
So I've been trying to resolve 802.1X wired authentication issues for quite some time now with limited success. The environment is based on Server 2012, Enterasys NAC using EAP-TLS 1.2, with a relatively simple PKI infrastructure. We are running Windows 10 and Windows 7; Windows 7 authenticates fine every time. For some reason Windows 10 computers don't always authenticate properly.

Since we have a strict 802.1X policy, we do not allow LDAP or HTTP traffic to leave ports that are unauthenticated, which to me seems reasonable. The problem is that the clients are either not caching the CRL/OCSP results, or the lsass process is ignoring the local cache and going straight to the CDP servers.

This should all work fine, but it only intermittently authenticates. I looked at packet captures, and as soon as the switch sends the final part of its cert there is a lookup to the PKI server. I have looked through the System, Security, EapHost, NDIS, CAPI2, EapMethods-RasTls, LSA, Network Profile, NlaSvc, Wired-AutoConfig, and Application logs. None of the errors mention anything of use.

Additionally, the traffic from a computer that will authenticate and a computer that doesn't authenticate looks exactly the same except for the OCSP lookup on the PC that fails. They are all running the same Windows 10 Pro image, and it is affecting a variety of different types of hardware from different manufacturers. This also occurs even if I install from a 1803 Pro ISO from Microsoft. As soon as I join the domain and switch over to an 802.1X-enforced network, it fails authentication due to the CRL check.

Also worth noting that 802.1X EAP-TLS 1.2 works fine on WiFi, since it doesn't do revocation checking.

Any help would be appreciated!

yagmoth555
  • We are seeing almost this exact issue. Only fix we have found is to disable Server Certificate validation. – NitroXP Mar 26 '19 at 16:38

0 Answers
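The thread has no answer, so here is an added diagnostic script for the failure mode the question describes. It is not code from the original poster, the commenter, or Enterasys; it runs on the affected Windows 10 client, dumps the wired 802.1X profile's server-validation settings, lists the CRL/OCSP-related CAPI2 events from the last hour, and prints the four EAP-TLS client revocation registry values. Assumptions of mine: the wired adapter is named "Ethernet" (override with -Interface), the key HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 with the values IgnoreNoRevocationCheck, IgnoreRevocationOffline, NoRevocationCheck and NoRootRevocationCheck is the Microsoft-documented EAP-TLS client knob set, the CAPI2 filter is a keyword heuristic rather than a list of exact event IDs, and the script file name is hypothetical.

```powershell
<#
  Added diagnostic script (not from the original post). Run elevated on an affected Windows 10 client.
  Assumptions: wired NIC "Ethernet"; the RasMan\PPP\EAP\13 registry values below are the documented
  EAP-TLS client revocation knobs; CAPI2 events are matched by keyword (heuristic, not exact IDs).
  Hypothetical file name: Check-Dot1xRevocation.ps1
#>
param(
    [string]$Interface = 'Ethernet',
    [switch]$ApplyWorkaround     # set IgnoreRevocationOffline=1 and restart the Wired AutoConfig service
)

$eapTlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
$knobs = 'IgnoreNoRevocationCheck', 'IgnoreRevocationOffline', 'NoRevocationCheck', 'NoRootRevocationCheck'

# --- 1. What does the wired profile ask the supplicant to validate? ---------------------------------
# The exported XML shows whether server validation is on and which trusted roots / server names apply.
$exportDir = Join-Path $env:TEMP 'lanprofile'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
netsh lan export profile folder="$exportDir" interface="$Interface" | Out-Null
Get-ChildItem -Path $exportDir -Filter *.xml | ForEach-Object {
    Write-Host "Wired profile: $($_.Name)"
    Select-String -Path $_.FullName -Pattern 'ServerValidation|TrustedRootCA|ServerNames|DisableUserPrompt' |
        ForEach-Object { Write-Host ('  ' + $_.Line.Trim()) }
}

# --- 2. Which revocation fetches did CAPI2 attempt in the last hour, and did any fail? -------------
# CAPI2 logging must already be enabled (wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true).
$since = (Get-Date).AddHours(-1)
$capi2 = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; StartTime = $since } `
            -ErrorAction SilentlyContinue
Write-Host 'CAPI2 revocation-related events (last hour):'
foreach ($ev in $capi2) {
    # The useful detail (URL, cache hit/miss, error code) lives in the event XML, not in Message.
    if ($ev.ToXml() -match 'CRL|OCSP|Revocation') {
        $status = if ($ev.Level -eq 2) { 'FAIL' } else { 'info' }   # Level 2 = Error
        Write-Host ('  {0} {1,-4} id={2} {3}' -f $ev.TimeCreated.ToString('HH:mm:ss'), $status, $ev.Id, $ev.TaskDisplayName)
    }
}

# --- 3. Current EAP-TLS client revocation knobs ----------------------------------------------------
Write-Host "EAP-TLS client revocation settings under $eapTlsKey :"
$current = Get-ItemProperty -Path $eapTlsKey -ErrorAction SilentlyContinue
foreach ($k in $knobs) {
    $v = if ($null -ne $current -and $null -ne $current.$k) { $current.$k } else { 'not set (default 0)' }
    Write-Host ('  {0,-26} = {1}' -f $k, $v)
}

# --- 4. Optional workaround that keeps server-certificate validation ------------------------------
# IgnoreRevocationOffline=1 makes the EAP-TLS client accept a chain whose CRL/OCSP source cannot be
# reached, while chain building, the trusted-root check and the server-name check stay in force.
# That is narrower than NoRevocationCheck=1 and far narrower than switching server validation off.
if ($ApplyWorkaround) {
    if (-not (Test-Path $eapTlsKey)) { New-Item -Path $eapTlsKey -Force | Out-Null }
    New-ItemProperty -Path $eapTlsKey -Name 'IgnoreRevocationOffline' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'Set IgnoreRevocationOffline=1; restarting the Wired AutoConfig service (dot3svc).'
    Restart-Service -Name dot3svc -Force
}
```

Run it once without switches on a failing client right after a failed attempt; a FAIL line in step 2 that names the CDP or OCSP URL confirms that the unauthenticated port is blocking the fetch rather than the client ignoring a cached result. If that is the case, the fix with the least security loss is to permit just the CDP/OCSP responder addresses from the unauthenticated port state so the supplicant can complete the check it is configured to do. Where that is not possible, `-ApplyWorkaround` tolerates an unreachable revocation source but still rejects an authenticator presenting a certificate from an untrusted CA or a wrong name, which the comment's approach of disabling server-certificate validation does not: with validation off, any device on the wire that speaks EAP-TLS can impersonate the switch and harvest the client's EAP exchange.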