Windows 11 TEAP bug

Question

The TEAP specification states that:

2.2.3.2.13 EapTeapConnectionPropertiesV1
TrustedRootCAHashes: The thumbprint of a root certification authority that is trusted to issue server certificates, represented as a hexadecimal string of the certificate's [SHA256] hash. Zero or more elements can be present.

• In Windows 10 it was implemented correctly using SHA256
• In Windows 11 it was implemented using incorrectly SHA1

This causes issues if you try to mass-deploy GPO settings for Wired 802.1X in a mixed W10/W11 environment.

Our workaround was to apply a different GPO to each computer based on operating system.

Will there be a fix for this from Microsoft? Our fear is that if the behaviour is fixed in W11 then all W11 won't be able to connect until we apply a new GPO. This will cause major disruption.

You can reproduce the issue by creating a TEAP configuration on a wired connection then exporting using the netsh lan export profile command.

Note: We haven't completed testing using wireless connections so I can't say if the issue also applies there.

Answer 1

Hi there,

It should be added to the Development Roadmap in 2022.

If your windows clients are domain joined, you have to push a group policy that enables TEAP, by exporting a group policy and changing some XML content related to the Windows Supplicant TEAP configuration.

Windows 10 AlwaysON VPN with EAP-TEAP https://learn.microsoft.com/en-us/answers/questions/120377/windows-10-alwayson-vpn-with-eap-teap.html

Advanced troubleshooting 802.1X authentication https://learn.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-802-authentication

----------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer–