02-28-2024 08:33 AM
Hello everyone,
I hope I can find some help here.
Explanations:
We have a fleet of Windows 10 laptops. For wifi authentication we use radius authentication via an ISE server. The laptops are authenticated using the PC name. The PC name is in a specific group in the AD.
We have just upgraded a new PC to Windows 11 but the authentication no longer works.
On the ISE logs we can see the PC arriving, but it arrives with Username instead of the machine name. As a result, it doesn't match our ISE security rules and authentication doesn't work.
It's the same thing with cable, we use NAC on our 9300 switches and Windows 11 doesn't connect.
Do you know where this could be coming from?
Thank very much
02-28-2024 08:36 AM
@mickael-France-64 I assume you mean the username of the authenticated user? If so, it sounds like the Windows 11 laptops supplicant is mis-configured and is using "user authentication" instead of "computer authentication". The windows clients authentication mode need to be modified, example: https://integratingit.wordpress.com/2019/07/13/configuring-windows-gpo-for-802-1x-authentication/
Or change ISE to authenticate the users.
02-28-2024 08:50 AM
02-28-2024 09:46 AM
@mickael-France-64 what username is sent then? Please provide the ISE Live log information.
02-28-2024 10:42 AM
02-28-2024 11:42 AM
@mickael-France-64 go to Administration > System > Settings > Security Settings and select "Disclose invalid usernames" - that will display the username instead of "USERNAME"
Anyway it looks like its failing because of certificates. Do the new computers have the Root CA certificates of the ISE EAP certificate? Check the local machine certificate store.
02-28-2024 02:03 PM
The screenshot mentions that ISE is offering EAP-TLS in the initial negotiations, which the supplicant rejects and asks for PEAP instead. So the supplicant is not using EAP-TLS (cert auth).
Windows 11 + PEAP == disaster (Credential Guard) - I think there is a registry setting to disable Credential Guard but it's not advisable. Microsoft (and the rest of the IT world) is trying their best to kill off Username/password authentication.
05-24-2024 07:42 AM
Hi chaps,
I'm working on the same scenario, with Win11 22H2 and 23H2, wireless profile set to WPA3-Ent 128bit, and security using EAP-TLS where I manually specify the certificate to present from the client side (setting the root and intermmediate to the corporate ones), and the client to validate RADIUS server cert (at this moment the one been presented is issued from Sectigo with root CA USERTrust, the one I'm checking), finally I'm setting the authentication piece to be username and NOT machine.
Weel under taht sceanrio Win10 works all the time, but none of the Win11 laptops are authenticated and I see that "USERNAME" in the ISE logs. I've managed to fix this with @Rob Ingram recommendation to enable Administration > System > Settings > Security Settings > "Disclose invalid usernames".
However, I've managed to make Win11 to be authenticated sometimes in 1-2 laptops, but then when trying to log into the network back again, I receive an Access-Reject. (Without modifying anything from the pervious day!!!!)
I have a support case open with MS about this so I will update this thread with the Win11 defects or ISE workarounds.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide