Bug 57772 - Improve documentation on EAP-TLS Freeradius configuration
Summary: Improve documentation on EAP-TLS Freeradius configuration
Status: NEW
Alias: None
Product: UCS
Classification: Unclassified
Component: Radius
Version: UCS 5.2
Hardware: Other Linux
: P5 normal
Target Milestone: ---
Assignee: UCS maintainers
QA Contact: UCS maintainers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-11-26 13:42 CET by Marius Meschter
Modified: 2025-06-30 10:30 CEST (History)
5 users (show)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marius Meschter univentionstaff 2024-11-26 13:42:25 CET 
Starting from Windows 11 22H2, Credential Guard is enabled by default, which breaks 802.1x SSO when using EAP-PEAP MSCHAPv2 authentication. This results in users having to enter their username/password twice to authenticate with the network. While this can be done during login, the duplicate authentication requirement remains.
Microsoft recommends switching to certificate-based authentication (EAP-TLS) as a solution. Although our FreeRADIUS configuration theoretically supports EAP-TLS, we currently lack any documentation for both EAP-TLS setup and client certificate generation/management.

Credential Guard default enablement: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/#default-enablement
Microsoft's recommendations: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues#wi-fi-and-vpn-considerations