This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 96%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Hi
I'm currently testing FreeRadius in order to replace Windows NPS as it's not compliant with Windows 11 security hardening (TLS 1.3 by default, Credential Guard active ...). (At the moment, we won't disable TLS 1.3 and/or credential guard through GPO as we'd like to respect Microsoft standards and settings.)
I'm struggling since weeks as you can see here and here for further details.
As a brief, Windows 11 802.1X clients have GPO applied that allow EAP-TLS using user certificate. Certificate are delivered within auto-enrolment process within our Active Directory and our on prem PKI (Windows too). GPO is applied and enforced on the client, currently no issue with that.
According to this Microsoft KB , server but also client certificate should respect some requirements (especially on EKUs) which I do respect at the same time for my freeradius certificate + my Windows 11 client certificate.
At the moment, i'm still in a loop where Windows 11 client and FreeRadius server send each others Access-Request / Access-Challenge, but it never ends...
I had a look to CAPI2 logs and WLAN-AutoConfig but nothing gone wrong (except timeout due to the Access loop...). Also, using eapol_test cli from Linux with user certificate + private key from our PKI, works perfectly. Using same CLI and/or same user certificate from Windows => it loops again and again and again.
According to this post, it seems that Windows doesn't handle correctly information from server certificate.
Is there any debug ideas and/or fix you guys may advise ?
thanks a lot !
Gael
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 12%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBA%3C/text%3E%3C/svg%3E)
We are having a similar issue with both EAP-TLS (user certificate) and TEAP. Best we can tell, the profiles are not being created correctly. Here are the ServerValidation excerpts from identical configurations on both Windows 10 and Windows 11:
Windows 10:
<ServerValidation><TrustedRootCAHash>d6 1e 6 f2 19 26 ec 7b 48 6f 68 a1 d4 16 9c 6d a9 89 b2 47 46 3a 5 c1 f8 1f f7 7f 7b 4e 41 4</TrustedRootCAHash><DisablePrompt>false</DisablePrompt><DownloadTrustedServerRoot>false</DownloadTrustedServerRoot></ServerValidation>
Windows 11:
<ServerValidation><TrustedRootCAHash>fd 2b d3 57 2d 9a 2d c6 82 46 52 fd 9c 75 9c e9 61 34 8d 66</TrustedRootCAHash><DisablePrompt>false</DisablePrompt><DownloadTrustedServerRoot>false</DownloadTrustedServerRoot></ServerValidation>
Windows 10 creates a SHA256 hash of the selected CA, where Windows 11 creates a SHA1 hash. Best we can tell, based on this document, the SHA256 TrustedRootCAHash is required for TEAP (see image).
We have tried substituting the SHA1 value in the Windows 11 profile for the SHA256 value, but have the same result in Windows 11. Windows 11 fails to validate and trust the server certificate and will not complete the TLS handshake and proceed to the identity exchange phase.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 10%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Interesting, would be interesting to see the network profile configuration on GPO. Saw serverfault posts as well, If it works on other OSs. It should be either the EAP-TLS 1.3 on windows is broken or network profile is not configured properly.
Interesting you got the user certificate problem sorted out, for me the user certificates are not getting dynamically issued to new users, How did you get around solving that?