This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 23%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJC%3C/text%3E%3C/svg%3E)
802.1X authentication fails in Windows 11 24H2, while the same configuration works correctly in Windows 10. This issue persists despite applying all necessary registry settings, manually loading EAP-GTC modules, and ensuring that authentication certificates meet security requirements.
Configure 802.1X authentication using PEAP(MSCHAPv2) or EAP-GTC on a wired connection. Ensure that the authentication process succeeds on Windows 10. Perform the same configuration on Windows 11 24H2 (build 26100 or later). Observe that authentication fails with repeating Request → Identity → Failure packets in Wireshark. Windows prompts with a "Sign in required" notification, but clicking "Sign in" does not open the authentication UI.
Our 3rd party Eap module loads in dllhost.exe, but the function EapPeerBeginSession() is never called in Windows 11. Event Viewer (EapHost Logs): No EapPeerBeginSession() logs, only GtcEapPeerGetIdentity() logs. Process Explorer: eaphost.exe, dllhost.exe loads EapGtc module, but the authentication UI (pfInvokeUI = TRUE) does not trigger.
DebugView++ Logs: dllhost.exe starts and stops immediately. Possible changes in EAPHost behavior prevent third-party EAP-GTC modules from properly triggering the authentication UI.
Is there no way to allow 802.1X authentication using 3rd party EAP modules in Windows 11 like in Windows 10? When I checked with Process Explorer, I found that the dllhost.exe process with the following COM classes is repeatedly launched/terminates.
COM Class:
ThirdPartyEapDispatcherPeerConfig
c:\windows\system32\eapp3hst.dll
Microsoft ThridPartyEapDispatcher
Microsoft Corporation
When I click the "Sign in" button when I get the "Sign in" notification, it just brings up the network settings window. It should pop up either the Windows login UI or the login UI of the 3rd party EAP module, like how Windows 10 behaves.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 12%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBA%3C/text%3E%3C/svg%3E)
I can confirm this issue and have narrowed it down to, what I believe, a root cause. (This is regarding the native supplicant, not a 3rd party).
When identically configuring Windows 10 and Windows 11 for TEAP, the exported profile's TrustedRootCAHash is SHA1 in Windows 11 and SHA256 in Windows 10. According to this, a SHA256 hash in the TrustedRootCAHash is required based on the statement "In XML, this is the SHA-1 thumbprint (hash) of the certificate (or SHA-256 for TEAP)."
We are seeing now similar behavior when using a User certificate for EAP-TLS.
Unfortunately, I have tried to import the network profile from Windows 10 into Windows 11, with no change. We have also tried a third-party provider. Our suspicion is an issue with CAPI2, but there are no corresponding events in the Event Viewer.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 6%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Hi Brian,
We have a fleet of Windows 11 laptops arriving preinstalled with 24H2 and none of them can connect to our WPA3 EAP-TLS SSID, based on the radius logs, the clients never send ClientHello.
However the same network profile works fine on Windows 11 23H2 and belower version devices.
Did you find any workaround for this ? Has Microsoft acknowledged this issue ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 32%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDJ%3C/text%3E%3C/svg%3E)
We are experiencing this same issue on 24H2 even with VBS / credential guard disabled. I haven't been able to get any of PEAP/TLS/TTLS/TEAP working for wired ethernet. Works fine on Win10 and Win11 pre-24H2, just not 24H2.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 90%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
I had do delete GPO/registry settings for EccCurves, now it works fine.
Please provide the procedure. I am interested to see if we can achieve the same result.
Delete all under this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
or i gpedit:
configure ECC Curve Order under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 36%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Hi Runsten,
Please forgive my ignorance, by "Configure" do you mean Enable? Setting is currently not configured on my machine.
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 54%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
It was some time ago, but if I recall correct, I had to delete the registry key AND set the GPO to Inactivate.
