---

@zachhoiberg wrote:
Radio types supported     : 802.11b 802.11g 802.11n

---

Please check the controller to determine which radio (2.4 Ghz or 5.0 Ghz) the laptop has joined.  

---

@zachhoiberg wrote:
Just doesn't work with laptops from HP, Notebook HP 240 G7.

---

Wait, that just not make any sense!  Works for anything-n-everything except one particular model of laptop with an ancient wireless NIC?  

Try creating a SSID with OPEN authentication and see if the laptops (plural) works or not.  IF it works, then crank up to PSK.  IF that works, then keep cranking until it breaks. 

If OPEN SSID does not work, then something horribly is happening at the SOE level.

Open works, PSK works, PSK with local MAB works. DOT1X results in the following:

Aug 15 13:41:04.094: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (e8b1.fcdc.827d) with reason (Cred Fail) on Interface capwap_90000098 AuditSessionID 8201C10A003A898CF96DAD1F Username: user@domain.local
Aug 15 13:41:04.094: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (e8b1.fcdc.827d) on Interface capwap_90000098 AuditSessionID 8201C10A003A898CF96DAD1F. Failure reason: Authc fail. Authc failure reason: Cred Fail.

Certificate based authentication, both with a cert requested from the same CA via the AD enrollment policy.

When connected via PSK with MAB,

"Capabilities

(Hot dang!  This is probably the best response(s) I've seen from anyone!)

If open, PSK and MAB works but it fails on Dot1X then we start troubleshooting the authentication server.  

Let's start with the most basic:  Is there an expired certificate involved?

It's definitely not a certificate issue, nor an issue with the authentication server.

When we disable Central Authentication on that WLAN and keep all other settings the same, the specific devices that are having issues connect just fine. Same certificate, same Radius servers, same NPS policies. I've collected some packet captures and radioactive traces and I'm now working with TAC on this bizarre issue.

On these specific devices, no packets are sent by the WLC to the authentication server, and within a tenth of a second, it marks the device as failing authentication.

We've actually had two different model laptops, both with extremely similar NIC drivers, fail and succeed on Central Auth, while both work when the APs themselves are the ones doing the DOT1X requests.
Non workng:

Driver                    : Intel(R) Wi-Fi 6 AX201 160MHz

    Vendor                    : Intel Corporation

    Provider                  : Intel

    Date                      : 11/23/2022

    Version                   : 22.190.0.4

    INF file                  : oem12.inf

    Type                      : Native Wi-Fi Driver

    Radio types supported     : 802.11b 802.11g 802.11n 802.11a 802.11ac 802.11ax

    FIPS 140-2 mode supported : Yes

   802.11w Management Frame Protection supported : Yes

    Hosted network supported  : No

    Authentication and cipher supported in infrastructure mode:

                                Open            None

                                Open            WEP-40bit

                                Open            WEP-104bit

                                Open            WEP

                                WPA-Enterprise  TKIP

                                WPA-Enterprise  CCMP

                                WPA-Personal    TKIP

                                WPA-Personal    CCMP

                                WPA2-Enterprise TKIP

                                WPA2-Enterprise CCMP

                                WPA2-Personal   TKIP

                                WPA2-Personal   CCMP

                                Open            Vendor defined

                                WPA3-Personal   CCMP

                                Vendor defined  Vendor defined

                                WPA3-Enterprise GCMP-256

                                OWE             CCMP

    IHV service present       : Yes

    IHV adapter OUI           : [00 00 00], type: [00]

    IHV extensibility DLL path: C:\WINDOWS\system32\IntelIHVRouter10.dll

    IHV UI extensibility ClSID: {00000000-0000-0000-0000-000000000000}

    IHV diagnostics CLSID     : {00000000-0000-0000-0000-000000000000}

    Wireless Display Supported: Yes (Graphics Driver: Yes, Wi-Fi Driver: Yes)


Working:
Driver : Intel(R) Wi-Fi 6 AX201 160MHz
Vendor : Intel Corporation
Provider : Intel
Date : 11/23/2022
Version : 22.190.0.4
INF file : oem84.inf
Type : Native Wi-Fi Driver
Radio types supported : 802.11b 802.11g 802.11n 802.11a 802.11ac 802.11ax
FIPS 140-2 mode supported : Yes
802.11w Management Frame Protection supported : Yes
Hosted network supported : No
Authentication and cipher supported in infrastructure mode:
Open None
Open WEP-40bit
Open WEP-104bit
Open WEP
WPA-Enterprise TKIP
WPA-Enterprise CCMP
WPA-Personal TKIP
WPA-Personal CCMP
WPA2-Enterprise TKIP
WPA2-Enterprise CCMP
WPA2-Personal TKIP
WPA2-Personal CCMP
Open Vendor defined
WPA3-Personal CCMP
Vendor defined Vendor defined
WPA3-Enterprise 192 Bits GCMP-256
OWE CCMP
Number of supported bands : 2
2.4 GHz [ 0 MHz - 0 MHz]
5 GHz [ 0 MHz - 0 MHz]
IHV service present : Yes
IHV adapter OUI : [00 00 00], type: [00]
IHV extensibility DLL path: C:\Windows\system32\IntelIHVRouter10.dll
IHV UI extensibility ClSID: {00000000-0000-0000-0000-000000000000}
IHV diagnostics CLSID : {00000000-0000-0000-0000-000000000000}
Wireless Display Supported: Yes (Graphics Driver: Yes, Wi-Fi Driver: Yes)



The only difference I see between the two "netsh wlan show drivers" outputs is the WPA-3 Enterprise bits for GCMP, the driver INF file, and then supported bands.

We are only using WPA/WPA-2, however.

Well you just should NOT be using that driver (22.190.0.4) - Intel has withdrawn it because it's unsupportable!
https://quickview.cloudapps.cisco.com/quickview/bug/CSCwe50033
And even Microsoft has updated their platforms to the new drivers - for example:
https://support.microsoft.com/en-us/surface/surface-laptop-4-update-history-607537fa-c595-4797-9a2e-ee77015472f6
August 2023 updates - August 1 release
The following update is available for Surface Laptop 4 devices with Intel Processor running Windows 10 October 2020 Update, Version 20H2 or greater. This update improves wireless stability.
Windows Update Name Device Manager
Intel - Net - 22.230.0.8 Intel(R) Wi-Fi 6 AX201 160MHz - Network adapters

Latest driver: https://www.intel.com/content/www/us/en/download/19351/windows-10-and-windows-11-wi-fi-drivers-for-intel-wireless-adapters.html

---

@zachhoiberg wrote:
Version                   : 22.190.0.4

---

Have a look at CSCwe50033, particularly, the information about the Intel wireless NIC versions that fixed the issue (of the bug).  

In addition to what @Rich R said, I would recommend updating the wireless NIC firmware.  I would also like to add/recommend the following Intel-based setting changes: 

• 802.11n/ac/ax Wireless Mode: 3. 802.11ac
• Preferred Band: 3. Prefer 5Ghz band
• Roaming Aggressiveness: 4. Medium-High
• Throughput Booster: Disabled
• U-APSD support: Disabled

Hello Friends,

Just shared that I have resolved the issue.

I changed the EAP certificate to self signed certs and local user should be created without password encrypted.

Thanks.