  • 1.  Clearpass: Windows 11 24H2 auth fail Error Code: 216

    Posted Dec 03, 2024 04:53 AM

    Hi,

    We have CPPM 6.11.9 and we are experiencing 802.1X authentication issues with new PCs running Windows 11 update 24H2.
    For newly installed PCs with this OS version, authentication fails. PCs that had previous versions and have been updated to the same version, however, authenticate without problems.

    We tried the same user on different devices; it fails to authenticate only on new installations with 24H2. We compared group policy and registry settings between a PC that authenticates and one that does not, and we can't find any differences. The ClearPass service has not been modified.

    Anyone else have the same problem?
    Has anyone solved it?




    ------------------------------
    carabina5
    ------------------------------


  • 2.  RE: Clearpass: Windows 11 24H2 auth fail Error Code: 216

    Posted Dec 03, 2024 08:12 AM

    Why are you using MS-CHAPv2? That uses broken MD4 encryption. You should migrate to certificate-based EAP methods instead. Is Credential Guard enabled on those Windows 11 machines?




  • 3.  RE: Clearpass: Windows 11 24H2 auth fail Error Code: 216

    Posted Dec 03, 2024 08:20 AM

    Credential Guard is disabled.
    We should migrate to EAP-TLS, but we need to make some changes first; it is not a snap...

    At the moment we would like to mitigate this behaviour, which happens only for new OS installations done directly on 24H2. Something has changed in the OS config that we cannot find.

    PCs at the same OS patch level that were upgraded (not a fresh install) are working.

    Thanks



    ------------------------------
    carabina5
    ------------------------------



  • 4.  RE: Clearpass: Windows 11 24H2 auth fail Error Code: 216

    Posted Dec 03, 2024 10:03 AM
    Edited by chulcher Dec 03, 2024 10:07 AM

    Open a case with TAC to troubleshoot; that error message you are receiving isn't normal operation.

    Also check "EAP - What's changed in Windows 11"; you might be running afoul of the new certificate validation check.


    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Clearpass: Windows 11 24H2 auth fail Error Code: 216

    Posted Dec 03, 2024 10:11 AM

    Already done; the answer is:

    "From the case description, I understand that you are facing issues with the Aruba ClearPass after updating your Windows 11 machines with 24H2.

    ClearPass is only the receiving end of the authentication process. Since you confirmed that the services have not been modified, it's safe to assume that the update caused the issue on the Windows 11 machine.

    I found some articles that could help you troubleshoot this issue from the Windows end:

    Please reach out to Microsoft support team for more in-depth support."

    I checked the link; it is about the previous Win11 patches, and that is already done.

    This answer was made without any check, just reading the description of the opened case...

    I'm thinking about moving to EAP-TLS, but it is a change in the config and I need to verify the implications for the customer.

    Thanks



    ------------------------------
    carabina5
    ------------------------------



  • 6.  RE: Clearpass: Windows 11 24H2 auth fail Error Code: 216

    Posted Dec 04, 2024 07:08 AM
    Verify whether Credential Guard is enabled in Windows; to be able to work with MSCHAPv2 it must be disabled. Also check these registry entries in Windows; they must not exist.

    Here is a document with 3 types that should be checked, whether it is coming via GP or Intune integration.



    Configure Credential Guard | Microsoft Learn
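
The Credential Guard check suggested in this thread can be scripted and run on both a fresh 24H2 install and an upgraded PC, so the configured and running states can be compared side by side. This is an added example, not part of any post above; it reads the Win32_DeviceGuard CIM class, the function name Get-CredentialGuardState is hypothetical, and the two sample objects at the end are constructed.

```powershell
# Added example: summarise Credential Guard state from Win32_DeviceGuard.
# Get-CredentialGuardState is a hypothetical helper name, not a built-in cmdlet.
function Get-CredentialGuardState {
    param(
        [string]$Label = $env:COMPUTERNAME,
        # Object exposing the Win32_DeviceGuard properties; queried live when omitted.
        $DeviceGuard = $null
    )
    if ($null -eq $DeviceGuard) {
        $DeviceGuard = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace 'root\Microsoft\Windows\DeviceGuard'
    }
    # VirtualizationBasedSecurityStatus: 0, 1 or 2.
    $vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    # In both SecurityServices* arrays the value 1 stands for Credential Guard.
    $configured = @($DeviceGuard.SecurityServicesConfigured) -contains 1
    $running    = @($DeviceGuard.SecurityServicesRunning) -contains 1
    [pscustomobject]@{
        Machine                   = $Label
        VbsStatus                 = $vbsText[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured = $configured
        CredentialGuardRunning    = $running
    }
}

# Constructed sample data standing in for two PCs (not taken from the thread).
$freshInstall = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2
    SecurityServicesConfigured        = @(1, 2)
    SecurityServicesRunning           = @(1, 2)
}
$upgradedPc = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 0
    SecurityServicesConfigured        = @(0)
    SecurityServicesRunning           = @(0)
}

@(
    Get-CredentialGuardState -Label 'fresh-24H2 (sample)' -DeviceGuard $freshInstall
    Get-CredentialGuardState -Label 'upgraded (sample)'   -DeviceGuard $upgradedPc
) | Format-Table -AutoSize

# On a real PC, call it with no -DeviceGuard argument to query the local machine:
# Get-CredentialGuardState
```

A difference in the CredentialGuardRunning column between the failing and the working PC points at the setting the posts above ask about.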