Security

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

Case match?  Newer versions of Windows 11 are now case sensitive (or soon will be, I can't remember the timing)

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

Thanks for the reply.

the only area where the case would be an issue is in the 'connect to these servers' in the group policy wireless settings and I have this in the correct case that matches the Clearpass server certificate. 

Case match?  Newer versions of Windows 11 are now case sensitive (or soon will be, I can't remember the timing)

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA
--------------------
------------------------------

Thanks for the reply.

the only area where the case would be an issue is in the 'connect to these servers' in the group policy wireless settings and I have this in the correct case that matches the Clearpass server certificate. 

Case match?  Newer versions of Windows 11 are now case sensitive (or soon will be, I can't remember the timing)

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA
--------------------
------------------------------

Hi ssmith,

Windows 11 wants the IP address, and Windows 10 wants the DNS name.

So you could add both servers.

IP;DNS

Thanks for the reply.

the only area where the case would be an issue is in the 'connect to these servers' in the group policy wireless settings and I have this in the correct case that matches the Clearpass server certificate. 

Case match?  Newer versions of Windows 11 are now case sensitive (or soon will be, I can't remember the timing)

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA
--------------------
------------------------------

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

A few more details:

For both user and computer the same error is in the logs: ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied

The ClearPass cert contains the common name in the SAN:

The GPO Settings look like this, where crucial.CRUCIAL-DC.CA is the cert authority. There are two instances in the list. If I click both it makes no difference and when I close the details and open them again only one is ticked. The case and spelling of the CPPM server is correct and this address is registered in DNS

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

A few more details:

For both user and computer the same error is in the logs: ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied

The ClearPass cert contains the common name in the SAN:

The GPO Settings look like this, where crucial.CRUCIAL-DC.CA is the cert authority. There are two instances in the list. If I click both it makes no difference and when I close the details and open them again only one is ticked. The case and spelling of the CPPM server is correct and this address is registered in DNS

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

OK, changing to lowercase does not work, but removing the tick does! I find it really strange that enabling the tick works for Windows 10 but not Windows 11.

Anyway, many thanks for this 

A few more details:

For both user and computer the same error is in the logs: ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied

The ClearPass cert contains the common name in the SAN:

The GPO Settings look like this, where crucial.CRUCIAL-DC.CA is the cert authority. There are two instances in the list. If I click both it makes no difference and when I close the details and open them again only one is ticked. The case and spelling of the CPPM server is correct and this address is registered in DNS

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA
--------------------
------------------------------

OK, changing to lowercase does not work, but removing the tick does! I find it really strange that enabling the tick works for Windows 10 but not Windows 11.

Anyway, many thanks for this 

A few more details:

For both user and computer the same error is in the logs: ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied

The ClearPass cert contains the common name in the SAN:

The GPO Settings look like this, where crucial.CRUCIAL-DC.CA is the cert authority. There are two instances in the list. If I click both it makes no difference and when I close the details and open them again only one is ticked. The case and spelling of the CPPM server is correct and this address is registered in DNS

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA
--------------------
------------------------------

A few more details:

For both user and computer the same error is in the logs: ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied

The ClearPass cert contains the common name in the SAN:

The GPO Settings look like this, where crucial.CRUCIAL-DC.CA is the cert authority. There are two instances in the list. If I click both it makes no difference and when I close the details and open them again only one is ticked. The case and spelling of the CPPM server is correct and this address is registered in DNS

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

A few more details:

For both user and computer the same error is in the logs: ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied

The ClearPass cert contains the common name in the SAN:

The GPO Settings look like this, where crucial.CRUCIAL-DC.CA is the cert authority. There are two instances in the list. If I click both it makes no difference and when I close the details and open them again only one is ticked. The case and spelling of the CPPM server is correct and this address is registered in DNS

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

Seeing two instances there leads me to believe that you have two copies of the CA cert in the certificate store and maybe they are different CA certs with different signatures. Could you delete both CA certs and push only the correct CA using GPO (or manually) and try with the tick enabled again?

A few more details:

For both user and computer the same error is in the logs: ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied

The ClearPass cert contains the common name in the SAN:

The GPO Settings look like this, where crucial.CRUCIAL-DC.CA is the cert authority. There are two instances in the list. If I click both it makes no difference and when I close the details and open them again only one is ticked. The case and spelling of the CPPM server is correct and this address is registered in DNS

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

Every time I have deployed a CA there have been two instances of the root cert in the list in the group policy setting. As far as I know, the root certificate is deployed automatically to all devices that are domain members. The devices only have one copy of the root cert

Looking at the two certificates in the group policy settings - they are identical

Seeing two instances there leads me to believe that you have two copies of the CA cert in the certificate store and maybe they are different CA certs with different signatures. Could you delete both CA certs and push only the correct CA using GPO (or manually) and try with the tick enabled again?

