802.1x Authentication broken on some devices after in place update to 20H2

Blaettler, Samuel 6 Reputation points
2021-07-20T05:44:50.223+00:00

We use 802.1x for wired LAN authentication (Aruba Clearpass). In the past we never had issues during in-place upgrades related to 802.1x, but this seems to have changed now.

Looks like the upgrade to 20H2 breaks the 802.1x authentication on some clients. They are no longer able to authenticate via LAN. Several reboots did not resolve the issue. But disconnecting LAN to force WLAN to kick in (if available) seems to help: Device is then able to connect to the corporate network. After a gpupdate and reconnecting the LAN to the device, 802.1x authentication also is working again for LAN!

Anybody else having similar issues and able to help?


5 answers

  1. Blaettler, Samuel 6 Reputation points
    2021-07-20T08:33:01.84+00:00

    Thanks @Candy Luo for your feedback on this.

    We're using Clearpass to authenticate. Here are the events from Microsoft\Windows\Wired-AutoConfig:

    Issue starts with Event ID 14003 Source LanGPA not being able to apply the NAC client GPO:

    A previously existing Wired Group Policy couldn't be applied to your computer.

    Wired Group Policy Name: -
    Reason Code: 2147943606

    "netsh lan show interfaces" then shows as Status "Authentication failed." No wired connection possible anymore!

    I found a workaround. Importing the Auth-profile XML via netsh lan add profile filename=<PathToProfile> interface=* seems to resolve the issue.

    So I assume that the problem is client related and not server related. And it happens only on 10% of all our clients being upgraded to 20H2. What is happening on the client that breaks the NAC configuration on some clients?


  2. jaybird283 591 Reputation points
    2021-07-23T17:19:52.497+00:00

    @Blaettler, Samuel Would you mind posting any update you have here? I am following this issue because I am kicking off a large LTSB to 20H2 upgrade tonight and we have NAC enabled here too. I ran into one machine (the only machine I tried) with this issue yesterday and am a little worried about our larger push.


  3. Blaettler, Samuel 6 Reputation points
    2021-08-10T08:22:06.823+00:00

    Hi @jaybird283

    Was on holiday the last two weeks, now we have prepared a pilot with approx. 40 devices where we test the script that (hopefully) fixes the issue with NAC. Hope I can report more details at the end of the week.


  4. Blaettler, Samuel 6 Reputation points
    2021-08-16T07:08:42.967+00:00

    Last week, we did a pilot in-place upgrade from 1909 to 20H2 with 41 devices. Approx. 10% of the devices had issues with NAC authentication that could automatically be remediated by a small PowerShell script inspired by the brilliant post here: https://www.asquaredozen.com/2018/07/29/configuring-802-1x-authentication-for-windows-deployment-part-1-building-an-802-1x-computer-authentication-script/
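
The check and workaround described in answers 1 and 4, as an added example that is not part of the original posts and is not the script the poster used. The profile path is hypothetical, the sample output is constructed, and English `netsh` output is assumed.

```powershell
# Added example, not the poster's script. Run elevated on the affected client.
param(
    [string]$ProfilePath = 'C:\Temp\wired-8021x-profile.xml',  # hypothetical path to the exported profile XML
    [switch]$Remediate,   # without this switch the script only reports
    [switch]$UseSample    # parse the constructed sample below instead of calling netsh
)

function Get-FailedWiredInterface {
    # Emits the Name of every interface block that contains "Authentication failed".
    param([string[]]$NetshOutput)
    $name = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Name\s*:\s*(.+?)\s*$') { $name = $Matches[1] }
        elseif ($name -and $line -match 'Authentication failed') { $name; $name = $null }
    }
}

# Constructed, simplified sample in the layout of "netsh lan show interfaces".
$sample = @(
    'There is 1 interface on the system:', '',
    '    Name             : Ethernet',
    '    State            : Authentication failed.'
)

$output = if ($UseSample) { $sample } else { netsh lan show interfaces }
$failed = @(Get-FailedWiredInterface -NetshOutput $output)

# Event ID 14003 is the "Wired Group Policy couldn't be applied" event quoted in the thread.
$gpoEvents = @()
if (-not $UseSample) {
    $gpoEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Wired-AutoConfig/Operational'; Id = 14003
    } -MaxEvents 5 -ErrorAction SilentlyContinue)
}

"Interfaces in 'Authentication failed' state: $($failed -join ', ')"
"Recent event 14003 entries: $($gpoEvents.Count)"

if ($failed.Count -gt 0 -and $Remediate -and -not $UseSample) {
    if (-not (Test-Path -LiteralPath $ProfilePath)) { throw "Profile XML not found: $ProfilePath" }
    # Same command as the workaround in the thread; assumes a path without spaces.
    netsh lan add profile "filename=$ProfilePath" 'interface=*'
    if ($LASTEXITCODE -ne 0) { throw "netsh lan add profile failed with exit code $LASTEXITCODE" }
    Start-Sleep -Seconds 15   # arbitrary wait for re-authentication before re-checking
    $still = @(Get-FailedWiredInterface -NetshOutput (netsh lan show interfaces))
    if ($still.Count -gt 0) { Write-Warning "Still failing: $($still -join ', ')" }
}
```

Running it with `-UseSample` exercises only the parser and touches neither the network configuration nor the event log.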


  5. Anonymous
    2022-01-06T03:53:13.303+00:00

    Hi @Candy Luo,

    May I know whether this issue is fixed in 21H1 and 21H2 already?

    Thanks a lot.

