EAP-TLS failure after upgrade to Windows 11

  Thread closed by the administrator, not accepting new replies.
  • 1.  EAP-TLS failure after upgrade to Windows 11

    Posted Nov 06, 2024 08:02 AM

    Hi All,

    After the upgrade from Windows 10 to Windows 11, dot1x authentication is failing for both LAN and WLAN with this error:


    In ClearPass all TLS versions are enabled, as by default.
    What else should I check in ClearPass and on the client side?

    Thanks


  • 2.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 06, 2024 08:13 AM

    Hi

    I have never seen this error message, but apparently the client and ClearPass server can't negotiate the signature algorithm.

    Do you have FIPS mode enabled in ClearPass or do you have hardened Windows clients? FIPS mode will disable several different algorithms.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 06, 2024 08:19 AM

    Hi,
    FIPS is disabled.




  • 4.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 06, 2024 08:30 AM

    Hello harutyun.hakobyan,

    Did you get to see the show log of the screenshot you sent us to see if there are any more details? 
    You can look at your Windows PC logs as well, to see if there are any details of the device negotiation. 
    And what you could also do is a PCAP capture, to see the TLS negotiations. 
    Normally TLS is enabled in ClearPass. But you can try to disable TLS 1.2 momentarily and test. Not always, but there are some devices that do not support TLS 1.2, and this may be the case. 
    You can disable TLS 1.2 in the service parameters section, inside the RADIUS service.



    ------------------------------
    Daniel Ruiz
    -----------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support.
    Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------
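
Added example (not part of any post in this thread, and not ClearPass or Windows code): once a capture is available, the ClientHello shows which TLS versions and signature schemes the supplicant actually offers, which is what the version and signature-algorithm suggestions above are trying to establish. It assumes the ClientHello handshake message has already been reassembled from the EAP-TLS fragments with the TLS record header stripped; the sample bytes are constructed for illustration.

```python
import struct

# Names for the values this thread is about (TLS versions, common signature schemes).
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SIG_SCHEMES = {0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384",
               0x0601: "rsa_pkcs1_sha512", 0x0804: "rsa_pss_rsae_sha256",
               0x0805: "rsa_pss_rsae_sha384", 0x0806: "rsa_pss_rsae_sha512",
               0x0403: "ecdsa_secp256r1_sha256"}

def parse_client_hello(msg: bytes) -> dict:
    """Return the TLS versions and signature schemes offered in a ClientHello
    handshake message (assumption: record header already stripped)."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello (EAP fragments not reassembled?)")
    legacy = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                                        # legacy_version + random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    versions, sigs = [], []
    if pos < len(body):                                 # extensions block present
        ext_end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 43 and data:            # supported_versions: 1-byte list length
                versions = [int.from_bytes(data[i:i + 2], "big") for i in range(1, 1 + data[0], 2)]
            elif etype == 13 and len(data) >= 2:  # signature_algorithms: 2-byte list length
                n = struct.unpack_from("!H", data, 0)[0]
                sigs = [int.from_bytes(data[i:i + 2], "big") for i in range(2, 2 + n, 2)]
    if not versions:
        versions = [legacy]   # without supported_versions, legacy_version is the maximum offered
    return {"versions": [VERSIONS.get(v, hex(v)) for v in versions],
            "sig_schemes": [SIG_SCHEMES.get(s, hex(s)) for s in sigs]}

# Constructed sample, not taken from the thread's capture: offers TLS 1.3 and 1.2,
# with one RSA-PSS and one PKCS#1 v1.5 signature scheme.
_exts = bytes.fromhex("002b0005 04 0304 0303" "000d0006 0004 0804 0401")
_body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
         + len(_exts).to_bytes(2, "big") + _exts)
SAMPLE_CLIENT_HELLO = b"\x01" + len(_body).to_bytes(3, "big") + _body

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_CLIENT_HELLO))
```

Comparing this offered list with the versions and signature suites enabled on the RADIUS server shows whether the two sides have anything in common.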



  • 5.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 06, 2024 09:03 AM

    Do you have your client certificates stored in the TPM of your client? In that case, you may have hit a known bug in some TPMs. Disable RSA-PSS in that case to work around that:



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 07, 2024 03:57 AM

    Temporarily disabled TLS 1.2 on ClearPass; it didn't help.

    "RSA-PSS Signature Suit in EAP-TLS" was initially disabled, but it also didn't help.

    This is the log on ClearPass:

    And this is on Windows 11:




  • 7.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 07, 2024 04:09 AM

    Have you verified with more than one Windows 11 client, just to eliminate an issue with a specific client?

    If you have tested more clients, have they been deployed in the same way? Can you try to get a Windows 11 client deployed from a USB device and without GPO or Intune policies, and just configure the 802.1x settings manually? This will of course also include installing a certificate manually or just including the client in the certificate enrollment policy.

    This test will show if there are any issues with settings applied by company policies in GPO or Intune.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 8.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 07, 2024 05:42 AM

    Update: after disabling TLSv1.3 support in Cluster-Wide Parameters, Windows 11 clients succeeded dot1x authentication for both LAN and WLAN:


    What do the Admin and Network options mean here?




  • 9.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 07, 2024 06:54 AM

    Hi

    If Network is selected, TLS 1.3 is only disabled during network authentication, but is still in use for the admin web GUI. If Admin is selected, TLS 1.3 is disabled for the admin web GUI but is still in use for network authentications.

    When All is selected, TLS 1.0 is disabled for both functions, and with None, TLS 1.3 is enabled.

    The behavior of your Windows 11 clients is strange, as both Windows 10 and 11 support TLS 1.3.

    Do you know if there are any special configurations done on the Windows 11 clients?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 10.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 07, 2024 07:42 AM
    Edited by harutyun.hakobyan Nov 07, 2024 07:43 AM

    Windows clients configuration is via MS Intune and Windows 11 was upgraded from 10, which was working fine.
    Could not find any difference in interface dot1x configurations between 10 and 11, therefore it was strange.

    And the previous setting for "Disable TLSv1.3 support" was Admin.




  • 11.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Nov 13, 2024 08:32 AM

    Update: Windows 11 forces the use of TLS 1.3 for EAP-TLS authentications, so it should be enabled on the ClearPass side.




  • 12.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Dec 02, 2025 09:49 AM

    Dear @harutyun.hakobyan

    What is your current Windows 11 build, and from which build does the EAP-TLS issue appear?
    I mean with Windows 11 in general, or Windows 11 22H2 or above?

    We are experiencing the same issue, where the customer has an Aruba wireless solution along with Forescout as NAC.
    Windows 11 build 22H2 or earlier is working fine with EAP-TLS. Once they upgraded to 24H2 or above, EAP-TLS is not working.


    Dear @jonas.hammarback, @Herman Robers,

    Could you please share your thoughts on this issue?

    Regards,

    -------------------------------------------



  • 13.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Dec 03, 2025 07:48 AM

    Hi @Nawab Muhammad

    This thread is over a year old. If you have current issues it could be better to create a new post instead in the forum.

    Please check this Microsoft post regarding EAP changes in Windows 11 and differences between the versions:
    https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes

    Also check this other Microsoft page with guidelines for configuring EAP settings:
    https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/configure-eap-profiles?tabs=netsh-wifi%2Cpowershell-vpn%2Csettings-wifi%2Cgroup-policy-wifi



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 14.  RE: EAP-TLS failure after upgrade to Windows 11

    Posted Dec 08, 2025 07:11 AM

    Hi @jonas.hammarback,

    Thanks for the advice, I have started a new post for our issue.


    -------------------------------------------