Forum Discussion
Windows 11 and NPS authentication issue
Hi everyone,
I am in the process of testing Windows 11 23H2 and I am having an issue with RADIUS authentication. RADIUS authentication is working fine with Windows 10, so I know there is nothing wrong with the RADIUS. However, I have seen a lot of discussions online, and it looks like it is related to EAP types, with some claiming it's a TLS 1.3 related issue. Has anyone got it working, and if you did, can you please share your settings? My current test settings on the NPS end are as below.
And my GPO settings are as below.
I have all the name formats matching (upper case, lower case) for the server name and SSID names.
Thanks
1 Reply
- kyazaferr, Steel Contributor
1. EAP Type Compatibility
The first thing to verify is which EAP (Extensible Authentication Protocol) type you are using. Windows 11 might default to a different set of supported EAP types compared to Windows 10, and there could be changes in how the operating system handles certain types (such as PEAP or EAP-TLS).
- EAP-TLS: If you're using EAP-TLS, ensure that both the client certificate and CA certificate are correctly installed on the client machine.
- PEAP: If you're using PEAP with MS-CHAPv2 or EAP-MSCHAPv2, ensure that the NPS configuration is compatible with the Windows 11 settings.
2. TLS 1.3 Compatibility
There have been discussions about TLS 1.3 causing issues with older RADIUS/NPS implementations. If Windows 11 is using TLS 1.3 by default, while Windows 10 might be using TLS 1.2, this could potentially cause the authentication to fail on older NPS servers or configurations that do not fully support TLS 1.3.
Here’s what you can try to resolve this:
- Check NPS Configuration: Ensure that your NPS server supports TLS 1.3. Windows Server 2019 and newer versions have support for TLS 1.3, but older versions of NPS may not.
- Force TLS 1.2 on NPS: If TLS 1.3 is causing issues, consider forcing your NPS server to use TLS 1.2 for the RADIUS authentication process. This can often be configured in the registry on the NPS server or via settings in the RADIUS configuration.
  - Open the Registry Editor (regedit).
  - To enforce TLS 1.2 on the NPS server:
    - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
    - Create a key called TLS 1.2 under Protocols if it doesn’t exist.
    - Under TLS 1.2, create the following subkeys:
      - Client and Server
    - Set the Enabled DWORD value to 1 under both subkeys.
  - Restart the NPS service or the server for changes to take effect.
3. GPO Settings
It’s also essential to verify the GPO settings you have applied, especially when using EAP for wireless or VPN authentication. From your screenshots, ensure the following settings are configured properly:
- Allow Only Strong Authentication Methods: Ensure that MS-CHAPv2 or EAP-TLS is allowed in the GPO for Network Security: LAN Manager authentication level.
- Use Compatible EAP Types: If you're using EAP-TLS or PEAP, ensure that the EAP type is supported and correctly configured on both the client side and NPS side.
Here’s how you can configure GPO settings for EAP:
- Open Group Policy Management.
- Go to Computer Configuration > Policies > Administrative Templates > Network > Network Security.
- Set Enable IEEE 802.1X Authentication to Enabled if it’s disabled.
- Check the EAP settings under Wireless Network Policies if you're testing Wi-Fi.
Also, ensure that the client machine is up-to-date with the latest patches, as there could be a known issue in early versions of Windows 11 23H2 affecting RADIUS.
4. Checking Logs and Tracing
- NPS Logs: Check the NPS logs on the NPS server to see if there are any specific error messages related to the RADIUS authentication process. The logs are typically found in:
  - C:\Windows\System32\LogFiles\INETINFO
  - This will give you more specific details on what part of the process is failing.
- Event Logs on the Client: Check the Event Viewer on the Windows 11 client for any authentication or networking-related logs that could give you more information on the issue.
5. Test with a Minimal Configuration
To isolate the issue, try testing with a simpler authentication method like EAP-MSCHAPv2 or PEAP-MSCHAPv2 rather than EAP-TLS or other complex configurations. This helps determine if the issue lies with specific EAP settings or the overall RADIUS process.
Summary of Actions:
- Confirm EAP types and settings on both the client (Windows 11) and NPS server.
- Force TLS 1.2 on the NPS server if TLS 1.3 compatibility is causing issues.
- Verify GPO settings related to EAP and LAN Manager authentication levels.
- Check NPS logs and client logs for specific error messages.
- Test with simpler authentication methods (e.g., PEAP) to see if the issue is with the EAP type.
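
The registry steps from the reply above, as an added PowerShell example that is not part of the original thread: it reports the TLS 1.2 and TLS 1.3 SCHANNEL keys before anything is changed, then sets Enabled to 1 for TLS 1.2 under Client and Server as described. The function names are hypothetical; IAS is the service name of Network Policy Server. Run it elevated on the NPS server.

```powershell
# Added example, not from the thread. Function names are hypothetical.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Report the explicit registry state per protocol and role.
    # A $null Enabled/DisabledByDefault means no override: the OS default applies.
    param([string[]]$Protocol = @('TLS 1.2', 'TLS 1.3'))
    foreach ($p in $Protocol) {
        foreach ($role in 'Client', 'Server') {
            $key   = "$Base\$p\$role"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $p
                Role              = $role
                KeyExists         = Test-Path -Path $key
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    }
}

function Enable-SchannelTls12 {
    # Create the TLS 1.2\Client and TLS 1.2\Server keys if missing and set Enabled=1.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($role in 'Client', 'Server') {
        $key = "$Base\TLS 1.2\$role"
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled = 1 (DWORD)')) {
            # Only create the key when absent, so existing values are left in place.
            if (-not (Test-Path -Path $key)) {
                New-Item -Path $key -Force | Out-Null
            }
            New-ItemProperty -Path $key -Name 'Enabled' -Value 1 `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# 1. Record the current state (keep this output for rollback).
Get-SchannelProtocolState | Format-Table -AutoSize

# 2. Preview the change without writing anything.
Enable-SchannelTls12 -WhatIf

# 3. Apply, restart NPS, and confirm (uncomment when ready).
# Enable-SchannelTls12
# Restart-Service -Name IAS
# Get-SchannelProtocolState | Format-Table -AutoSize
```

The report includes the TLS 1.3 rows because the steps only write the TLS 1.2 keys; comparing both before and after shows exactly what the change did and did not touch.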