: Certificate based authentication with intune managed Windows11 computers

Carson,

That's what I'm thinking as well, unfortunately, based on the configuration settings in Intune the supplicant should be trusting the certificate automatically, We've verified the root CA is installed on the client in the right location and that the Intune profile is referencing the Clearpass RADIUS certificate. Needless to say, this issue is a difficult one to figure out since everything looks correct. 

--

Sincerely,

Matt Dillion
Assistant Director of Infrastructure Services
Christopher Newport University
1 Avenue for the Arts
Newport News, VA  23606
O:  (757) 594-8628
C:  (757) 897-8802
E:  matthew.dillion@cnu.edu

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Please do not forward or include additional people when replying. If you believe that someone not included as a recipient needs to be aware of the information, please send the name of that person to the sender. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

Original Message:
Sent: 9/16/2025 10:00:00 AM
From: chulcher
Subject: RE: Certificate based authentication with intune managed Windows11 computers

You need to provision the supplicant with the proper trust settings so that the correct CA is already specified and the user isn't prompted.

------------------------------
Carson Hulcher, ACEX#110