Windows 11 Cannot Connect to Wifi

DerikA
Getting noticed

Windows 11 Cannot Connect to Wifi

I have the wireless network set up using RADIUS authentication as documented here:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

We are have user auth setup and using a Windows Group Policy so people don't have to enter there credentials every time and it has been working great. Then Windows 11 shows up and the things fell apart. If I try to connect using the wireless profile pushed by Active Directory the laptop give a message saying "Can't Connect to this Network" but if I find the hidden network and manually connect I can.

 

RADIUS shows the following for logging:

<Event><Timestamp data_type="4">01/06/2022 14:36:42.879</Timestamp><Computer-Name data_type="1">DC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">host/LAPTOP.CompanyName.local</User-Name><NAS-IP-Address data_type="3">1.1.2.241</NAS-IP-Address><NAS-Identifier data_type="1">00-00-00-00-00-13:vap3</NAS-Identifier><NAS-Port-Type data_type="0">19</NAS-Port-Type><Service-Type data_type="0">2</Service-Type><NAS-Port data_type="0">1</NAS-Port><Calling-Station-Id data_type="1">AC-74-B1-D9-E5-2C</Calling-Station-Id><Connect-Info data_type="1">CONNECT 54.00 Mbps / 802.11ac / RSSI: 54 / Channel: 44</Connect-Info><Acct-Session-Id data_type="1">9338353FC94ADA5F</Acct-Session-Id><Acct-Multi-Session-Id data_type="1">40797C9BB742FADC</Acct-Multi-Session-Id><Vendor-Specific data_type="2">000073E70217466172676F20436F7270202D20776972656C657373</Vendor-Specific><Vendor-Specific data_type="2">000073E7030F495420526F6F6D20466172676F</Vendor-Specific><Vendor-Specific data_type="2">000073E7040B20436F727020495420</Vendor-Specific><Called-Station-Id data_type="1">00-00-00-00-00-13:CompanyName</Called-Station-Id><Vendor-Specific data_type="2">000073E7010F495420526F6F6D20466172676F</Vendor-Specific><Framed-MTU data_type="0">1400</Framed-MTU><Client-IP-Address data_type="3">1.1.2.241</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Legacy Wireless Subnets</Client-Friendly-Name><Proxy-Policy-Name data_type="1">CompanyName</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CompanyName\LAPTOP$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">CompanyName\LAPTOP$</Fully-Qualifed-User-Name><Class data_type="1">311 1 1.1.1.6 01/01/2022 21:51:31 87093</Class><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">CompanyName</NP-Policy-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/06/2022 14:36:42.879</Timestamp><Computer-Name data_type="1">DC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 1.1.1.6 01/01/2022 21:51:31 87093</Class><Session-Timeout data_type="0">30</Session-Timeout><Acct-Session-Id data_type="1">9338353FC94ADA5F</Acct-Session-Id><NP-Policy-Name data_type="1">CompanyName</NP-Policy-Name><Authentication-Type data_type="0">5</Authentication-Type><Client-IP-Address data_type="3">1.1.2.241</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Legacy Wireless Subnets</Client-Friendly-Name><Proxy-Policy-Name data_type="1">CompanyName</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CompanyName\LAPTOP$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">CompanyName\LAPTOP$</Fully-Qualifed-User-Name><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/06/2022 14:36:42.910</Timestamp><Computer-Name data_type="1">DC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><NAS-IP-Address data_type="3">1.1.2.241</NAS-IP-Address><NAS-Identifier data_type="1">00-00-00-00-00-13:vap3</NAS-Identifier><NAS-Port-Type data_type="0">19</NAS-Port-Type><Service-Type data_type="0">2</Service-Type><NAS-Port data_type="0">1</NAS-Port><Calling-Station-Id data_type="1">AC-74-B1-D9-E5-2C</Calling-Station-Id><Connect-Info data_type="1">CONNECT 54.00 Mbps / 802.11ac / RSSI: 54 / Channel: 44</Connect-Info><Acct-Session-Id data_type="1">9338353FC94ADA5F</Acct-Session-Id><Acct-Multi-Session-Id data_type="1">40797C9BB742FADC</Acct-Multi-Session-Id><Vendor-Specific data_type="2">000073E70217466172676F20436F7270202D20776972656C657373</Vendor-Specific><Vendor-Specific data_type="2">000073E7030F495420526F6F6D20466172676F</Vendor-Specific><Vendor-Specific data_type="2">000073E7040B20436F727020495420</Vendor-Specific><Called-Station-Id data_type="1">00-00-00-00-00-13:CompanyName</Called-Station-Id><Vendor-Specific data_type="2">000073E7010F495420526F6F6D20466172676F</Vendor-Specific><Framed-MTU data_type="0">1400</Framed-MTU><Client-IP-Address data_type="3">1.1.2.241</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Legacy