Windows 10 Credential Guard breaks WiFi
Recently, I ran into an issue with computers running windows 10 that would not connect to our WPA2-Enterprise encrypted wifi network. When it failed to connect, there was no indication of why, only the message "Can't connect to this network." The computers were able to connect to unencrypted networks and networks using a Pre-shared key for WPA encryption without issue.
Checking the event logs on the RADIUS server to see why the comptuer failed to connect, there was no log entry for a connection attempt from the affected system. The WLAN-Auto-Config log on the client listed a couple of errors, including Event ID 11006 and 12013, but other than showing that the failure reason was "Explicit EAP failure received", they didn't give much to go on:
For a Credential Guard enabled computer to authenticate to a WPA2-Enterprise wireless network, the network must use certificate based authentication. In my case, we already had the PKI in place, so it was a simple matter of configuring the RADIUS server to accept certificate based authentication and changing the Wireless Settings in our GPO to use a certificate for authentication instead of the Secured Password option. After making these changes and connecting these clients to ethernet to get a group policy update, they were able to successfully authenticate with and connect to the WPA2-Enterprise encrypted network. If you don't already have a Public Key Infrastructure (PKI) set up, this will require installing configuring the Certificate Authority role on a Windows server, and issuing certificates to users and/or computers. (Ideally, configuring computers to auto enroll with the CA for computer certificates.)
When I was searching online for what could possibly cause my issue, searching for the error message and event details I had turned up nothing useful. Any posts I found from others with similar errors turned out to be unrelated. In the end, I did find a single page by Nigel Kemp documenting his experience with this issue, but only after I had already identified the likely culprit and searched specifically for "Credential Guard breaks Wifi". Still, I was thankful to have the confirmation that I was on the right track. I hope that by including the specific errors and events in this blog post, it will help others find the solution to this problem a little easier.
Checking the event logs on the RADIUS server to see why the comptuer failed to connect, there was no log entry for a connection attempt from the affected system. The WLAN-Auto-Config log on the client listed a couple of errors, including Event ID 11006 and 12013, but other than showing that the failure reason was "Explicit EAP failure received", they didn't give much to go on:
Log Name: Microsoft-Windows-WLAN-AutoConfig/Operational
Source: Microsoft-Windows-WLAN-AutoConfig
Date: 8/15/2016 1:11:20 PM
Event ID: 11006
Task Category: MsmSecurity
Level: Error
Keywords: (1024),(512)
User: SYSTEM
Computer: computer.domain.com
Description:
Wireless security failed.
Network Adapter: Intel(R) Dual Band Wireless-AC 7265
Interface GUID: {32a54564-27eb-479a-82f3-10a9b736f9d8}
Local MAC Address: AA:BB:CC:DD:EE:FF
Network SSID: CHC1
BSS Type: Infrastructure
Peer MAC Address: 00:11:22:33:44:55
Reason: Explicit Eap failure received
Error: 0x80070285
Log Name: Microsoft-Windows-WLAN-AutoConfig/OperationalAfter spending significant time toubleshooting the issue, I found that the issue was caused by the new "Credential Guard" feature in windows 10. In the technet article documenting this new feature, there is a single line which explains why this was happening:
Source: Microsoft-Windows-WLAN-AutoConfig
Date: 8/15/2016 1:11:20 PM
Event ID: 12013
Task Category: OneXAuthentication
Level: Error
Keywords: (1024),(512)
User: SYSTEM
Computer: computer.domain.com
Description:
Wireless 802.1x authentication failed.
Network Adapter: Intel(R) Dual Band Wireless-AC 7265
Interface GUID: {32a54564-27eb-479a-82f3-10a9b736f9d8}
Local MAC Address: AA:BB:CC:DD:EE:FF
Network SSID: CHC1
BSS Type: Infrastructure
Peer MAC Address: 00:11:22:33:44:55
Identity: host/computer.domain.com
User:
Domain:
Reason: Explicit Eap failure received
Error: 0x80070285
EAP Reason: 0x285
EAP Root cause String: There was an internal authentication error.
EAP Error: 0x285
Credential Guard also does not allow unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2, Digest, CredSSP, and Kerberos DES encryption.As it turns out, our radius server and the GPO which pushed our wireless settings out to clients were configured to use MS PEAP for authentication. At first glance, that doesn't seem to conflict with the statement above, but the P in PEAP stands for protected. It basically creates an encrypted tunnel first, over which standard EAP authentication takes place. The EAP communication travelling through that encrypted connection can be configured to use either "Secured Password (EAP-MSCHAP v2)" or "Smart Card or other Certificate". You can guess which mine was using.
For a Credential Guard enabled computer to authenticate to a WPA2-Enterprise wireless network, the network must use certificate based authentication. In my case, we already had the PKI in place, so it was a simple matter of configuring the RADIUS server to accept certificate based authentication and changing the Wireless Settings in our GPO to use a certificate for authentication instead of the Secured Password option. After making these changes and connecting these clients to ethernet to get a group policy update, they were able to successfully authenticate with and connect to the WPA2-Enterprise encrypted network. If you don't already have a Public Key Infrastructure (PKI) set up, this will require installing configuring the Certificate Authority role on a Windows server, and issuing certificates to users and/or computers. (Ideally, configuring computers to auto enroll with the CA for computer certificates.)
When I was searching online for what could possibly cause my issue, searching for the error message and event details I had turned up nothing useful. Any posts I found from others with similar errors turned out to be unrelated. In the end, I did find a single page by Nigel Kemp documenting his experience with this issue, but only after I had already identified the likely culprit and searched specifically for "Credential Guard breaks Wifi". Still, I was thankful to have the confirmation that I was on the right track. I hope that by including the specific errors and events in this blog post, it will help others find the solution to this problem a little easier.
Hi Steve,
ReplyDeleteThanks for the informative article.
Is this constraint still relevant today (Credential Guard not allowing MS-CHAPv2)? Using Windows Server 2016 for our RAIDIUS-server.
Sondre
I've switched my environment to use certificate based authentication, so I don't know for certain if this issue has been addressed in recent feature updates. Based on the current documentation, I see a couple of things that suggest Credential Guard may handle MS-CHAPv2 differently now.
DeleteMS-CHAPv2 is listed on https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements under "Applications will prompt and expose credentials to risk if they require." I would interpret that to mean that MS-CHAPv2 may no longer be totally blocked, but credential guard can't protect the credentials when using that method of authentication. The documentation does specifically address the use of MS-CHAPv2 based authentication for WiFi and VPN networks on another page ( https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements ), which says that they *recommend* moving from MS-CHAPv2 to certificate based authentication, but it doesn't say that MS-CHAPv2 won't work, just that it's subject to attack.