topic 802.1X connection problem between Windows 11 and ISE in Network Access Control

802.1X connection problem between Windows 11 and ISE

mickael-France-64 — Wed, 28 Feb 2024 16:33:39 GMT

Hello everyone,

I hope I can find some help here.

Explanations:

We have a fleet of Windows 10 laptops. For wifi authentication we use radius authentication via an ISE server. The laptops are authenticated using the PC name. The PC name is in a specific group in the AD.

We have just upgraded a new PC to Windows 11 but the authentication no longer works.
On the ISE logs we can see the PC arriving, but it arrives with Username instead of the machine name. As a result, it doesn't match our ISE security rules and authentication doesn't work.

It's the same thing with cable, we use NAC on our 9300 switches and Windows 11 doesn't connect.

Do you know where this could be coming from?

Thank very much

Re: 802.1X connection problem between Windows 11 and ISE

Rob Ingram — Wed, 28 Feb 2024 16:36:29 GMT

@mickael-France-64 I assume you mean the username of the authenticated user? If so, it sounds like the Windows 11 laptops supplicant is mis-configured and is using "user authentication" instead of "computer authentication". The windows clients authentication mode need to be modified, example: https://integratingit.wordpress.com/2019/07/13/configuring-windows-gpo-for-802-1x-authentication/

Or change ISE to authenticate the users.

Re: 802.1X connection problem between Windows 11 and ISE

mickael-France-64 — Wed, 28 Feb 2024 16:50:51 GMT

Thank you for your reply.

We do indeed use the machine name for authentication on the ISE.

I've just looked at the settings you gave me, which are deployed by GPO. And we do have 'Computer authentication'.

I think it's OK on this side.

Thank you for your help

Re: 802.1X connection problem between Windows 11 and ISE

Rob Ingram — Wed, 28 Feb 2024 17:46:00 GMT

@mickael-France-64 what username is sent then? Please provide the ISE Live log information.

Re: 802.1X connection problem between Windows 11 and ISE

mickael-France-64 — Wed, 28 Feb 2024 18:42:21 GMT

We use the name of the machine as Username
As you can see from the screenshots, in Windows 10 we get the machine name and in Windows 11 we just get 'Username'.

Thank you

Re: 802.1X connection problem between Windows 11 and ISE

Rob Ingram — Wed, 28 Feb 2024 19:42:49 GMT

@mickael-France-64 go to Administration > System > Settings > Security Settings and select "Disclose invalid usernames" - that will display the username instead of "USERNAME"

Anyway it looks like its failing because of certificates. Do the new computers have the Root CA certificates of the ISE EAP certificate? Check the local machine certificate store.

Re: 802.1X connection problem between Windows 11 and ISE

Arne Bier — Wed, 28 Feb 2024 22:03:08 GMT

The screenshot mentions that ISE is offering EAP-TLS in the initial negotiations, which the supplicant rejects and asks for PEAP instead. So the supplicant is not using EAP-TLS (cert auth).

Windows 11 + PEAP == disaster (Credential Guard) - I think there is a registry setting to disable Credential Guard but it's not advisable. Microsoft (and the rest of the IT world) is trying their best to kill off Username/password authentication.

Re: 802.1X connection problem between Windows 11 and ISE

JPavonM — Fri, 24 May 2024 14:42:41 GMT

Hi chaps,

I'm working on the same scenario, with Win11 22H2 and 23H2, wireless profile set to WPA3-Ent 128bit, and security using EAP-TLS where I manually specify the certificate to present from the client side (setting the root and intermmediate to the corporate ones), and the client to validate RADIUS server cert (at this moment the one been presented is issued from Sectigo with root CA USERTrust, the one I'm checking), finally I'm setting the authentication piece to be username and NOT machine.

Weel under taht sceanrio Win10 works all the time, but none of the Win11 laptops are authenticated and I see that "USERNAME" in the ISE logs. I've managed to fix this with @Rob Ingram recommendation to enable Administration > System > Settings > Security Settings > "Disclose invalid usernames".

However, I've managed to make Win11 to be authenticated sometimes in 1-2 laptops, but then when trying to log into the network back again, I receive an Access-Reject. (Without modifying anything from the pervious day!!!!)

I have a support case open with MS about this so I will update this thread with the Win11 defects or ISE workarounds.

Re: 802.1X connection problem between Windows 11 and ISE

CharlesNjora9180 — Wed, 31 Jul 2024 14:29:15 GMT

Were you able to get any workarounds ?

Thanks

Re: 802.1X connection problem between Windows 11 and ISE

mickael-France-64 — Thu, 01 Aug 2024 07:31:10 GMT

Hello,

We didn't find a solution with Windows 11.
We had to work around the problem. We used certificate authentication.
Since then, everything has worked correctly.

Mickael

Re: 802.1X connection problem between Windows 11 and ISE

JPavonM — Fri, 02 Aug 2024 22:40:23 GMT

For Win11 to use PEAP with either machine name or user name, you must disable Credentials Guard:

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=intune#disable-credential-guard

Re: 802.1X connection problem between Windows 11 and ISE

JAVYLU — Wed, 07 Aug 2024 23:31:57 GMT

Hi everyone:

The problem I have is because the check is NOT applied when entering the computer with Windows 11 into the AD (Image attached) The bad thing is that a model of a certain brand of equipment does work and in other models of equipment of the same brand Windows 11 does not work with the ISE.

I think it has to do with some blocking of the computer's mainboard.

Has anyone already solved this problem?

Re: 802.1X connection problem between Windows 11 and ISE

JPavonM — Thu, 08 Aug 2024 07:04:20 GMT

There are some differences in Windows supplicant between versions, even between Windows 11 minor versions.

Try the simple way to disable "validate server certificate" and update all Windows devices to the same version, and drivers to the latest version from any vendor.