Many thanks for the comprehensive response, @TheExpertGuy. It certainly does feel like an issue around the EAP-TLS on the Intel cards. We deployed a number of USB dongles with Realtek chipsets and their issues went away, which reinforces it being an Intel-related or inter-operability issue. Unfortunately this isn't an viable solution with 1000+ users.

We've tried almost all of the available options above. My reason for posting here was to try and get some focus and traction from Intel regarding an issue which appears to sit with their hardware/driver software. Very similar issues with the Intel chipsets appear in other Dell, Lenovo, Cisco & Meraki forums with no definitive answers unfortunately. 

...the most effective mitigation has been to standardize on a known-stable Intel driver branch rather than the latest release. i suggest testing a rollback to an earlier Intel PROSet/Wireless driver version that predates the introduction of WPA3 and advanced roaming optimizations, as these changes have been observed to impact EAP-TLS authentication in some environments. In parallel, disabling the following advanced adapter features on affected systems has resolved or significantly reduced authentication failures:

1. Fast Roaming (802.11r)

2. MAC Randomization / Private Addressing

3. PMF (Protected Management Frames) where optional

4. WPA3 transition mode, if enabled

On the RADIUS side, ensuring certificate chains are delivered in full (including intermediates) and confirming TLS 1.2 is explicitly allowed rather than negotiated has also helped stabilize Intel client authentication.

Thanks @CaNeBuRy23 

We have disabled those options on the WLC/APs and I'm advised that the other roaming settings are set within the driver itself and cannot be changed:

"These features are permanently enabled at the driver level for all Intel® AX and BE series wireless adapters. The Intel driver automatically exchanges the necessary frames with your Access Points (APs) to build an optimized map of the network for improved roaming performance.

Because these capabilities are considered essential for modern Wi-Fi efficiency, they cannot be disabled through the Windows user interface. The 802.11r, 802.11k, and 802.11v fast roaming features are automatically handled by the Windows operating system and the Intel wireless driver, provided that your network infrastructure (APs/routers) also supports and has these features enabled. At this time, there is no specific toggle or on/off switch available in the adapter’s configuration settings to disable/enable these modes."

As far as I'm aware the certificate chain and TLS are fine, plus, the Realtek adapters don't appear to have the issue. 

I could try and get hold of the earlier drivers to test, however, this isn't ideal and we do have update processes and auditing systems in-place to ensure that they are kept up-to-date. The correct answer surely is to resolve whatever is causing the issue within the driver software!

Hi @Robbyde 

We're on 

This has been an issue for use for 18 months+ now I believe.

As we've exhausted all suggestions the current thinking is to push out WPA2-PSK authentication as we believe this is almost certainly an issue in the Intel driver with EAP-TLS and something we cannot fix ourselves. Another option (for our remote offices) is to disable one of the pair of APs so that roaming doesn't occur, which appears to be part of the issue.

It seems ludicrous that we can't reap the benefits of features like FT, PMF, PMK and pre-auth etc. over this issue and backward steps are necessary...

We've also had a case open with Cisco for over a month without much success, please keep us updated with how you get on!

apologies, version is Cisco IOS Software, C9800-CL Software (C9800-CL-K9_IOSXE), Version 17.12.4

Hi, 
Thanks for the write up, we're seeing the same issues across our systems. For us the only reports are coming from the BE201 card, not any earlier AX NICs. 

Same issue on locations with WPA3 features and not. 

No change with the latest Intel driver 24.10.0 

We're currently on Version 17.15.4b 

We manage about 2500 clients with the Intel BE201, so far the issue does not seem so widespread but it could be due to most of the clients are mainly on LAN as well as the dropouts are generally very short for most people. 

@Robbyde, have you made any further progress on this? 

We had our network team disable 6GHz and PMF/FT and we still see the issue, which appears to be when the client roams. The EAP timeouts and handshake errors no longer appear in the WLC/AP logs, however the client still drops during a roaming event. 

In the netsh wlan show wlanreport output we see the same events at the time of the drop:

It would be helpful to get traction from an Intel representative on this matter, is there any way to do this other than via this forum?

Thanks for the input, @harfri We are using AIR-AP3802I-E-K9 APs version 17.12.4.158. Which APs do you have and  do you know if the version you have is an upgrade on ours? Apologies, we don't have access to the network ourselves unfortunately. 

Thanks.

Mainly: 

Aironet 2802I-E 

Catalyst 9120AXI-E

CW9176I-CFG

Our Cisco version is newer, but not much better it appears. 

Hi team, 

From our testing today it seemed like disabling Opportunistic Key Caching (OKC) proved to have the biggest improvement.  

However, even though systematically going through settings this "ghost" appears to work again with it re-enabled, so we're unsure if it actually made any difference. 

Feel free to test this setting on your end too and see if you notice an improvement. 

On another note, HP systems does not appear to have this issue at all, even with the same generation, NIC and driver versions. 

Sorry for the late reply, looks to be the exact same settings as our Lenovos. 



We have got some 

We have an ongoing L2 case with Lenovo, we got sent a Intel WRT2 logging tool, hopefully it catches something we haven't. 

Thanks @harfri  those NIC settings look to be default which we've tried and others. I'd be interested to hear more about that tool and how you get on. 

We had no drops in the remote office yesterday and then today a few within the first hour, which all appear to happen when/after the client roamed. I'm still waiting for Cisco to respond to the log traces but won't hold my breath. 

Intel released a new driver on 10/2 (24.20.0) which mentions an option to disable roaming based on AP load rather than signal strength - I don't think it's directly related to this but we're going to test it. 

New driver, no difference, unfortunately. Client roams from 1 AP to another and drops out with the same sequence of events in the wlan report file. 

Hi,

Here another one affected by this issue. Have anyone get any official information?

Thanks.

Kind regards.