802.1X authentication failure with workstations on Windows 11

rhamersley
Getting noticed

Currently we are noticing that some users who upgraded to Windows 11 are now unable to connect to our switches using 802.1X authentication.

Is there any documentation out there to fix this issue? I had to change my switch ports from the 802.1X authentication policy to "Open". Not the most secure when doing that.

Also, the Windows 11 users are unable to connect to our corporate WiFi using 802.1X authentication.

We have 175 users on Windows 10 who all work and connect using 802.1X authentication, and the only 5 Windows 11 users in our environment cannot connect using 802.1X authentication.

RADIUS server authentication using Active Directory credentials works fine.

Windows 11 is doing something to affect the 802.1X authentication. That is what we need to find out, or is there any documentation on fixing this issue?

16 Replies
RaphaelL
Kind of a big deal

What are the logs showing on the switch and the RADIUS server?

Have you taken a packet capture?

CptnCrnch
Kind of a big deal

What kind of authentication are you using? It sounds like username/password. Which RADIUS server are you using?

rhamersley
Getting noticed

We are using an 802.1X authentication configuration with a RADIUS server, and it is currently working for all our Windows 10 users. We have no issues at all. But once we upgraded 5 users to Windows 11 they cannot connect anymore using 802.1X authentication. I have to move the Meraki switch port back to "Open" and disable 802.1X authentication on our corporate WiFi.

RADIUS server network policy config:

[Screenshot: RADIUS server network policy configuration]

The big question here is what changes need to be made in Windows 11 to allow this 802.1X authentication to complete, or is there something on the Meraki side that needs to be changed to allow Windows 11 workstations?

Crocker
A model citizen

Are the users themselves authenticating via 802.1X, or is the computer authenticating via 802.1X using something like a machine certificate?

 

We use computer auth via machine certificate, and had some trouble with Windows 11 in-place upgrades. It had to do with part of the upgrade process (a task sequence via MECM, I believe) performing a NIC driver upgrade as part of the task sequence. This NIC driver update wiped out the 802.1X machine authentication settings that we applied to the "Ethernet" connection via Group Policy. Once the settings were wiped, the machine would get kicked off the network, so Group Policy couldn't enforce the 802.1X configuration. Bit of a catch-22.

Our MECM admin ended up adding a step to the task sequence to force the settings back into place after the NIC driver was upgraded.

A more general, common culprit is that the "Wired AutoConfig" service can get disabled; it's worth checking if that's what's going on.

EDIT: After re-reading your initial post, I wonder if these are in-place upgrades or wipe -> fresh images? If these are being wiped and given a fresh image, are you re-applying the 802.1X configuration in Windows?
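
Added example (not from this thread or from any poster): a small set of PowerShell functions that check the client-side items Crocker describes on a Windows 10/11 workstation, namely whether the Wired AutoConfig service (dot3svc) is running, what wired 802.1X profiles are present (Group Policy profiles show up in the netsh output, so a profile wiped by a driver update is visible here), and the most recent entries from the Wired-AutoConfig operational event log, which carry the concrete failure reason. Run it in an elevated session on an affected machine; the function names are my own.

```powershell
# Added example, not code from the thread. Run as Administrator on the affected Windows 11 client.

function Get-WiredAutoConfigState {
    # Wired 802.1X (EAPOL) on Windows is driven entirely by the Wired AutoConfig service.
    # If it is stopped or disabled, the port will never see an EAP exchange.
    $svc       = Get-Service -Name dot3svc -ErrorAction Stop
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='dot3svc'").StartMode
    [pscustomobject]@{
        Service   = $svc.DisplayName
        Status    = $svc.Status
        StartMode = $startMode
    }
}

function Repair-WiredAutoConfig {
    # Puts the service back to the state a domain-joined 802.1X client needs.
    Set-Service   -Name dot3svc -StartupType Automatic
    Start-Service -Name dot3svc
}

function Get-Wired8021xProfiles {
    # 'show interfaces' reports per-NIC 802.1X state and current auth status;
    # 'show profiles' lists the wired profiles, including any pushed by Group Policy.
    netsh lan show interfaces
    netsh lan show profiles
}

function Get-Wired8021xEvents {
    param([int]$Last = 20)
    # The operational log records the reason for each failed wired authentication.
    # If it is empty, enable it first:
    #   wevtutil sl "Microsoft-Windows-Wired-AutoConfig/Operational" /e:true
    Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' `
                 -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Typical usage on an affected client:
Get-WiredAutoConfigState
Get-Wired8021xProfiles
Get-Wired8021xEvents -Last 10
```

If `Get-WiredAutoConfigState` shows the service stopped or disabled, `Repair-WiredAutoConfig` brings it back; if `netsh lan show profiles` lists no profile on the Ethernet interface, the Group Policy settings never landed (or were wiped) and the event log will usually say the interface is not configured for 802.1X.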

RaphaelL
Kind of a big deal

Like Crocker mentioned, this mostly looks like a client-side issue.

rhamersley
Getting noticed

Yes, we are using machine-assigned certificates for our authentication with 802.1X. Do you have any screenshots of your network adapter settings in Windows 11?

Crocker
A model citizen

This is the document our Active Directory/Group Policy folks followed to set the adapter settings:

 

Windows 10 802.1x Wired Authentication - IST Knowledge Base - Confluence (atlassian.net)

Note - Where it says to select User Authentication, use Machine Authentication

 

Edit: Better link

rhamersley
Getting noticed

Crocker, I am looking for Windows 11 802.1X wired authentication. Have you tested the correct configuration for Windows 11?

In my environment Windows 10 works perfectly for wired connections, but it's only our Windows 11 users who are not able to successfully authenticate using 802.1X.

NH
Comes here often

@rhamersley 

This is one of the solutions so far. We had the same issue, and it is tied to a Microsoft Windows update for Windows 11 22H2. You might notice that there is already an LsaCfgFlags with Default at the beginning.

Open Registry Editor with Run as Administrator option

  1. Go to path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  2. Create a new DWORD LsaCfgFlags and set it to 0
  3. Restart the device.
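
Added example (not from this thread or from any poster): the same registry change as a PowerShell script, preceded by a read-out of what the value currently is. The security-relevant point a practitioner should know before applying it: `LsaCfgFlags` under that `Lsa` key is the Credential Guard setting (0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock), so setting it to 0 turns Credential Guard off on that workstation. Windows 11 22H2 enables Credential Guard by default on eligible devices, and Credential Guard blocks password-based authentication paths such as PEAP-MSCHAPv2 with machine credentials; certificate-based EAP-TLS is not affected by it. The function names and the `-WhatIf` handling are my own.

```powershell
# Added example, not code from the thread. Run as Administrator.
# LsaCfgFlags is the Credential Guard switch: 0 = off, 1 = on with UEFI lock, 2 = on without lock.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CredentialGuardState {
    # Win32_DeviceGuard reports what is actually running, independent of the registry value.
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $dg   = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $flag = (Get-ItemProperty -Path $LsaKey -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    [pscustomobject]@{
        LsaCfgFlags               = if ($null -eq $flag) { '<not set>' } else { $flag }
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = (1 -in @($dg.SecurityServicesConfigured))
        CredentialGuardRunning    = (1 -in @($dg.SecurityServicesRunning))
    }
}

function Set-LsaCfgFlags {
    # Supports -WhatIf so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(0, 1, 2)][int]$Value)
    if ($PSCmdlet.ShouldProcess($LsaKey, "Set LsaCfgFlags (DWORD) = $Value")) {
        New-ItemProperty -Path $LsaKey -Name LsaCfgFlags -PropertyType DWord -Value $Value -Force | Out-Null
        Write-Host 'LsaCfgFlags written; a restart is required for the change to take effect.'
    }
}

# Usage: inspect first, then apply the change the thread describes (value 0) and reboot.
Get-CredentialGuardState
Set-LsaCfgFlags -Value 0 -WhatIf   # drop -WhatIf to actually write it
# Restart-Computer
```

One caveat: if `Get-CredentialGuardState` shows Credential Guard configured with the UEFI lock (value 1), writing 0 to the registry alone is not enough, because the lock persists in UEFI variables and must be cleared separately; Microsoft's Credential Guard documentation covers that case. And if the workstation already authenticates with a machine certificate (EAP-TLS), failures are unlikely to be caused by Credential Guard, so check the client event log before turning it off.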
rhamersley
Getting noticed

NH, this worked perfectly for authenticating to 802.1X on our wireless network. But our Windows 11 wired users are still unable to authenticate to 802.1X. Did you run into this issue also?

NH
Comes here often

No issues with the wired; it was only with the wireless. You might have a Group Policy or configurations that are causing the authentication failures. Check the reasons for the failures in the event logs of the affected machines (Windows 11).

DeanN
Comes here often

Any update on this issue? I have the identical issue with the same setup and am currently applying the same solution ("Open Port").

NH
Comes here often

Hey @DeanN 

We couldn't find any other solution except this registry change on the end user's PC.

Open Registry Editor with Run as Administrator option

  1. Go to path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  2. Create a new DWORD LsaCfgFlags and set it to 0
  3. Restart the device.

Hope this helps.


DeanN
Comes here often

If you trust the port that the Windows 11 PC connects to? I haven't tried it, just checking if anyone did.

DeanN
Comes here often

The issue that I found was that Device Guard was enabled on Windows 11. I disabled Device Guard via GPO and the issue was resolved. The PC had to be rebooted after the port was changed back to 802.1X.

meiokilo011
New here

The solution found in our organization was to insert the certificate of the RADIUS servers via GPO for wired clients and, in the connection profile, to mark both servers as trusted.
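
Added example (not from this thread or from any poster): a PowerShell check for the fix meiokilo011 describes. A wired 802.1X profile's EAP configuration carries the thumbprint(s) of the trusted root CA and the list of server names the client will accept, so the script exports the wired profiles with `netsh lan export profile`, pulls those two elements out of the XML in a namespace-agnostic way (the element names are the same for EAP-TLS and PEAP profiles), and confirms each pinned root is actually present in the machine's Trusted Root store. The constructed sample XML at the end only exercises the parser offline; its thumbprint is a placeholder, not a real CA, and the function names are my own.

```powershell
# Added example, not code from the thread. Run as Administrator; netsh lan needs dot3svc running.

function Get-ProfileServerValidation {
    param([Parameter(Mandatory)][xml]$ProfileXml)
    # local-name() ignores the EAP-type-specific namespaces, so this works for EAP-TLS and PEAP.
    $roots = $ProfileXml.SelectNodes("//*[local-name()='TrustedRootCA']") |
             ForEach-Object { ($_.InnerText -replace '\s', '').ToUpperInvariant() }
    $names = $ProfileXml.SelectNodes("//*[local-name()='ServerNames']") |
             ForEach-Object { $_.InnerText }
    [pscustomobject]@{ TrustedRootCA = @($roots); ServerNames = @($names) }
}

function Test-TrustedRootPresent {
    param([string[]]$Thumbprint)
    # The wired client validates the RADIUS server cert against LocalMachine\Root,
    # so a thumbprint pinned in the profile must exist there or every authentication fails.
    $store = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
    foreach ($t in $Thumbprint) {
        [pscustomobject]@{ Thumbprint = $t; InLocalMachineRoot = ($store -contains $t) }
    }
}

function Test-WiredProfileTrust {
    param([string]$Folder = (Join-Path $env:TEMP 'lanprofiles'))
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    netsh lan export profile folder="$Folder" | Out-Null   # one XML per interface
    Get-ChildItem -Path $Folder -Filter *.xml | ForEach-Object {
        $v = Get-ProfileServerValidation -ProfileXml ([xml](Get-Content $_.FullName -Raw))
        Write-Host "Profile $($_.Name): ServerNames = $($v.ServerNames -join ', ')"
        if ($v.TrustedRootCA.Count -eq 0) {
            Write-Host '  No TrustedRootCA pinned: server certificate validation is not restricted.'
        } else {
            Test-TrustedRootPresent -Thumbprint $v.TrustedRootCA
        }
    }
}

# Constructed sample (placeholder thumbprint, not a real CA) to show the parser offline:
$sample = [xml]@"
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <ServerValidation>
        <ServerNames>radius1.example.internal;radius2.example.internal</ServerNames>
        <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
      </ServerValidation>
    </EAPConfig></OneX>
  </security></MSM>
</LANProfile>
"@
Get-ProfileServerValidation -ProfileXml $sample

# On a real client, check the deployed profiles:
Test-WiredProfileTrust
```

The `ServerNames` list is what the Windows UI calls "Connect to these servers"; both RADIUS servers' names (or a pattern matching them) need to appear there, and the CA that issued their certificates must be in `LocalMachine\Root`, otherwise the client silently rejects the server certificate and the switch only sees an authentication timeout.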
