cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
334
Views
0
Helpful
1
Replies

Windows 11 authentication after restart - TEAP

Micinel
Level 1
Level 1

Hello,

I have a problem with Windows 11 against RADIUS ISE.

We are using GPO for devices in enterprise.  Client authentication is configured by EAP-TLS. I guess configuration is not problem.

Windows 11 is authenticated normally on wifi and wired as well. The problem sets when the PC is restarted. After restart - before login into AD, PC is not authenticated. When user use his credentials, device is authenticated normally.

 

I need to achieve the state that when the PC is turned on, it is automatically authenticated on ISE before logging in to AD. It is due to remote access, if the user is doing something from home and logs in via RDP to the PC and need restart.

 

Many thanks.

Have a good day.

Michal

1 Accepted Solution

Accepted Solutions

Ben Walters
Level 3
Level 3

You can achieve this through machine authentication, if you are using win 11 TEAP it does support EAP chaining, which allows both user and machine auth. 

To do this you will need to change the authentication mode from "user" to "user or computer" when configuring the network profile and then select a method for authentication, either MS-CHAP or EAP-TLS.

One thing to note with Win 11 and TEAP, if you have credential guard enabled you will not be able to authenticate machines without having device certificates and using EAP-TLS.

 

More info can be found here: https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/configure-eap-profiles?tabs=netsh-wifi%2Cpowershell-vpn%2Csettings-wifi%2Cgroup-policy-wifi 

 

Hopefully this was helpful information.

View solution in original post

1 Reply 1

Ben Walters
Level 3
Level 3

You can achieve this through machine authentication, if you are using win 11 TEAP it does support EAP chaining, which allows both user and machine auth. 

To do this you will need to change the authentication mode from "user" to "user or computer" when configuring the network profile and then select a method for authentication, either MS-CHAP or EAP-TLS.

One thing to note with Win 11 and TEAP, if you have credential guard enabled you will not be able to authenticate machines without having device certificates and using EAP-TLS.

 

More info can be found here: https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/configure-eap-profiles?tabs=netsh-wifi%2Cpowershell-vpn%2Csettings-wifi%2Cgroup-policy-wifi 

 

Hopefully this was helpful information.