<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Windows 11 EAP-TEAP "Action Needed" to Sign in in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5304869#M597056</link>
    <description>&lt;P&gt;We have been struggling with Windows 11 also. From my testing, it doesn't seem to trust my ISE cert, even though the system has the root and sub certs as trusted. We have even set it in the security setting to trust the root cert, where it used to by default, being domain joined. Right now in testing all I have been able to do is add the ISE server name to the list of servers to connect to, to lose the prompt.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 02 Jul 2025 13:28:48 GMT</pubDate>
    <dc:creator>Dustin Anderson</dc:creator>
    <dc:date>2025-07-02T13:28:48Z</dc:date>
    <item>
      <title>Windows 11 EAP-TEAP "Action Needed" to Sign in</title>
      <link>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5302092#M596910</link>
      <description>&lt;DIV&gt;I know this might be a Windows issue but I figured I'd ask in case anyone has had this experience.&lt;BR /&gt;&lt;BR /&gt;Main Issue:&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;Using EAP-TEAP GPO (Windows Server 2022) for Windows 11 devices, clients are able to use the machine cert to auth with no issues. Once the user logs into Windows, the user gets a notification that "Network Action needed". That action basically requires you to navigate to settings &amp;gt; Network &amp;amp; Internet &amp;gt; Ethernet &amp;gt; Click the Sign on button. Once you do that, Windows prompts for a pin (because it's using your external smart card user cert). Once the pin is good, the device is able to do all the stuff and things and is happily connected to the network using the machine/user cert. The big deal is that action of 'action needed' and requiring users to auth to the network instead of it just prompting for a pin. This happens with both wired and wireless. Pics will be attached of the prompt and where the sign in button is located.&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;However, when we did this with a Windows 10 machine, the user logs into Windows, and after a minute they just get a pin prompt, then they are able to connect to the network (using EAP-TEAP machine&amp;amp;user cert)&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;I can't figure out how to make this stupid action prompt go away and just connect without the user having to do the whole settings, ethernet, click sign in. 
I just want a pin prompt and connect.&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;Main GPO Setting details:&lt;/DIV&gt;&lt;DIV&gt;Computer configuration &amp;gt; Policies &amp;gt; Windows Settings &amp;gt; Security Settings &amp;gt; Wired Network&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;Using IEEE 802.1x auth for network access&lt;/DIV&gt;&lt;DIV&gt;Network Auth Method: 'EAP TEAP'&lt;/DIV&gt;&lt;DIV&gt;Auth mode: 'User or Computer auth'&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;Inner Method: Primary Auth&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;&amp;nbsp; &amp;nbsp; EAP-TLS (smartcard or other certificate)&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;Use my smart card&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;use simple cert selection&amp;nbsp;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;certificate must contain Smart Card Logon&amp;nbsp;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;Validate ISE Server cert with our dc ca cert&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;Inner Method: Secondary Auth&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;&amp;nbsp; &amp;nbsp; EAP-TLS (smartcard or other certificate)&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;Use a cert on this computer&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;use simple cert selection&amp;nbsp;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;Cert must be issued by our dc02 cert (EKU all purpose and client auth)&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;Validate ISE Server cert with our dc ca cert&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;Advanced Settings:&lt;/DIV&gt;&lt;DIV&gt;Enforce advanced 802.1x settings&lt;/DIV&gt;&lt;DIV&gt;transmit per IEEE 802.1x&lt;/DIV&gt;&lt;DIV&gt;Enable Single Sign On for this network&lt;/DIV&gt;&lt;DIV&gt;Perform immediately before User logon&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;***There is also a wireless GPO and pretty much is the same as wired just has the BSSID and always connect to this 
network&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;Machine cert is issued from Active Directory. We are using a physical smart card that has 4 certs, 1 is for user smart card login. It does require a pin. Login to Windows/workstation requires a smart card; that same cert is the one I want to use for 802.1x EAP-TEAP.&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;Workstation is a Windows 11 version 23H2&lt;BR /&gt;Domain is a Windows Server 2022, that's where the GPO was configured.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;I've seen things about credential guard, making sure the CA certs are selected, I've tried with and without the trusted server FQDN (with case matching). I saw something about win10 vs 10 eap-teap profile .xml sha hash, but to me that's with trusting the radius server and that's not an issue. Everything works, cert auto select works, I just have to sign in to the network each time through that prompt and going into settings, ethernet sign in. And for some reason any command with netsh does not run. 
