Hello,
Thank you for posting your question on the Microsoft Windows forum!
Based on your query, authentication succeeds for Windows 11 devices but fails for Windows 10 devices on the NPS server set up to authenticate clients for the Cisco WLC. You can check the following points for the potential failure reasons.
1. Windows 11 often defaults to TLS 1.3 for EAP-TLS, while Windows 10 might use TLS 1.2 or earlier TLS versions:
- Check NPS Server TLS Support: Ensure your NPS server (and the underlying Windows Server OS) is updated and supports TLS 1.3. Windows Server 2019 and newer generally support it.
- Force TLS 1.2 on NPS (if necessary): If upgrading isn't an option or you're still facing issues, you can configure the NPS server to prioritize or force TLS 1.2.
- Check Windows 10 TLS settings: While less likely to be the problem if Windows 11 works, ensure Windows 10 has not had its TLS settings explicitly downgraded or misconfigured.
2. Windows 10 and 11 might have slight variations in how they initiate or handle specific EAP (Extensible Authentication Protocol) types (e.g., PEAP, EAP-TLS, EAP-MSCHAPv2):
- Review NPS Network Policies: On the NPS server, carefully examine the Network Policies that apply to the wireless authentication.
- Conditions: Are there any conditions that might inadvertently exclude Windows 10 devices? (e.g., specific OS version checks, machine groups).
- Constraints (Authentication Methods): Ensure that the EAP types selected (e.g., "Microsoft: Protected EAP (PEAP)" with "Secured Password (EAP-MSCHAP v2)") are fully compatible with how Windows 10 attempts to authenticate. Sometimes Windows 10 might have issues with specific combinations or order of EAP methods.
- Client Configuration: Double-check the wireless profile on a problematic Windows 10 device. Ensure the EAP type, server certificate validation settings, and inner authentication methods (like MS-CHAPv2) match what's configured on the NPS policy.
3. Certificate issues if using EAP-TLS or PEAP (both of which rely on server certificates):
- Verify Certificate Validity: Ensure the server certificate on the NPS server is valid (not expired), trusted by the Windows 10 devices (the issuing Certificate Authority should be in their Trusted Root Certification Authorities store), and correctly configured in the NPS network policy.
- Certificate Subject Name/FQDN: There have been reports of Windows 11 being more strict with case sensitivity or FQDN vs. IP address matching when validating the NPS server certificate. While this usually affects Windows 11, it's worth verifying that the NPS server's Subject Name or Subject Alternative Name (SAN) on its certificate precisely matches how the clients are configured to look for it.
- Client Certificates (if using EAP-TLS): If EAP-TLS is used, ensure the Windows 10 devices have valid client certificates issued by a trusted CA, and that these certificates are correctly being presented during the authentication process.
4. If you use GPOs to deploy wireless profiles or security settings, a GPO might be targeting Windows 11 differently than Windows 10:
- Review GPOs: Examine any GPOs that apply to your Windows 10 and Windows 11 devices, especially those related to Wireless Network (802.1X) policies, EAP settings, and LAN Manager authentication levels. Ensure no conflicting or missing settings are affecting Windows 10.
- WMI Filters: If WMI filters are used with your GPOs, ensure they are correctly identifying and applying the policies to Windows 10 devices.
5. Driver issues on Windows 10:
- Update Drivers: Ensure all network adapter drivers on the Windows 10 devices are updated to the latest versions.
6. Network connectivity and firewall:
- Firewall: Ensure no local firewall on the Windows 10 devices or any intermediate firewalls are blocking RADIUS traffic (UDP ports 1812/1813 or 1645/1646) between the WLC and the NPS server, or between the client and WLC.
- Reachability: Confirm that Windows 10 devices can reach the WLC, and the WLC can reach the NPS server.
Hope the above information is helpful!
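As an added example that is not part of the answer above, the following PowerShell script gathers the server-side evidence for points 1 and 3 on the NPS server itself: the explicit Schannel TLS 1.2/1.3 server settings, the validity and SAN of the Server Authentication certificates in the machine store, and the recent NPS denial events (Security event ID 6273) grouped by reason code and EAP type, which is where the Windows 10 failures will show up. It assumes it is run elevated on the NPS server with NPS auditing enabled, and `$ExpectedFqdn` is a placeholder for the name the clients are configured to validate.

```powershell
# Added example (not from the original answer). Run elevated on the NPS server.
param(
  [string]$ExpectedFqdn = 'nps01.corp.example',  # assumption: replace with the NPS FQDN clients validate
  [int]$Hours = 24                               # how far back to search for NPS denials
)

# 1. Explicit Schannel server-side protocol settings. A missing key means the OS default applies.
$protoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($p in 'TLS 1.2', 'TLS 1.3') {
  $k = Join-Path $protoRoot "$p\Server"
  if (Test-Path $k) {
    $v = Get-ItemProperty -Path $k
    '{0,-8} Server: Enabled={1} DisabledByDefault={2}' -f $p, $v.Enabled, $v.DisabledByDefault
  } else {
    '{0,-8} Server: no explicit key (OS default)' -f $p
  }
}

# 2. Server Authentication certificates: expiry and whether the SAN carries the expected FQDN.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
Get-ChildItem Cert:\LocalMachine\My |
  Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid } |
  ForEach-Object {
    $sanExt = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
    [pscustomobject]@{
      Subject    = $_.Subject
      NotAfter   = $_.NotAfter
      Expired    = ($_.NotAfter -lt (Get-Date))
      SanHasFqdn = ($san -match [regex]::Escape($ExpectedFqdn))
      Thumbprint = $_.Thumbprint
    }
  } | Format-Table -AutoSize

# 3. NPS denials (Security event 6273) in the last $Hours, grouped by reason and EAP type.
#    Requires the "Network Policy Server" audit subcategory to be enabled for failures.
$filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
  $x = [xml]$_.ToXml()
  $d = @{}
  foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }   # flatten EventData
  [pscustomobject]@{
    Time       = $_.TimeCreated
    User       = $d['SubjectUserName']
    ClientMac  = $d['CallingStationID']   # the wireless client
    RadiusClnt = $d['ClientName']         # the WLC as registered in NPS
    Policy     = $d['NetworkPolicyName']
    EAPType    = $d['EAPType']
    ReasonCode = $d['ReasonCode']
    Reason     = $d['Reason']
  }
} | Group-Object ReasonCode, EAPType, Reason | Sort-Object Count -Descending |
  Select-Object Count, Name | Format-Table -AutoSize -Wrap
```

Compare the reason code and EAP type of the Windows 10 denials against a successful Windows 11 session (event ID 6272) to see whether the two client versions are actually negotiating the same EAP method and policy.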