Windows 11 Credential Guard Effects on FreeRADIUS Network Authentication

Problem

Starting with Windows 11 22H2, Microsoft enables Credential Guard by default (learn more). While this change improves security, it breaks 802.1X authentication for EAP methods that rely on a username/password combination, such as EAP-PEAP with MSCHAPv2. If you use FreeRADIUS with this configuration, single sign-on (SSO) for network login may therefore stop working.

Why does this happen?

Credential Guard isolates domain secrets (including the NT password hash from which MSCHAPv2 derives its response) inside a protected LSA process, so the cached Windows logon credential can no longer be reused for the SSO exchange that MSCHAPv2 relies on. Microsoft acknowledges this behavior (see their notes).
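Before deciding between the options below it helps to know which clients actually have Credential Guard running. The following PowerShell function is an added example, not part of the original article or of the FreeRADIUS project; it assumes a Windows 10/11 host that exposes the documented root\Microsoft\Windows\DeviceGuard CIM namespace and reports whether Credential Guard is configured and running, flagging hosts whose PEAP-MSCHAPv2 SSO will be affected.

```powershell
# Added example (not from the original article): report whether Credential Guard
# is configured and running on this Windows host, so affected PEAP-MSCHAPv2
# clients can be inventoried before the move to EAP-TLS.
# Assumes Windows 10/11 with the root\Microsoft\Windows\DeviceGuard CIM namespace.

function Get-CredentialGuardState {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard lists virtualization-based security services as values:
    # 1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity (HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # LsaCfgFlags is the policy value Credential Guard is configured through:
    # 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsaCfg  = (Get-ItemProperty -Path $lsaPath -Name 'LsaCfgFlags' `
                                 -ErrorAction SilentlyContinue).LsaCfgFlags

    $cgRunning = ($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        # 0 = VBS not enabled, 1 = enabled but not running, 2 = running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = $cgRunning
        LsaCfgFlags               = $lsaCfg
        # PEAP-MSCHAPv2 SSO with the cached domain credential fails when
        # Credential Guard is running, so these hosts need an EAP-TLS profile.
        MschapSsoAffected         = $cgRunning
    }
}

$state = Get-CredentialGuardState
$state | Format-List

if ($state.MschapSsoAffected) {
    Write-Warning ("Credential Guard is running: PEAP-MSCHAPv2 single sign-on " +
                   "cannot use the cached domain credential. Plan an EAP-TLS " +
                   "(client certificate) profile for this host.")
}
```

Run it with an elevated PowerShell session on each client, or wrap the call in Invoke-Command to collect the objects from a fleet; the MschapSsoAffected field is what you would feed into the migration plan for the EAP-TLS rollout described below.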

Solutions

  • Disable Credential Guard (Not Recommended): This option reverts the machine to its previous, less secure state and is generally not advisable.
  • Manual Password Entry: Disabling SSO for the network profile requires users to enter their network credentials manually. Users then have to enter their credentials twice: once for the normal Windows login and once for network authentication.

The long-term solution recommended by Microsoft is to switch to EAP-TLS. This approach authenticates with client certificates instead of passwords and is therefore compatible with Credential Guard. While our FreeRADIUS configuration supports EAP-TLS, it is currently not officially supported. We are working on improving the documentation and adding support. The progress can be tracked here.