Could be some policy issue, but I do see our computers complete EAP-TEAP in ISE, of course after I do the whole prompt sign-in process.&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="popup_signin.png" style="width: 368px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/246913i6211BDAF5937BCFA/image-size/large?v=v2&amp;amp;px=999" role="button" title="popup_signin.png" alt="popup_signin.png" /&gt;&lt;/span&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Setting_action_signin_d.png" style="width: 883px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/246912i18C69D1F465FE02F/image-size/large?v=v2&amp;amp;px=999" role="button" title="Setting_action_signin_d.png" alt="Setting_action_signin_d.png" /&gt;&lt;/span&gt;&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;Thanks for your time, I'll try to keep this updated with things I have done as well as any possible suggestions I receive.&amp;nbsp;&lt;/DIV&gt;</description>
      <pubDate>Tue, 24 Jun 2025 17:21:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5302092#M596910</guid>
      <dc:creator>tcebak</dc:creator>
      <dc:date>2025-06-24T17:21:40Z</dc:date>
    </item>
    <item>
      <title>Re: Windows 11 EAP-TEAP "Action Needed" to Sign in</title>
      <link>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5304866#M597055</link>
      <description>&lt;P&gt;Same problem. Have you solved this? Thanks&lt;/P&gt;</description>
      <pubDate>Wed, 02 Jul 2025 13:19:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5304866#M597055</guid>
      <dc:creator>Anton Abik</dc:creator>
      <dc:date>2025-07-02T13:19:29Z</dc:date>
    </item>
    <item>
      <title>Re: Windows 11 EAP-TEAP "Action Needed" to Sign in</title>
      <link>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5304869#M597056</link>
      <description>&lt;P&gt;We have been struggling with Windows 11 also. From my testing, it doesn't seem to trust my ISE cert, even though the system has the root and sub certs as trusted. We have even set it in the security setting to trust the root cert, where it used to by default, being domain joined. Right now in testing all I have been able to do is add the ISE server name to the list of servers to connect to, to lose the prompt.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 02 Jul 2025 13:28:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5304869#M597056</guid>
      <dc:creator>Dustin Anderson</dc:creator>
      <dc:date>2025-07-02T13:28:48Z</dc:date>
    </item>
    <item>
      <title>Re: Windows 11 EAP-TEAP "Action Needed" to Sign in</title>
      <link>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5305059#M597067</link>
      <description>&lt;P&gt;I have seen the same behaviour. If the supplicant configuration for 'Connect to these servers...' is not defined (or is misconfigured), the Win11 supplicant will throw this error.&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2025-07-03 at 12.26.26 pm.png" style="width: 400px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/247483iFF281785A13C8BF0/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Screenshot 2025-07-03 at 12.26.26 pm.png" alt="Screenshot 2025-07-03 at 12.26.26 pm.png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 03 Jul 2025 02:29:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5305059#M597067</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2025-07-03T02:29:40Z</dc:date>
    </item>
    <item>
      <title>Re: Windows 11 EAP-TEAP "Action Needed" to Sign in</title>
      <link>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5315406#M597525</link>
      <description>&lt;P&gt;Sorry for the super late reply. Somehow I used my 'other' account to open this and didn't see any notifications. However, per your comment, I did see several people have the same issue. However, it has no effect for me. I've copied the server FQDN exactly how it is displayed in the certificate, which is all capital letters. I even tried it with all lower case for fun and didn't notice any difference in behavior, where I thought I would actually get a reject, but I didn't.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Jul 2025 18:01:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5315406#M597525</guid>
      <dc:creator>tcebak</dc:creator>