Wireless Subnets</Client-Friendly-Name><User-Name data_type="1">host/LAPTOP.CompanyName.local</User-Name><Proxy-Policy-Name data_type="1">CompanyName</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CompanyName\LAPTOP$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">CompanyName\LAPTOP$</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">CompanyName</NP-Policy-Name><Class data_type="1">311 1 1.1.1.6 01/01/2022 21:51:31 87094</Class><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/06/2022 14:36:42.910</Timestamp><Computer-Name data_type="1">DC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 1.1.1.6 01/01/2022 21:51:31 87094</Class><Acct-Session-Id data_type="1">9338353FC94ADA5F</Acct-Session-Id><Session-Timeout data_type="0">30</Session-Timeout><NP-Policy-Name data_type="1">CompanyName</NP-Policy-Name><Client-IP-Address data_type="3">1.1.2.241</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Legacy Wireless Subnets</Client-Friendly-Name><Proxy-Policy-Name data_type="1">CompanyName</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CompanyName\LAPTOP$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">CompanyName\LAPTOP$</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/06/2022 14:36:42.942</Timestamp><Computer-Name data_type="1">DC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><NAS-IP-Address data_type="3">1.1.2.241</NAS-IP-Address><NAS-Identifier data_type="1">00-00-00-00-00-13:vap3</NAS-Identifier><NAS-Port-Type data_type="0">19</NAS-Port-Type><Service-Type data_type="0">2</Service-Type><NAS-Port data_type="0">1</NAS-Port><Calling-Station-Id data_type="1">AC-74-B1-D9-E5-2C</Calling-Station-Id><Connect-Info data_type="1">CONNECT 54.00 Mbps / 802.11ac / RSSI: 54 / Channel: 44</Connect-Info><Acct-Session-Id data_type="1">9338353FC94ADA5F</Acct-Session-Id><Acct-Multi-Session-Id data_type="1">40797C9BB742FADC</Acct-Multi-Session-Id><Vendor-Specific data_type="2">000073E70217466172676F20436F7270202D20776972656C657373</Vendor-Specific><Vendor-Specific data_type="2">000073E7030F495420526F6F6D20466172676F</Vendor-Specific><Vendor-Specific data_type="2">000073E7040B20436F727020495420</Vendor-Specific><Called-Station-Id data_type="1">00-00-00-00-00-13:CompanyName</Called-Station-Id><Vendor-Specific data_type="2">000073E7010F495420526F6F6D20466172676F</Vendor-Specific><Framed-MTU data_type="0">1400</Framed-MTU><Client-IP-Address data_type="3">1.1.2.241</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Legacy Wireless Subnets</Client-Friendly-Name><User-Name data_type="1">host/LAPTOP.CompanyName.local</User-Name><Proxy-Policy-Name data_type="1">CompanyName</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CompanyName\LAPTOP$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">CompanyName\LAPTOP$</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">CompanyName</NP-Policy-Name><Class data_type="1">311 1 1.1.1.6 01/01/2022 21:51:31 87095</Class><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/06/2022 14:36:42.942</Timestamp><Computer-Name data_type="1">DC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 1.1.1.6 01/01/2022 21:51:31 87095</Class><Session-Timeout data_type="0">30</Session-Timeout><Acct-Session-Id data_type="1">9338353FC94ADA5F</Acct-Session-Id><NP-Policy-Name data_type="1">CompanyName</NP-Policy-Name><Authentication-Type data_type="0">5</Authentication-Type><Client-IP-Address data_type="3">1.1.2.241</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Legacy Wireless Subnets</Client-Friendly-Name><Proxy-Policy-Name data_type="1">CompanyName</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CompanyName\LAPTOP$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">CompanyName\LAPTOP$</Fully-Qualifed-User-Name><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/06/2022 14:36:42.989</Timestamp><Computer-Name data_type="1">DC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><NAS-IP-Address data_type="3">1.1.2.241</NAS-IP-Address><NAS-Identifier data_type="1">00-00-00-00-00-13:vap3</NAS-Identifier><NAS-Port-Type data_type="0">19</NAS-Port-Type><Service-Type data_type="0">2</Service-Type><NAS-Port data_type="0">1</NAS-Port><Calling-Station-Id data_type="1">AC-74-B1-D9-E5-2C</Calling-Station-Id><Connect-Info data_type="1">CONNECT 54.00 Mbps / 802.11ac / RSSI: 54 / Channel: 44</Connect-Info><Acct-Session-Id data_type="1">9338353FC94ADA5F</Acct-Session-Id><Acct-Multi-Session-Id data_type="1">40797C9BB742FADC</Acct-Multi-Session-Id><Vendor-Specific