08-12-2022 12:56 AM
Hello to all,
Has anyone tested a Windows 11 machine with ISE?
I'm testing Windows 11 and it does not authenticate automatically.
I have to log in to the session, and then Windows 11 prompts me with the message "action required" and then takes me to the network to manually sign in to the network.
On Windows 10 it works perfectly.
10-17-2022 06:32 PM
I worked for a company that did EAP-TLS wired and wireless authentication. We had the described issue for Windows 11 wired authentication; it worked perfectly in Windows 10 and I THINK with wireless. In our specific instance, in Windows 10 we did not mark a "Trusted Root Certificate Authorities:" server in the machine's dot1x settings. When testing Windows 11, we found that simply selecting the CA that you specifically want to trust resolved the issue. Additionally, if you select the box "Connect to these servers", I have heard reports that in Windows 11 that becomes case sensitive. So if that doesn't exactly match, with case, you will get the same popup. A Google search of this "Always On VPN Error 853 on Windows 11" will take you to a nice writeup describing the issue.
To be clear, our working config was: verify the server's identity by validating the certificate. NOT selecting "Connect to these servers". Select the trusted root cert authority for your ISE cert.
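The two settings named in the reply above can be checked in an exported profile before it is deployed. This is an added example, not part of the original post: it audits the `<ServerValidation>` block of an EAP-TLS profile (as written by `netsh lan export profile`), flagging an empty `TrustedRootCA` and any `ServerNames` entry that differs from the ISE certificate name only by case. The sample XML, the host name `ise01.corp.example` and the function names are constructed for illustration, and `ServerNames` entries are treated as literal names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: EAP-TLS fragment of an exported 802.1X profile.
# Host name and values are made up for this example.
SAMPLE_PROFILE = """<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames>ISE01.corp.example</ServerNames>
    <TrustedRootCA></TrustedRootCA>
  </ServerValidation>
</EapType>"""


def _local(tag):
    """Strip the XML namespace so the check works for any schema version."""
    return tag.rsplit("}", 1)[-1]


def audit_server_validation(profile_xml, ise_cert_name):
    """Return a list of findings for the profile's <ServerValidation> block."""
    root = ET.fromstring(profile_xml)
    sv = next((e for e in root.iter() if _local(e.tag) == "ServerValidation"), None)
    if sv is None:
        return ["no ServerValidation element: server certificate is not validated"]
    findings = []
    # One <TrustedRootCA> element per pinned root (thumbprint as hex bytes).
    roots = [(e.text or "").strip() for e in sv if _local(e.tag) == "TrustedRootCA"]
    if not any(roots):
        findings.append("no TrustedRootCA selected: select the root CA of the ISE certificate")
    # "Connect to these servers" is stored as a semicolon-separated list.
    text = next(((e.text or "") for e in sv if _local(e.tag) == "ServerNames"), "")
    names = [n.strip() for n in text.split(";") if n.strip()]
    for name in names:
        if name != ise_cert_name and name.lower() == ise_cert_name.lower():
            findings.append(f"ServerNames entry {name!r} differs from "
                            f"{ise_cert_name!r} only by case")
    if names and not any(n.lower() == ise_cert_name.lower() for n in names):
        findings.append(f"ServerNames does not list {ise_cert_name!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_server_validation(SAMPLE_PROFILE, "ise01.corp.example"):
        print("FINDING:", finding)
```

An empty result for a profile with no `ServerNames` and a pinned root corresponds to the working configuration described in the reply.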
08-12-2022 03:21 AM
- For starters, what is your ISE version? For ISE 3.1, check out: https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/compatibility_doc/b_ise_sdt_31.html#microsoftwindows. For the rest, you will need to provide more details as to which authentication solutions are being used. If, for instance, there is a supplicant, then is it compatible with Windows 11? After explaining all of this, a screenshot may also be helpful.
08-12-2022 08:35 AM
08-15-2022 12:46 PM
Yes, Windows 11 works with ISE.
You have not provided any information about how you expect Windows to connect to your network:
You have not provided any ISE LiveLog error messages to potentially understand what ISE is seeing - if anything - and possibly why it is being rejected.
You have not provided any Screenshots of the actual Windows error.
09-22-2022 10:38 AM
Hello, I also have this issue.
We are working with ISE 3.1; the Wi-Fi authentication is done via local certificates delivered with Intune CSP. Our Windows 11 computers aren't connecting automatically, and also whenever we try to connect to our primary SSID we get the following message (sorry for the French):
Our Windows 10 computers are working fine. I've checked the ISE live logs; it seems that the Windows 11 computers fall into our "Windows 10 workstation" Endpoint profile.
I have tried playing with Regedit to try and disable this function (https://windowsreport.com/wifi-action-needed-windows-10/) but it doesn't seem to work on Windows 11. Are there any known ISE config requirements for Windows 11? Thanks a lot
09-22-2022 10:39 AM
In the live logs I also have the following error message: 5440 Endpoint abandoned EAP session and started new
09-22-2022 06:37 PM
Check your wireless NIC card drivers. Make sure your Windows install has the latest hotfixes too.
09-23-2022 04:55 AM
09-23-2022 05:01 AM
The other way I've seen this manifest is bad RF. What does your RF environment look like? Have you done an active survey of your environment? Interference sources, etc.
09-23-2022 05:19 AM
Yes, we have had ESI tech do an exit survey after we installed our new 9k Cisco APs, and we followed their recommendations (a lot of them were indeed regarding our RF profiles).
Our RF profile looks like this currently (for 2.4 and 5 GHz):
We don't have any channel overlap, our TX power is fine, and our RSSI is -75.
Are there specific RF config requirements for Windows 11 we need to do? Thanks a lot
09-23-2022 06:13 AM
No, nothing specific. Does that message say the certificate isn't trusted? Sorry I don't speak French; but if so that is your issue.
09-23-2022 06:32 AM
No problem, the message says the following:
"Continue connecting? If you expect to find ia-secur in this location, go ahead and connect. Otherwise, it may be a different network with the same name." There is also a pop-up Windows message that says "Action required" instead of automatically connecting to our Wi-Fi.
09-23-2022 06:38 AM
Got it, so it looks like two profiles for the same SSID are being pushed to the device, or the settings in Intune do not match what security requirements are in place for the SSID (PEAP vs EAP-TLS, computer/user auth, etc.). If you "forget" the network and re-join, do you see the same error?
09-23-2022 07:33 AM
We do not have the option to "forget the network", since it is being pushed with certificates via Intune CSP.
09-23-2022 07:53 AM