      <dc:date>2025-07-29T18:01:56Z</dc:date>
    </item>
    <item>
      <title>Re: Windows 11 EAP-TEAP "Action Needed" to Sign in</title>
      <link>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5315417#M597528</link>
      <description>&lt;P&gt;I know this is a bit late, but one thing I've noticed is, if the user certificate is an AD-created user cert, it has zero issues.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Something about the smart card and/or needing the pin (even though it was just used to log into the machine) is causing issues. Which I'm fine with getting a pin prompt, instead of this action needed / Sign in prompt. It just seems like it's forcing the user to actually start the .1x process by doing the whole settings&amp;gt;ethernet&amp;gt;sign in method. And when I do that process, it selects the correct cert and prompts for the pin. Just can't get it to do that instead of forcing the user to start that action. (feel like I'm taking crazy pills)&lt;BR /&gt;&lt;BR /&gt;I'm starting to think it's just something that is set in stone with Windows 11, since Windows 10 does not have this issue.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Thanks everyone!&lt;/P&gt;</description>
      <pubDate>Tue, 29 Jul 2025 19:01:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5315417#M597528</guid>
      <dc:creator>tcebak</dc:creator>
      <dc:date>2025-07-29T19:01:25Z</dc:date>
    </item>
    <item>
      <title>Re: Windows 11 EAP-TEAP "Action Needed" to Sign in</title>
      <link>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5315757#M597549</link>
      <description>&lt;P&gt;Based on a lot of testing there doesn't seem to be any sort of built in SSO for smartcards on Win 11, it would always require users to input their smartcard credentials even if they use it to log on to windows.&amp;nbsp;&lt;/P&gt;&lt;P&gt;We only tested with wireless connections but there weren't as many hoops to jump through just a popup on initial logon that said additional actions are required to connect but it would immediately bring up the smartcard prompt when clicking that popup.&amp;nbsp;&lt;/P&gt;&lt;P&gt;We ended up cutting user certs from our CA that issues our machine certs though since we have users that work on multiple machines. Having the network auth tied to smartcards was never going to work for us anyway. With the non smartcard user certs we have users connecting automatically without additional dialogs using TEAP with EAP chaining to do machine and user auth.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 30 Jul 2025 18:43:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5315757#M597549</guid>
      <dc:creator>Ben Walters</dc:creator>
      <dc:date>2025-07-30T18:43:38Z</dc:date>
    </item>
    <item>
      <title>Re: Windows 11 EAP-TEAP "Action Needed" to Sign in</title>
      <link>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5374836#M599984</link>
      <description>&lt;P&gt;I had the same issue. It was resolved by selecting all the CAs in the certificate chain of RADIUS server, including the root CA&lt;/P&gt;</description>
      <pubDate>Thu, 05 Mar 2026 19:48:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5374836#M599984</guid>
      <dc:creator>Leader1980</dc:creator>
      <dc:date>2026-03-05T19:48:49Z</dc:date>
    </item>
    <item>
      <title>Re: Windows 11 EAP-TEAP "Action Needed" to Sign in</title>
      <link>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5375115#M599994</link>
      <description>&lt;P&gt;I'm late to this discussion but we are also looking at moving from PEAP to EAP-TEAP as we move from Win 10 to Win 11.&amp;nbsp; I had to play around with the order of the primary EAP and secondary EAP to get the results we were looking for in the radius live logs.&amp;nbsp; Have you tried switching the order of the primary EAP and secondary EAP methods to see if that has an effect on the network login prompt?&amp;nbsp; Switching the order of the primary and secondary EAP authentication methods and making sure we had the Root CA plus the Root certificate of the CA that signed our ISE EAP certificate made the network login prompt go away.&lt;/P&gt;</description>
      <pubDate>Fri, 06 Mar 2026 21:08:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5375115#M599994</guid>