data_type="2">000073E70217466172676F20436F7270202D20776972656C657373</Vendor-Specific><Vendor-Specific data_type="2">000073E7030F495420526F6F6D20466172676F</Vendor-Specific><Vendor-Specific data_type="2">000073E7040B20436F727020495420</Vendor-Specific><Called-Station-Id data_type="1">00-00-00-00-00-13:CompanyName</Called-Station-Id><Vendor-Specific data_type="2">000073E7010F495420526F6F6D20466172676F</Vendor-Specific><Framed-MTU data_type="0">1400</Framed-MTU><Client-IP-Address data_type="3">1.1.2.241</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Legacy Wireless Subnets</Client-Friendly-Name><User-Name data_type="1">host/LAPTOP.CompanyName.local</User-Name><Proxy-Policy-Name data_type="1">CompanyName</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CompanyName\LAPTOP$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">CompanyName\LAPTOP$</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">CompanyName</NP-Policy-Name><Class data_type="1">311 1 1.1.1.6 01/01/2022 21:51:31 87096</Class><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/06/2022 14:36:42.989</Timestamp><Computer-Name data_type="1">DC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 1.1.1.6 01/01/2022 21:51:31 87096</Class><Session-Timeout data_type="0">30</Session-Timeout><Acct-Session-Id data_type="1">9338353FC94ADA5F</Acct-Session-Id><NP-Policy-Name data_type="1">CompanyName</NP-Policy-Name><Authentication-Type data_type="0">5</Authentication-Type><Client-IP-Address data_type="3">1.1.2.241</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Legacy Wireless Subnets</Client-Friendly-Name><Fully-Qualifed-User-Name data_type="1">CompanyName\LAPTOP$</Fully-Qualifed-User-Name><Proxy-Policy-Name data_type="1">CompanyName</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CompanyName\LAPTOP$</SAM-Account-Name><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/06/2022 14:36:43.020</Timestamp><Computer-Name data_type="1">DC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><NAS-IP-Address data_type="3">1.1.2.241</NAS-IP-Address><NAS-Identifier data_type="1">00-00-00-00-00-13:vap3</NAS-Identifier><NAS-Port-Type data_type="0">19</NAS-Port-Type><Service-Type data_type="0">2</Service-Type><NAS-Port data_type="0">1</NAS-Port><Calling-Station-Id data_type="1">AC-74-B1-D9-E5-2C</Calling-Station-Id><Connect-Info data_type="1">CONNECT 54.00 Mbps / 802.11ac / RSSI: 54 / Channel: 44</Connect-Info><Acct-Session-Id data_type="1">9338353FC94ADA5F</Acct-Session-Id><Acct-Multi-Session-Id data_type="1">40797C9BB742FADC</Acct-Multi-Session-Id><Vendor-Specific data_type="2">000073E70217466172676F20436F7270202D20776972656C657373</Vendor-Specific><Vendor-Specific data_type="2">000073E7030F495420526F6F6D20466172676F</Vendor-Specific><Vendor-Specific data_type="2">000073E7040B20436F727020495420</Vendor-Specific><Called-Station-Id data_type="1">00-00-00-00-00-13:CompanyName</Called-Station-Id><Vendor-Specific data_type="2">000073E7010F495420526F6F6D20466172676F</Vendor-Specific><Framed-MTU data_type="0">1400</Framed-MTU><Client-IP-Address data_type="3">1.1.2.241</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Legacy Wireless Subnets</Client-Friendly-Name><User-Name data_type="1">host/LAPTOP.CompanyName.local</User-Name><Proxy-Policy-Name data_type="1">CompanyName</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CompanyName\LAPTOP$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">CompanyName\LAPTOP$</Fully-Qualifed-User-Name><NP-Policy-Name data_type="1">CompanyName</NP-Policy-Name><Class data_type="1">311 1 1.1.1.6 01/01/2022 21:51:31 87097</Class><Authentication-Type data_type="0">11</Authentication-Type><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/06/2022 14:36:43.020</Timestamp><Computer-Name data_type="1">DC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 1.1.1.6 01/01/2022 21:51:31 87097</Class><Authentication-Type data_type="0">11</Authentication-Type><Acct-Session-Id data_type="1">9338353FC94ADA5F</Acct-Session-Id><NP-Policy-Name data_type="1">CompanyName</NP-Policy-Name><Fully-Qualifed-User-Name data_type="1">CompanyName\LAPTOP$</Fully-Qualifed-User-Name><Client-IP-Address data_type="3">1.1.2.241</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Legacy Wireless Subnets</Client-Friendly-Name><SAM-Account-Name data_type="1">CompanyName\LAPTOP$</SAM-Account-Name><Proxy-Policy-Name data_type="1">CompanyName</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">265</Reason-Code></Event>

