Access Manager > EAP-TLS Client Configuration. Step 6 is impossible?

Solved
Jhippleheuser
Here to help

Edit: I might be dumb, but I think this is an issue with the laptop being Intune-joined.


I feel like I'm going crazy trying to enable cert-based auth for my test network, because I keep going into my advanced Wi-Fi settings and trying to do what's shown below, and I can't get more than one Trusted Root CA enabled at a time. If I select two and click OK, one of them just de-selects, and I think that's the reason why I'm running into a TLS handshake problem when I attempt to connect.


Anyone else having this problem?

[Screenshot: image.png]


9 Replies
PhilipDAth
Kind of a big deal

You should definitely be able to select more than one certificate.


If this is a manual setup, I would untick "Verify the server's identity", and then get that working.

Once you have that base working, come back and add certificate validation.


Also note that I can only use "Simple certificate selection" without additional config maybe 50% of the time. If you only have one certificate in your user store, then no problems. Otherwise, you might need to add certificate selection criteria to make it choose the correct certificate.

Jhippleheuser
Here to help

So I've noticed that on my personal laptop I'm able to select multiple trusted CAs, but on any of my Intune-joined laptops I can select multiple, and when I go back in to verify the settings only one will stay selected.

I went and disabled verifying the server's identity and I'm still getting a TLS handshake failure. In my cert manager under Local Computer > Personal > Certificates I have several certificates for client auth. How do I go about selecting which certificate I want my laptop to present?

PhilipDAth
Kind of a big deal

Configure the certificate selection criteria here:

[Screenshot: PhilipDAth_0-1766780166531.png]

Often, matching the certificate issuer is sufficient.


Also, check the session log in Access Manager to see if it is giving any hints.

[Screenshot: PhilipDAth_1-1766780192527.png]

Have you uploaded your certificate issuer certificate (aka, your root CA) into Access Manager?

[Screenshot: PhilipDAth_2-1766780249682.png]

Jhippleheuser
Here to help

The problem I'm running into is that in that screenshot, under "Trusted Root Certification Authorities", I'm only able to select one, and not multiple. If I select my custom root CA and the IdenTrust root CA, one of them will be de-selected when I go back into the settings.

PhilipDAth
Kind of a big deal

That is not normal. Can you try on a different Windows machine?

Jhippleheuser
Here to help

I just set up a brand new Windows 11 machine and I'm seeing the same result. It's completely fresh OOB with no Intune joining, and all updates are complete.

Jhippleheuser
Here to help

So it turns out my test laptop just will not, for some reason, authenticate. I grabbed a brand new laptop, joined it via Intune, it has the exact same root, intermediate, and its own leaf certificates, and it authenticated right away.

When I check the logs, the computer that is authenticating correctly shows its username as what's in the subject common name field, but the computer that's failing is showing its username as what's in the SAN: DNS field. I'm currently trying to figure out why that's happening, but you were right: it was a computer issue and nothing to do with the configs, as far as I can tell.

Jhippleheuser
Here to help

One last update in case this helps anyone in the future. I've found the reason why my Lenovo T480 laptops were failing. For any laptops that use either the Wireless-AC 8265 or 8260 NICs, there is a bug with how Windows handles key delivery to the NIC using the latest drivers. I wasn't able to test with older drivers because I couldn't find them, but the next easiest solution was to go into the registry and modify the key at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003

Open the key and remove the following signatures:

    RSAE-PSS/SHA256
    RSAE-PSS/SHA384
    RSAE-PSS/SHA512

After deleting those signatures and rebooting the computer, it worked flawlessly.
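The registry edit above, scripted as an added example (not code from the thread or from Meraki): it backs up the current list, removes only the three RSAE-PSS entries named in the post, and supports -WhatIf so the change can be previewed first. It assumes the signature-scheme list is stored in a REG_MULTI_SZ value named Functions under that key, and must run in an elevated PowerShell session; removing these entries disables RSA-PSS signature schemes for all Schannel TLS on the host, not just Wi-Fi, so scope it to the affected models.

```powershell
# Key path is the one quoted in the post; the value name "Functions" is an assumption.
$Key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003'
$Value    = 'Functions'
$ToRemove = @('RSAE-PSS/SHA256', 'RSAE-PSS/SHA384', 'RSAE-PSS/SHA512')

function Get-SchannelSignatureSchemes {
    # Returns the current list of TLS signature schemes as a string array.
    [string[]](Get-ItemProperty -Path $Key -Name $Value).$Value
}

function Remove-RsaePssSchemes {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $current = Get-SchannelSignatureSchemes
    $present = $current | Where-Object { $ToRemove -contains $_ }
    if (-not $present) {
        Write-Host "No RSAE-PSS entries found; nothing to change."
        return
    }

    # Keep a plain-text backup so the original list can be restored later.
    $backup = Join-Path $env:TEMP ('ssl-00010003-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    $current | Set-Content -Path $backup

    $remaining = $current | Where-Object { $ToRemove -notcontains $_ }
    if ($PSCmdlet.ShouldProcess($Key, "Remove $($present -join ', ') from $Value")) {
        Set-ItemProperty -Path $Key -Name $Value -Value ([string[]]$remaining) -Type MultiString
        Write-Host "Removed: $($present -join ', ')"
        Write-Host "Backup written to $backup. Reboot for Schannel to pick up the change."
    }
}

function Restore-SchannelSignatureSchemes {
    # Restores the list from a backup file written by Remove-RsaePssSchemes.
    param([Parameter(Mandatory)][string]$BackupPath)
    $saved = [string[]](Get-Content -Path $BackupPath)
    Set-ItemProperty -Path $Key -Name $Value -Value $saved -Type MultiString
    Write-Host "Restored $($saved.Count) entries from $BackupPath. Reboot to apply."
}

Remove-RsaePssSchemes -WhatIf   # preview only; drop -WhatIf to apply
```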

PhilipDAth
Kind of a big deal

Wow! Great find.