      <dc:creator>Louis Gonzales</dc:creator>
      <dc:date>2026-03-06T21:08:59Z</dc:date>
    </item>
    <item>
      <title>Re: Windows 11 EAP-TEAP "Action Needed" to Sign in</title>
      <link>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5542025#M600143</link>
      <description>&lt;P&gt;Hi,&lt;BR /&gt;Not sure if we can bring this thread back to life but I made some interesting findings, perhaps obvious to someone but I think it might still be worth sharing.&lt;BR /&gt;&lt;BR /&gt;We have been doing IBNS2.0 sequential dot1x in closed mode. I.e. we do not perform MAB and dot1x at the same time. From time to time I've seen issues with the Action Required but not so frequent.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;This week however I've been working on a concurrent closed mode design where we do MAB and dot1x at the same time. During testing I set the periodic reauth on the switch to a rather extreme 30 seconds (normally we do 1h reauth sent down from the ISE). Testing with a Windows device running TEAP I noticed that during each reauth I got the action required notification.&amp;nbsp;&lt;BR /&gt;However if I made sure to set up a class for MAB_FAILED and used that with the authentication-failure event that terminates MAB and continues with dot1x instead I stopped getting the action required.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;I did a capture and it seems that if I didn't terminate MAB the switch would send an EAPOL failure to the client and that seems to be the trigger for Windows.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Here is a snippet from my policy-maps, one with a dedicated handler for MAB failed and one that is more generic.&lt;/P&gt;
&lt;P&gt;With handling for MAB aka class MAB_FAILED:&lt;/P&gt;
&lt;PRE&gt;event authentication-failure match-first&lt;BR /&gt; 10 class DOT1X_FAILED do-until-failure&lt;BR /&gt;  10 terminate dot1x&lt;BR /&gt;  20 authenticate using mab priority 20&lt;BR /&gt; 20 class ISEDOWN do-until-failure&lt;BR /&gt;  10 clear-authenticated-data-hosts-on-port&lt;BR /&gt;  20 activate service-template ISEDOWN_ACCESS&lt;BR /&gt;  30 activate service-template ISEDOWN_VOICE&lt;BR /&gt;  40 authorize&lt;BR /&gt;  50 pause reauthentication&lt;BR /&gt; 30 class AAA_DOWN_AUTH_HOST do-until-failure&lt;BR /&gt;  10 pause reauthentication&lt;BR /&gt;  20 authorize&lt;BR /&gt; 40 class DOT1X_NO_RESP do-until-failure&lt;BR /&gt;  10 terminate dot1x&lt;BR /&gt;  20 authenticate using mab priority 20&lt;BR /&gt; 50 class DOT1X_TIMEOUT do-until-failure&lt;BR /&gt;  10 terminate dot1x&lt;BR /&gt;  20 authenticate using mab priority 20&lt;BR /&gt; 55 class MAB_FAILED do-until-failure&lt;BR /&gt;  10 terminate mab&lt;BR /&gt;  20 authenticate using dot1x priority 10&lt;BR /&gt; 60 class always do-until-failure&lt;BR /&gt;  10 terminate dot1x&lt;BR /&gt;  20 terminate mab&lt;BR /&gt;  30 authentication-restart 60&lt;/PRE&gt;
&lt;P&gt;Without handling for MAB:&lt;/P&gt;
&lt;PRE&gt;event authentication-failure match-first&lt;BR /&gt; 10 class DOT1X_FAILED do-until-failure&lt;BR /&gt;  10 terminate dot1x&lt;BR /&gt;  20 authenticate using mab priority 20&lt;BR /&gt; 20 class ISEDOWN do-until-failure&lt;BR /&gt;  10 clear-authenticated-data-hosts-on-port&lt;BR /&gt;  20 activate service-template ISEDOWN_ACCESS&lt;BR /&gt;  30 activate service-template ISEDOWN_VOICE&lt;BR /&gt;  40 authorize&lt;BR /&gt;  50 pause reauthentication&lt;BR /&gt; 30 class AAA_DOWN_AUTH_HOST do-until-failure&lt;BR /&gt;  10 pause reauthentication&lt;BR /&gt;  20 authorize&lt;BR /&gt; 40 class DOT1X_NO_RESP do-until-failure&lt;BR /&gt;  10 terminate dot1x&lt;BR /&gt;  20 authenticate using mab priority 20&lt;BR /&gt; 50 class DOT1X_TIMEOUT do-until-failure&lt;BR /&gt;  10 terminate dot1x&lt;BR /&gt;  20 authenticate using mab priority 20&lt;BR /&gt; 60 class always do-until-failure&lt;BR /&gt;  10 terminate dot1x&lt;BR /&gt;  20 terminate mab&lt;BR /&gt;  30 authentication-restart 60&lt;/PRE&gt;
</description>
      <pubDate>Wed, 01 Apr 2026 12:42:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/windows-11-eap-teap-quot-action-needed-quot-to-sign-in/m-p/5542025#M600143</guid>
      <dc:creator>Simon Parlsjo</dc:creator>
      <dc:date>2026-04-01T12:42:38Z</dc:date>
    </item>
  </channel>
</rss>

