Meraki

Community

802.1X authentication failure with workstations on Windows 11

rhamersley
Getting noticed
‎Dec 14 2023 1:23 PM
‎Dec 14 2023 1:23 PM

802.1X authentication failure with workstations on Windows 11

Currently we are noticing some users that upgraded to Windows 11 are now unable to connect to our switches using 802.1X authentication.   

 

Is there any documentation that is out there to fix this issue.   I had to change  my switch ports from 802.1X authentication policy to "Open".   Not the most secure when doing that.  

 

Also the Windows 11 users are unable to connect to the 802.1X authentication to our corporate WIFI.    

 

We have 175 users on windows 10 all work and connect using 802.1X authentication and the only 5 Windows 11 users in our environment cannot connect using 802.1X authentication.   

 

RADIUS server authentication using Active Directory credentials works fine.

 

Windows 11 is doing something to affect the 802.1X authentication.   That is what we need to find out or is there any documentation fixing this issue.

 

 

Labels:
0 Kudos
16 Replies 16
RaphaelL
Kind of a big deal
Kind of a big deal
‎Dec 14 2023 2:13 PM
‎Dec 14 2023 2:13 PM

What are the logs showing on the switch and the radius server?

 

Have you taken a packet capture ?

0 Kudos
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Dec 15 2023 6:53 AM
‎Dec 15 2023 6:53 AM

What kind of authentication are you using. It sounds like username / password?! Which RADIUS server are you using?

0 Kudos
In response to CptnCrnch
rhamersley
Getting noticed
‎Dec 15 2023 8:02 AM
‎Dec 15 2023 8:02 AM

We are using 802.1x authentication configuration with a RADIUS server and currently working for all our Windows 10 users.   We have no issues at all.   But once we upgraded 5 users to windows 11 they cannot connect anymore using 802.1x authentication.   I have to move the Meraki switch port back to "Open" and disable our corporate WIFI using the 802.1x Authentication.

 

Radius server network policy config:

rhamersley_0-1702656083159.png

 

The big question here what changes need to be made in Windows 11 to allow this 802.1x authentication to complete    

 

OR

 

Is there something on Meraki side that needs to be changed to allow for Windows 11 workstations.

 

0 Kudos
In response to rhamersley
Crocker
A model citizen
‎Dec 15 2023 2:55 PM
‎Dec 15 2023 2:55 PM

Are the users themselves authenticating via 802.1X, or is the computer authenticating via 802.1X using something like a machine certificate?

 

We use computer auth via machine certificate, and had some trouble with Windows 11 in-place upgrades. It had to do with part of the upgrade process (a task sequence via MECM, I believe) performing a NIC driver upgrade as part of the task sequence. This NIC driver update wiped out the 802.1X machine authentication settings that we applied to the "ethernet" connection via Group Policy. Once the settings were wiped, the machine would get kicked off the network, thus group policy couldn't enforce the 802.1X configuration. Bit of a catch22. 

 

Our MECM admin ended up adding a step to the task sequence to force the settings back into place after the NIC driver was upgraded.

 

A more general, common culprit is that the "Wired Autoconfig" service can get disabled, it's worth checking if that's what's going on.

 

EDIT: After re-reading your initial post, I wonder if  these are in-place upgrades or are these wipe-> fresh images? If these are being wiped and given a fresh image, are you re-applying the 802.1X configuration in Windows?

In response to Crocker
RaphaelL
Kind of a big deal
Kind of a big deal
‎Dec 15 2023 3:52 PM
‎Dec 15 2023 3:52 PM

Like Crocker mentionned , this mostly look like a client side issue.

0 Kudos
In response to Crocker
rhamersley
Getting noticed
‎Dec 18 2023 8:49 AM
‎Dec 18 2023 8:49 AM

Yes we are using machine assigned certificates for our authentication with 802.1X.   Do you have any type of screen shots from your settings for your network adapter settings in Windows 11?

0 Kudos
In response to rhamersley
Crocker
A model citizen
‎Dec 19 2023 8:23 AM
‎Dec 19 2023 8:23 AM

This is the document our Active Directory/Group Policy folks followed to set the adapter settings:

 

Windows 10 802.1x Wired Authentication - IST Knowledge Base - Confluence (atlassian.net)

Note - Where it says to select User Authentication, use Machine Authentication

 

Edit: Better link

0 Kudos
In response to Crocker
rhamersley
Getting noticed
‎Dec 19 2023 1:06 PM
‎Dec 19 2023 1:06 PM

Crocker - I am looking for Windows 11 802.1X Wired authentication....Have you tested the correct configuration for Windows 11?    

 

In my environment Windows 10 works perfectly for wired connection, but its only our Windows 11 users are not able to successfully authenticate using 802.1x.

0 Kudos
NH
Comes here often
‎Dec 18 2023 9:03 AM
‎Dec 18 2023 9:03 AM

@rhamersley 

 

This is one of the solutions so far, we had the same issue, and it is tied to a Microsoft Windows update for Windows 11 22H2. You might notice that there is already a LsaCfgFlags with Default at the beginning. 

 

Open Registry Editor with Run as Administrator option

  1. Go to path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  2. Create a new DWORD LsaCfgFlags and set it to 0
  3. Restart the device.
0 Kudos
In response to NH
rhamersley
Getting noticed
‎Dec 19 2023 10:21 AM
‎Dec 19 2023 10:21 AM

NH....This worked perfectly to authenticating to 802.1X to our wireless network.   But our Windows 11 wired connected users are still unable to authenticate to 802.1X.    Did you run into this issue also?

0 Kudos
In response to rhamersley
NH
Comes here often
‎Dec 20 2023 9:33 AM
‎Dec 20 2023 9:33 AM

No issues with the wired; it was only with the wireless. You might have a Group Policy or configurations that are causing the authentication failures. Check the reasons for the failures in the event logs of the affected machines (Windows 11).

0 Kudos
DeanN
Comes here often
‎Mar 1 2024 1:40 AM
‎Mar 1 2024 1:40 AM

any update to this issue? I have the identical issue with the same setup and currently applying the same solution "Open Port"

0 Kudos
NH
Comes here often
‎Mar 1 2024 5:42 AM
‎Mar 1 2024 5:42 AM

Hey @DeanN 

We couldn't find any other solution except this Registry changes on the end user's PC.

 

Open Registry Editor with Run as Administrator option

  1. Go to path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  2. Create a new DWORD LsaCfgFlags and set it to 0
  3. Restart the device.

Hope this helps.

 

0 Kudos
In response to NH
DeanN
Comes here often
‎Mar 1 2024 6:35 AM
‎Mar 1 2024 6:35 AM

If you trust the port that the windows 11 pc connects too? I haven't tried it just checking if anyone did.

0 Kudos
In response to DeanN
DeanN
Comes here often
‎Jun 10 2024 8:16 AM
‎Jun 10 2024 8:16 AM

The issue that I found was that Device guard was enabled on windows 11. Disabled device guard via GPO and the issue was resolved. PC had to be rebooted after the port was changed back to 802.1x.

0 Kudos
meiokilo011
New here
‎Jun 10 2024 6:08 AM
‎Jun 10 2024 6:08 AM

the solution found in our organization was to insert the certificate of the RADIUS servers via GPO for wired clients, and in the connection profile, mark both servers as trusted

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.