Can't connect with EAP-TLS using Windows 10

Luca Franceschini 1 Reputation point
2022-09-09T13:50:29.537+00:00

I'm trying to connect to a WPA2-Enterprise wireless network using certificates (EAP-TLS) from Windows 10 but I can't and I don't know how to troubleshoot this.

I tried to create the connection both from Manage known networks > Add, and by manually creating a new wireless connection, same result.

Certificates are correctly installed, and I think they are correct since I can connect to the same network with the same certificates from an Android smartphone. They are self-signed certificates.

Windows only says "Can't connect to this network". The event viewer (more specifically, EapMethods-RasTls) reports the error "Authentication failed for EAP method type 13. The error was 0x54F." for which I can't find specific and useful info.

I can connect to other networks with the same adapter.

From the access point logs, it seems that the Windows 10 client simply disconnects half the way through the authentication process, after the RADIUS server sends the access challenge.

I also tried to force TLS 1.2 by editing the registry, no success either.

I tried to monitor traffic with Wireshark. If I don't explicitly tell Windows to use my self-signed certificate, it chooses the wrong one and the authorization correctly fails; I can see it in the access point's logs and in Wireshark. If however I set my self-signed certificate in the connection profile, the authorization process simply stops and the client disconnects without any error. So I guess there's something Windows doesn't like about these certificates... but I don't know what. They work for Android clients.

Not sure how to troubleshoot this further, any help would be much appreciated.


3 answers

  1. Limitless Technology 39,921 Reputation points
    2022-09-13T08:22:10.717+00:00

    Hi Luca,

    Please check if the EAP-TLS certification is enabled.

    To enable it, follow this process:

    Create an access point in the Connection settings. For WLAN security, choose 802.11. EAP-TLS etc. should show up in plugins etc. under this option. You'll need to switch tabs by pressing the right and left arrows to get to the EAP-TLS-specific settings. Remember to enable EAP-TLS with the left option key after you configure it.

    By default only two plugins are available.

    Here is the link for more information: https://support.microsoft.com/en-us/topic/windows-10-devices-can-t-connect-to-an-802-1x-environment-179ef277-e6ef-8ea3-cb0e-11a6b80fa955

    -----------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--


  2. Gary Nebbett 6,216 Reputation points
    2022-09-13T19:26:50.957+00:00

    Hello Luca,

    Error 0x54F possibly has the symbolic name ERROR_INTERNAL_ERROR. From the information available, I can't tell if this error occurs on the client or on the NPS/RADIUS server.

    I had some success helping someone else via a trace of the NPS server (this is the thread: https://learn.microsoft.com/en-us/answers/questions/953762/always-on-vpn-user-tunnel-error-812.html). Details of how to create a trace are included in the thread - we could try the same approach if you are willing to share the trace data.

    I could also try to work out a potentially useful set of Event Tracing for Windows (ETW) providers to trace on the client, in case the problem occurs there, but it currently seems more likely that the error occurs on the NPS server.

    Gary


  3. Luca Franceschini 1 Reputation point
    2022-09-16T15:17:29.283+00:00

    I was using FreeRADIUS, and missed an important bit of the readme: when using Windows clients, the .p12 user certificate (among those generated by FreeRADIUS) must be used. Indeed, that one works. Still, better diagnostics would have been useful...

    Thank you all for your help.

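The resolution above (the client only works once the .p12 bundle, which carries the private key, is imported) and the question's symptoms (an 0x54F event and a silent disconnect mid-handshake) both point at the client-side certificate. The following PowerShell script is an added example, not code from the thread or from FreeRADIUS: it lists the certificates in the current user's personal store with the properties Windows EAP-TLS cares about (a usable private key, the Client Authentication EKU, a chain that builds to a trusted root), decodes the 0x54F code, and pulls the recent EapMethods-RasTls events. The store paths, the function names and the RasTls log channel name are assumptions for this example.

```powershell
# Added diagnostic example (not from the original thread or from FreeRADIUS).
# Assumptions: the user certificate was imported into Cert:\CurrentUser\My (what a .p12
# import does) and the signing CA into a Root store; the RasTls event channel name is
# taken from the Event Viewer path mentioned in the question.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required on the EAP-TLS client cert

function Test-EapTlsClientCert {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Collect the Enhanced Key Usage OIDs, if the extension is present at all.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }

        # Build the chain the way the supplicant would; revocation is skipped because a
        # private, self-signed CA (as in the question) usually publishes no CRL.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainBuilds = $chain.Build($cert)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey          # false when only the .pem/.crt was imported
            ClientAuthEku = ($ekus -contains $ClientAuthOid)
            ChainBuilds   = $chainBuilds
            ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
    }
}

function Get-RasTlsEvents {
    param([int]$Last = 20)
    # Channel name assumed from the Event Viewer path "EapMethods-RasTls" in the question.
    Get-WinEvent -LogName 'Microsoft-Windows-EapMethods-RasTls/Operational' -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# 0x54F = 1359 = ERROR_INTERNAL_ERROR; Win32Exception turns the code into its message text.
$errorText = ([System.ComponentModel.Win32Exception]::new(0x54F)).Message
Write-Host "0x54F decodes to: $errorText"

Write-Host "`nCandidate client certificates in Cert:\CurrentUser\My:"
Test-EapTlsClientCert | Format-Table -AutoSize

Write-Host "`nRecent EapMethods-RasTls events:"
Get-RasTlsEvents | Format-List
```

Run it in a normal (non-elevated) PowerShell session as the user who will connect, since EAP-TLS user authentication reads Cert:\CurrentUser\My. A certificate that shows HasPrivateKey = False is the situation the accepted fix addresses: importing a bare certificate file gives Windows nothing it can sign the TLS handshake with, and the supplicant gives up without a clear error. ClientAuthEku = False or a ChainStatus of UntrustedRoot are the next two things to check before touching the RADIUS side.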