A few more details:

For both user and computer the same error is in the logs: ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied

The ClearPass cert contains the common name in the SAN:

The GPO Settings look like this, where crucial.CRUCIAL-DC.CA is the cert authority. There are two instances in the list. If I click both it makes no difference and when I close the details and open them again only one is ticked. The case and spelling of the CPPM server is correct and this address is registered in DNS

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

Original Message:
Sent: Sep 22, 2023 04:14 AM
From: ssmith764
Subject: EAP-TLS Auth issues with Windows 11

Every time I have deployed a CA there have been two instances of the root cert in the list in the group policy setting. As far as I know, the root certificate is deployed automatically to all devices that are domain members. The devices only have one copy of the root cert

Looking at the two certificates in the group policy settings - they are identical

------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA

Original Message:
Sent: Sep 21, 2023 04:35 PM
From: mattAruba
Subject: EAP-TLS Auth issues with Windows 11

Seeing two instances there leads me to believe that you have two copies of the CA cert in the certificate store and maybe they are different CA certs with different signatures. Could you delete both CA certs and push only the correct CA using GPO (or manually) and try with the tick enabled again?

Original Message:
Sent: Sep 18, 2023 05:12 AM
From: ssmith764
Subject: EAP-TLS Auth issues with Windows 11

A few more details:

For both user and computer the same error is in the logs: ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied

The ClearPass cert contains the common name in the SAN:

The GPO Settings look like this, where crucial.CRUCIAL-DC.CA is the cert authority. There are two instances in the list. If I click both it makes no difference and when I close the details and open them again only one is ticked. The case and spelling of the CPPM server is correct and this address is registered in DNS

------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA

Original Message:
Sent: Sep 14, 2023 01:57 PM
From: ssmith764
Subject: EAP-TLS Auth issues with Windows 11

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA
--------------------
------------------------------

You should be able to make it work with the * as well, except that you would need to 'escape' the dots:

radius*\.domain\.com

(source)

But if you have those SANs, I would just put in radius.domain.com as a single name. The others, radius01 and radius02 are 'redundant'

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 05, 2026 11:50 AM
From: efelipe
Subject: EAP-TLS Auth issues with Windows 11

Original Message:
Sent: Sep 22, 2023 04:14 AM
From: ssmith764
Subject: EAP-TLS Auth issues with Windows 11

Every time I have deployed a CA there have been two instances of the root cert in the list in the group policy setting. As far as I know, the root certificate is deployed automatically to all devices that are domain members. The devices only have one copy of the root cert

Looking at the two certificates in the group policy settings - they are identical

------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA

Original Message:
Sent: Sep 21, 2023 04:35 PM
From: mattAruba
Subject: EAP-TLS Auth issues with Windows 11

Seeing two instances there leads me to believe that you have two copies of the CA cert in the certificate store and maybe they are different CA certs with different signatures. Could you delete both CA certs and push only the correct CA using GPO (or manually) and try with the tick enabled again?

Original Message:
Sent: Sep 18, 2023 05:12 AM
From: ssmith764
Subject: EAP-TLS Auth issues with Windows 11

A few more details:

For both user and computer the same error is in the logs: ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied

The ClearPass cert contains the common name in the SAN:

The GPO Settings look like this, where crucial.CRUCIAL-DC.CA is the cert authority. There are two instances in the list. If I click both it makes no difference and when I close the details and open them again only one is ticked. The case and spelling of the CPPM server is correct and this address is registered in DNS

------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA

Original Message:
Sent: Sep 14, 2023 01:57 PM
From: ssmith764
Subject: EAP-TLS Auth issues with Windows 11

I have deployed a new Clearpass server and 2019 active directory domain controller in my lab. I have deployed certificates to Clearpass and two test clients via group policy. My Windows 10 client works perfectly and does machine and user authentication. The Windows 11 client fails machine auth with error 215 'EAP-TLS: fatal alert by client - access denied'. 

If I log in to the machine, I can connect but only after clicking the 'Continue Connecting?' prompt and showing the certificate details. 

Both machines have the user and computer certs in the correct location and also have a copy of the root cert. The difference must be with how Windows 11 operates.

Does anyone have an idea how to correct this?

------------------------------
--------------------
Stewart Smith
ACMX, ACDX, ACCP, ACSA
--------------------
------------------------------