Trouble with WPA2 with EAP and TLS 1.3

fast_eddye 0 Reputation points
2025-02-20T02:07:36.12+00:00

We have a working WPA2 wireless network with NPS/RADIUS solution with NPS 2022 Servers and Windows 11 clients. Cisco Wireless Controllers and APs with NPS Policy Authentication set as Microsoft: Smart Card or other certificate and devices are connecting fine with TLS 1.0, 1.1, and 1.2 independently. I have started testing TLS 1.3 and have been unable to get a Win11 client to connect.

NPS 2022 Server Event Log has an Audit Failure with "The client and server cannot communicate, because they do not possess a common algorithm."

NPS 2022 Servers have been set using IISCrypto best practices and from Win11 client I have enabled only TLS 1.3 along with best practices. Ciphers, hash, and cipher suites for TLS 1.3 show enabled in IISCrypto as well as manually checking the registry entries.

A Wireshark packet capture from the NPS 2022 Server shows the client request as Transport Layer Security with Version 1.2 (even though 1.3 is the only enabled version on the client) but then further down packet under Extension shows supported version 1.3.

Not sure if there may be something on the Win11 client that could prevent TLS 1.3 or prevent the 1.3 cipher suites from being sent, or possibly some issue with the certificate being used in the auth. The Wireshark capture doesn't quite seem to really tell why the TLS handshake is not completing. Open for suggestions on any other tools or troubleshooting tips. I have not had any luck searching the web to find information related to the issue I am seeing and what may be causing the authentication to fail with TLS 1.3.

Many Thanks.


3 answers

  1. Anonymous
    2025-03-06T02:37:14.8033333+00:00

    Hello,

    Please check the following configuration:

    Confirm that TLS 1.3 support for Windows 11 and NPS 2022 has been correctly enabled and all necessary updates have been installed.

    Check the password suite configuration on both the server and client to ensure that the TLS 1.3 suites are enabled and have the correct priority.

    Verify that the certificate configuration meets the requirements of TLS 1.3, including key type and signature algorithm.

    Check the configuration of the Cisco wireless controller to ensure that it allows EAP connections over TLS 1.3.

    Use more detailed logging, such as detailed logs from NPS or the Event Viewer on Windows clients, to look for more specific error messages.

    Use tools such as the Test-Tls function in PowerShell to test TLS 1.3 connections and rule out other factors outside of the wireless environment.

    I hope the information above is helpful.

    Best regards

    Zunhui


  2. fast_eddye 0 Reputation points
    2025-03-13T20:43:25.9333333+00:00

    Thanks so much for the reply

    I have verified on the Windows 11 device and NPS 2022 are up to date and TLS 1.3 is enabled.

    What is the password suite configuration that you referenced? Maybe cipher suites? I have verified the Cipher Suites are enabled and in the correct priority on both the Win 11 side and NPS 2022 side. Used the Get-TlsCipherSuite cmdlet in PowerShell.

    Cisco WLC does not really have any settings specific to TLS version. It is just forwarding and receiving the RADIUS requests from the client and NPS. We have WPA2 EAP-TLS working with 1.0, 1.1, and 1.2 so it is only related to 1.3.

    I have tried to find more useful debugs, logging, capture tools to help on both Win 11 side and NPS 2022 side but haven't come up with anything other than Wireshark, NetMon, and EventViewer. EventViewer on NPS 2022 logs "An TLS 1.2 connection request was received from a remote application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed." This is strange as the captures will show 1.3 in the EAP extensions supported version and shows the correct 2 cipher suites for 1.3. This is where I am having the most trouble determining if this issue is rooted on client or server side.

    I am not familiar with Test-Tls or its use in PowerShell. I have also tried searching for other tools to try to help rule out device or server side. Found something about wpa_supplicant but that is also something I am not familiar with how to put together.

    Thanks again.

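The detail fast_eddye reports in both posts (Wireshark shows "Version 1.2" on the ClientHello while the supported_versions extension lists 1.3 and the two TLS 1.3 suites) is exactly how a TLS 1.3 ClientHello is specified: RFC 8446 keeps the handshake's legacy_version at 0x0303 and moves the real offer into the supported_versions extension, so that field, not the outer version, says what the client is willing to negotiate. The decoder below is an added example, not code from the thread, from NPS or from Windows. It pulls those fields out of a ClientHello and then models the server's first decision (a common version, then a common suite valid for that version), which is the kind of mismatch behind "no common algorithm" style events. The ClientHello bytes and the server policies are constructed for the demo, and the function names (`build_client_hello`, `parse_client_hello`, `common_ground`) are chosen here.

```python
"""Minimal TLS ClientHello decoder (example code, not from the thread or Windows).

Shows why a TLS 1.3 ClientHello displays version 1.2 in the handshake header:
per RFC 8446 section 4.2.1 legacy_version stays 0x0303 and the offered versions
travel in the supported_versions extension (type 43).
"""
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
TLS13_SUITES = {0x1301, 0x1302, 0x1303}   # only valid when TLS 1.3 is negotiated
EXT_SUPPORTED_VERSIONS = 43


def build_client_hello(suites, offered_versions=None):
    """Construct a ClientHello record for the demo (constructed bytes, not a capture).

    offered_versions=None produces a pre-1.3 hello with no supported_versions extension.
    """
    body = struct.pack("!H", 0x0303)                       # legacy_version: always "1.2"
    body += b"\x11" * 32                                   # random (constructed filler)
    body += b"\x00"                                        # legacy_session_id: empty
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                    # compression_methods: [null]
    if offered_versions is not None:
        versions = b"".join(struct.pack("!H", v) for v in offered_versions)
        ext_data = struct.pack("!B", len(versions)) + versions
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16" + struct.pack("!H", 0x0303) + struct.pack("!H", len(handshake)) + handshake


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0], off + 2


def parse_client_hello(record):
    """Decode one ClientHello record; raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, off = _u16(record, 1)
    rec_len, off = _u16(record, off)
    end = off + rec_len
    if len(record) < end or record[off] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(record[off + 1:off + 4], "big")
    off += 4
    if off + hs_len > end:
        raise ValueError("truncated handshake")
    legacy_version, off = _u16(record, off)
    off += 32                                              # skip random
    off += 1 + record[off]                                 # skip session id
    cs_len, off = _u16(record, off)
    suites = [struct.unpack_from("!H", record, i)[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + record[off]                                 # skip compression methods
    supported = None
    if off < end:                                          # extensions block is optional
        ext_total, off = _u16(record, off)
        ext_end = off + ext_total
        while off + 4 <= ext_end:
            ext_type, off = _u16(record, off)
            ext_len, off = _u16(record, off)
            data = record[off:off + ext_len]
            off += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                supported = [struct.unpack_from("!H", data, 1 + i)[0] for i in range(0, data[0], 2)]
    # Without the extension, the only version on offer is legacy_version itself.
    offered = supported if supported is not None else [legacy_version]
    return {
        "record_version": TLS_VERSIONS.get(record_version, hex(record_version)),
        "legacy_version": TLS_VERSIONS.get(legacy_version, hex(legacy_version)),
        "supported_versions": None if supported is None else [TLS_VERSIONS.get(v, hex(v)) for v in supported],
        "cipher_suites": [CIPHER_SUITES.get(s, hex(s)) for s in suites],
        "offers_tls13": 0x0304 in offered,
        "raw_versions": offered,
        "raw_suites": suites,
    }


def common_ground(client, server_versions, server_suites):
    """Model the server's first decision: a shared version, then a shared suite valid for it.

    server_versions / server_suites stand in for the server's configured policy (constructed).
    """
    versions = [v for v in client["raw_versions"] if v in server_versions]
    if not versions:
        return "no common protocol version"
    chosen = max(versions)
    usable = [s for s in client["raw_suites"]
              if s in server_suites and (s in TLS13_SUITES) == (chosen == 0x0304)]
    if not usable:
        return "no common cipher suite for " + TLS_VERSIONS[chosen]
    return "ok: %s with %s" % (TLS_VERSIONS[chosen], CIPHER_SUITES.get(usable[0], hex(usable[0])))


if __name__ == "__main__":
    # A 1.3-only client like the one in the thread: legacy header says 1.2, extension says 1.3.
    hello = parse_client_hello(build_client_hello([0x1302, 0x1301], [0x0304]))
    print(hello["legacy_version"], hello["supported_versions"], hello["cipher_suites"])
    print(common_ground(hello, {0x0303}, {0xC030, 0x1302}))           # server stops at 1.2
    print(common_ground(hello, {0x0303, 0x0304}, {0x1302}))           # server does 1.3
```

To run this against a real capture, take the bytes of the ClientHello record itself; in an EAP-TLS exchange that record is carried inside the EAP-TLS data field of the RADIUS Access-Request, not at the top of the packet, so select that inner TLS record in Wireshark before copying the hex. Feed the result to `parse_client_hello` and compare `supported_versions` and `cipher_suites` with what the server side is configured to accept.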

