802.1X connection problem between Windows 11 and ISE

mickael-France-64 · ‎02-28-2024

Hello everyone,

I hope I can find some help here.

Explanations:

We have a fleet of Windows 10 laptops. For wifi authentication we use radius authentication via an ISE server. The laptops are authenticated using the PC name. The PC name is in a specific group in the AD.

We have just upgraded a new PC to Windows 11 but the authentication no longer works.
On the ISE logs we can see the PC arriving, but it arrives with Username instead of the machine name. As a result, it doesn't match our ISE security rules and authentication doesn't work.

It's the same thing with cable, we use NAC on our 9300 switches and Windows 11 doesn't connect.

Do you know where this could be coming from?

Thank very much

Rob Ingram · ‎02-28-2024

@mickael-France-64 I assume you mean the username of the authenticated user? If so, it sounds like the Windows 11 laptops supplicant is mis-configured and is using "user authentication" instead of "computer authentication". The windows clients authentication mode need to be modified, example: https://integratingit.wordpress.com/2019/07/13/configuring-windows-gpo-for-802-1x-authentication/

Or change ISE to authenticate the users.

mickael-France-64 · ‎02-28-2024

Thank you for your reply.

We do indeed use the machine name for authentication on the ISE.

I've just looked at the settings you gave me, which are deployed by GPO. And we do have 'Computer authentication'.

I think it's OK on this side.

Thank you for your help

Rob Ingram · ‎02-28-2024

@mickael-France-64 what username is sent then? Please provide the ISE Live log information.

mickael-France-64 · ‎02-28-2024

We use the name of the machine as Username
As you can see from the screenshots, in Windows 10 we get the machine name and in Windows 11 we just get 'Username'.

Thank you

Rob Ingram · ‎02-28-2024

@mickael-France-64 go to Administration > System > Settings > Security Settings and select "Disclose invalid usernames" - that will display the username instead of "USERNAME"

Anyway it looks like its failing because of certificates. Do the new computers have the Root CA certificates of the ISE EAP certificate? Check the local machine certificate store.

Arne Bier · ‎02-28-2024

The screenshot mentions that ISE is offering EAP-TLS in the initial negotiations, which the supplicant rejects and asks for PEAP instead. So the supplicant is not using EAP-TLS (cert auth).

Windows 11 + PEAP == disaster (Credential Guard) - I think there is a registry setting to disable Credential Guard but it's not advisable. Microsoft (and the rest of the IT world) is trying their best to kill off Username/password authentication.

JPavonM · ‎05-24-2024

Hi chaps,

I'm working on the same scenario, with Win11 22H2 and 23H2, wireless profile set to WPA3-Ent 128bit, and security using EAP-TLS where I manually specify the certificate to present from the client side (setting the root and intermmediate to the corporate ones), and the client to validate RADIUS server cert (at this moment the one been presented is issued from Sectigo with root CA USERTrust, the one I'm checking), finally I'm setting the authentication piece to be username and NOT machine.

Weel under taht sceanrio Win10 works all the time, but none of the Win11 laptops are authenticated and I see that "USERNAME" in the ISE logs. I've managed to fix this with @Rob Ingram recommendation to enable Administration > System > Settings > Security Settings > "Disclose invalid usernames".

However, I've managed to make Win11 to be authenticated sometimes in 1-2 laptops, but then when trying to log into the network back again, I receive an Access-Reject. (Without modifying anything from the pervious day!!!!)

I have a support case open with MS about this so I will update this thread with the Win11 defects or ISE workarounds.

CharlesNjora9180 · ‎07-31-2024

Hi

Were you able to get any workarounds ?

Thanks

mickael-France-64 · ‎08-01-2024

Hello,

We didn't find a solution with Windows 11.
We had to work around the problem. We used certificate authentication.
Since then, everything has worked correctly.

Mickael

JPavonM · ‎08-02-2024

For Win11 to use PEAP with either machine name or user name, you must disable Credentials Guard:

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=intune#disable-credential-guard

JAVYLU · ‎08-07-2024

Hi everyone:

The problem I have is because the check is NOT applied when entering the computer with Windows 11 into the AD (Image attached) The bad thing is that a model of a certain brand of equipment does work and in other models of equipment of the same brand Windows 11 does not work with the ISE.

I think it has to do with some blocking of the computer's mainboard.

Has anyone already solved this problem?

JPavonM · ‎08-08-2024

There are some differences in Windows supplicant between versions, even between Windows 11 minor versions.

Try the simple way to disable "validate server certificate" and update all Windows devices to the same version, and drivers to the latest version from any vendor.