none
Windows 8.1 and EAP-TLS Issue (not working after upgrade) RRS feed

  • Question

  • Hello,

    we are facing an issue with windows 8.1 using 802.1x EAP-TLS authentication, before upgrading to 8.1 (running 8) it was working fine with no issues, now after some clients upgraded to 8.1 they are not able to authenticate and always shows "timeout" in the RADIUS Server, those clients were 100% working fine with window 8 and all the other windows versions are working fine.
    we have re installed the client and root certificate again, when trying to access it asks to choose the client certificate and we are choosing the correct one which proves that it is installed and available (this is in machines having multiple client certificates like mine)
    Any similar issue reported or identified ???? please help
    Sunday, October 27, 2013 4:53 AM

Answers

All replies

  • Hi,

    We would take some time to do more research on this issue, and give you an update as soon as possible.

    Before going forward, please try to exit the domain and re-join to check the results.


    Regards,

    Kate Li

    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.



    Tuesday, October 29, 2013 3:07 AM
    Owner
  • Hi,

    The machines are not joined to the domain, it is affecting multiple sites, EAP-TLS only, if they are using EAp-PEAP it works fine so there is something with the client certificate from the windows system.

    Tuesday, October 29, 2013 4:41 AM
  • EAP is no longer recommend for 8.1:

    http://social.technet.microsoft.com/Forums/windows/en-US/290c63b4-ce04-4483-a047-e1000c7d7699/wpa-security-types-are-missing-after-upgrading-to-windows-81?forum=w8itpronetworking#bff66720-0c1d-4efa-9261-7934399edc8f

    In this topic there is a workaround (export the profile from a Win8.x PC and import it in 8.1). Maybe this works for you, too.


    "A programmer is just a tool which converts caffeine into code"


    Tuesday, October 29, 2013 5:46 AM
    Answerer
  • Hi Andre,

    that link you provided is talking about using WPA-TKIP for encryption which i'm not using, i'm using WPA2-AES which should be fine, and EAP is still supported only the lower encryption is removed.


    Tuesday, October 29, 2013 6:00 AM
  • hi,

    please refer to the following link

    Deploy Client Computer Certificates

    http://technet.microsoft.com/en-us/library/cc731242.aspx


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, October 29, 2013 10:15 AM
  • Client Certificate is installed correctly, again the device was working fine before upgrading it stopped connecting after the upgrade, we are using Aurba Clearpass for auto provisioning of the device and deploying of Client certificate.

    Hi Kate,

    Any update on this issue and the research ?? 

    Thanks

    Tuesday, November 5, 2013 8:22 AM
  • Well download this radius test tools and see if your radius fails to
    respond

    http://www.novell.com/coolsolutions/tools/14377.html


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, November 5, 2013 10:44 AM
  • There appears to be a bug with EAP-TLS.   Until Microsoft fixes it, try EAP-PEAP instead.   Apparently it works.
    Tuesday, November 12, 2013 2:23 AM
  • Are you sure about the bug thing ?? any official response from Microsoft ?

    Thanks

    Thursday, November 14, 2013 7:22 AM
  • I am sorry for that not all of the bug was published right now.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, November 26, 2013 8:44 AM
  • I had a similar problem with freeradius and PEAP or TTLS. After checking "network uses preauthentication" it worked. I didn't need to do this in Win7 or Win8 but in Win8.1.
    Wednesday, November 27, 2013 8:10 PM
  • Did you use SHA-1 or SHA-2 user certificate?
    Tuesday, March 4, 2014 11:47 PM
  • http://adamsync.wordpress.com/2012/05/08/eap-ttls-on-windows-2012-build-8250/

    Amit Rawat | MCITP - Exchange 2007/2010| CCNA |MCSE- 2003| Lync 2010|http://blog.amitrawat.net

    Tuesday, August 26, 2014 11:39 AM
  • This problem (or a related one) bugs me too - everything worked fine on 7 but 8.1 (and 10 Preview) cannot connect without any reasonable error message.

    The only clue is in EventLog/Windows/EapMethods-RasTls:

    "Authentication failed for EAP method type 13. The error was 0x54F."

    Method 13 is TLS-EAP which is correct, but error 0x54F is not documented (or at least I could not find any documentation anywhere for error 0x54F).

    What did change to EAP-TLS on the way to 8.1? Additional OIDs needed on the certs? anything? Is there any documentation? How do I get reasonable logs out of Windows? Both the Radius (FreeRadius) and AP (Lancoms) only show Windows just stops in the middle of the Handshake and times out.

    Preauthentication unfortunately didn't solve my problem :/(


    • Edited by FunkyNet Thursday, November 27, 2014 10:18 AM
    Thursday, November 27, 2014 10:18 AM
  • Hi, we experienced this error "Authentication failed for EAP method type 13. The error was 0x54F." for 802.1x authentication on the wired network.

    After a lot of troubleshooting the issue was actually caused by USMT as we are migrating from Win7 to Win10.

    USMT migrates computer certificates, but does not migrate the private keys for the certificates. So when the Win10 machine attempts 802.1x authentication using the migrated certificates this fails.

    The fix for this is to either not migrate certificates or delete computer certificates at the end of the build so the machines receive new certificates when group policy update runs.

    Monday, May 23, 2016 11:19 PM
  • I know this is very old, but just responding to the 0x54F error.  In decimal this is 1359L, which is documented in winerror.h.  This of course is not a helpful error aside from excluding the other errors, but in case anyone looks for this in the future here it is:

    WinError.h:7029:#define ERROR_INTERNAL_ERROR             1359L
    Tuesday, February 12, 2019 3:00 PM