 

Meraki shows:

 

Connection start time Client device AP SSID Failure stage Failure reason

Thu Jan 6, 2022, 14:37:02ac:74:b1:d9:e5:2cIT Room FargoMAGNUMAuthentication
Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='7' first_time='0.012763271' associated='false' radio='1' vap='3'
Thu Jan 6, 2022, 14:35:03ac:74:b1:d9:e5:2cIT Room FargoMAGNUMAuthentication
Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='7' first_time='0.014429834' associated='false' radio='1' vap='3'
Thu Jan 6, 2022, 14:31:06ac:74:b1:d9:e5:2cIT Room FargoMAGNUMAuthentication
Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='7' first_time='0.014113104' associated='false' radio='1' vap='3'
Thu Jan 6, 2022, 14:28:45ac:74:b1:d9:e5:2cIT Room FargoMAGNUMAuthentication
Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='7' first_time='0.015952355' associated='false' radio='1' vap='3'
Thu Jan 6, 2022, 14:27:05ac:74:b1:d9:e5:2cIT Room FargoMAGNUMAuthentication
Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='7' first_time='0.016288354' associated='false' radio='1' vap='3'
Thu Jan 6, 2022, 14:25:55ac:74:b1:d9:e5:2cIT Room FargoMAGNUMAuthentication
Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='7' first_time='0.017201979' associated='false' radio='1' vap='3'

 

I am not finding any useful information in system logs on the laptop but I am no expert at digging through windows logs so I may be missing something.


Thank you in advance for any suggestions on how to resolve this.

3 REPLIES 3
Rastiy
New here

We had a similar issue after upgrading to Win 11, PC try to connect to WiFI showing "Can't Connect to this Network"

the WiFi uses Radius to authenticate.

 

Below is the solution that worked for us.

 

 

  1. Open Registry Editor with Run as Administrator option
  2. Go to path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Create a new DWORD LsaCfgFlags and set it to 0
  4. Restart the device.

 

Hope that helps.

ToddQuinn
Conversationalist

This fixed our problem. After some additional digging, in our case, we found that the "LsaCfgFlags" DWORD was already in the registry, but misspelled! Microsoft created it as "LsaCfgFlagsDefault" which is worthless. It was intended to be the keyword mentioned in the solution which sets the status of the enhanced security feature "Credential Guard". You can read about what it does here... https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-devi...

 

With the "LsaCfgFlags" value not set (because it was created incorrectly by Microsoft), the "Credential Guard" feature is enabled and interferes with sending at least Computer credentials to the native Windows Dot1X supplicant and apparently aborts the authentication attempt before it completes. When Microsoft states that the default is "Off", they are assuming the LsaCfgFlags value is there and set to "zero" - which it is not with an out-of-the box install.

 

WB
Getting noticed

I noted on that last line that reason code 265 was given which links to "The certificate chain was issued by an authority that is not trusted."

 

There has been commentary around Credential Guard (enabled by default in W11 Education & Enterprise) blocking machine auth methods, but I'm note sure if this blocks manual connections.

 

I had a look around and found this post on the MS community, different NPS code but notably a comment saying:

 

"The computers would not authenticate automatically, but when following the dialog boxes we could get them to authenticate by manually telling the computer to try...."

 

"Our Windows 10 computers worked without flaws. After reading this thread I decided to check my Group Policy and the only difference is that I was not specifying the servers they could authenticate to, so I was not having the problem with the case mismatch. I found the fix to be checking the box next to my domain CA in the Trusted Root Certification Authorites section below the box where you can specify which servers to connect to."

Another external thread I found also talked about case mismatch:

 

"We had a GPO that pushed out the Cert to the clients and our NPS server was lowercase in that GPO and the server end is capitalized. It was never an issue with the Windows 10 machines but I guess Windows 11 has some additional security that capitalization matters. Was an easy fix but not an obvious one."

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels