Windows 11 TEAP Authentication Not Working

Brian Allen 0 Reputation points
2025-03-24T19:46:01.32+00:00

We are observing an issue with the Windows 11 supplicant (not 3rd party) where the EAP session times out after receiving the SERVER HELLO packet of the TLS handshake. The same configuration on a Windows 10 machine succeeds without issue.

Configuration

  • TEAP with EAP chaining, using both user and computer certificates.
  • User and computer certificates have EKU for Client Authentication, under the same root chain.
  • Server certificate has EKU for Server Authentication, under the same root chain.
  • Certificate chain is in the trusted root stores of both client and server.
  • Server validation for inner and outer methods uses trusted root CA only. No servers specified.
  • Configured on both Windows 10 and 11.

Observations

  • PCAP shows EAP session timeout after SERVER HELLO in TLS handshake.
  • Server only shows initial EAP response with 'anonymous' user. No other errors presented in RADIUS logs.
  • Server debugs show the following:
Crypto,2025-01-21 15:26:38,341,ERROR,0x7f202a93a700,NIL-CONTEXT,Crypto::Result=39, Crypto.SSLConnection.getPeerCertificate - Peer sent no certificate,SSLConnection.cpp:534
SecureConnectionNotification,2025-01-21 15:26:38,341,WARN ,0x7f202a93a700,cntx=0016425448,sesn=vm-ise-01/522632762/290775,CPMSessionID=CC31510A0000955970770368,CallingStationID=00-80-9F-A4-BD-CA,SecureConnectionNotification::getPeerCertificateAttributes Error getting peer certificate from SSL Connection,SecureConnectionNotification.cpp:305

Crypto,2025-01-21 15:26:38,341,ERROR,0x7f202a93a700,NIL-CONTEXT,Crypto::Result=1, Crypto.SSLConnection.pvServerInfoCB - Alert raised: code=0x228=552, direction=write, message=SSL alert: code=0x228=552 ; source=local ; type=fatal ; message="handshake failure.ssl/statem/statem_srvr.c:2296 error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher [error=337092801 lib=20 func=378 reason=193]",SSLConnection.cpp:4688

Crypto,2025-01-21 15:26:38,341,ERROR,0x7f202a93a700,NIL-CONTEXT,Crypto::Result=101, Crypto.SSLConnection.processData - handshake failed, acceptStatus=-1, openSSL error=1, message="SSL alert: code=0x228=552 ; source=local ; type=fatal ; message="handshake failure.ssl/statem/statem_srvr.c:2296 error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher [error=337092801 lib=20 func=378 reason=193]"", error=1417a0c1, reason=193,SSLConnection.cpp:806

Crypto,2025-01-21 15:26:38,341,WARN ,0x7f202a93a700,NIL-CONTEXT,Crypto::Result=101, Crypto.SSLConnection.processData - an alert was raised - alert-code=0x228=552, source=local,SSLConnection.cpp:817
  • The network configuration profile on Windows 10 uses the SHA256 value for the TrustedRootCAHash tag. Windows 11 uses SHA1. All other tag values are identical between OS versions.
  • CAPI2 logs show no errors related to the server's certificate.
  • EAPHost logs show the timeout due to lack of network response.

1 answer

  1. Zunhui Han 4,295 Reputation points Microsoft External Staff
    2025-03-25T09:36:34.53+00:00

    Hello,

    Thank you for posting in the Q&A forum.

    From the log information you provided, it seems that the problem is that the client and server cannot agree on mutually supported cipher suites during the TLS handshake. I suggest you first try to compare whether the SSL/TLS configurations of Windows 10 and Windows 11 are the same.

    I hope the information above is helpful.

    Best regards

    Zunhui

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
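
One way to carry out the comparison suggested in the answer above, as an added example that is not part of the original thread and not Microsoft's own code. The function names and snapshot file paths are assumptions; `Get-TlsCipherSuite` and `Get-TlsEccCurve` are the built-in TLS module cmdlets, and the registry paths are the standard Schannel protocol and Group Policy cipher-order locations.

```powershell
# Added example, not from the original thread. Function names and the snapshot
# file paths are hypothetical. Run Export-SchannelSnapshot elevated on each client.
function Export-SchannelSnapshot {
    param([Parameter(Mandatory)][string]$Path)

    # Explicit per-protocol overrides; absent values mean OS defaults apply.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $overrides = @()
    if (Test-Path $root) {
        $overrides = @(Get-ChildItem $root -Recurse | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            foreach ($name in 'Enabled', 'DisabledByDefault') {
                if ($null -ne $p.$name) { '{0}\{1}={2}' -f $_.Name, $name, $p.$name }
            }
        })
    }

    # Cipher suite order pushed by Group Policy, if any.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $policy = (Get-ItemProperty $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        OS                = (Get-CimInstance Win32_OperatingSystem).Caption
        CipherSuites      = @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
        EccCurves         = @(Get-TlsEccCurve | ForEach-Object { "$_" })
        ProtocolOverrides = $overrides
        PolicyCipherOrder = @($policy -split ',' | Where-Object { $_ })
    } | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-SchannelSnapshot {
    param([Parameter(Mandatory)][string]$Win10Path,
          [Parameter(Mandatory)][string]$Win11Path)
    $w10 = Get-Content $Win10Path -Raw | ConvertFrom-Json
    $w11 = Get-Content $Win11Path -Raw | ConvertFrom-Json
    foreach ($field in 'CipherSuites', 'EccCurves', 'ProtocolOverrides', 'PolicyCipherOrder') {
        [pscustomobject]@{
            Field     = $field
            OnlyWin10 = @($w10.$field | Where-Object { $_ -notin $w11.$field })
            OnlyWin11 = @($w11.$field | Where-Object { $_ -notin $w10.$field })
        }
    }
}

# Export-SchannelSnapshot -Path .\win10.json     (on the Windows 10 client)
# Export-SchannelSnapshot -Path .\win11.json     (on the Windows 11 client)
# Compare-SchannelSnapshot .\win10.json .\win11.json | Format-List
```

Any entry under OnlyWin10 is something the working client can offer that the failing one cannot; check those against the cipher suites and protocol versions the RADIUS server is configured to accept.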

