Windows 10 to Windows 11 in place upgrade failing, we suspect XIQ/NAC controlled port

XTRMUser
Contributor

We are doing in place Windows 10 to Windows 11 upgrades. We use a MDT server. Previous to the upgrade, the computer is authenticated and given the correct vlan, and all works good.

Authentication is done via LDAP to our domain controllers.

We use Extreme ERS edge switches (4800's and 4900's), with some 5540's running VOSS.

During the upgrade process, it appears that authentication fails (we don't know why), and the computer is given (in our setup) an internet only vlan, which has no access to the MDT server, and the upgrade fails.

Has anyone seen this, or know what we can do? I can always either disable EAP on the port, or put the MAC address of the computer in our exception list on XIQ-Control. Then after the upgrade, I can reverse the change I made. Just wondering if there is a better way, or if this is a "me only" problem.

Thanks.

1 ACCEPTED SOLUTION

james589goff
New Contributor

@XTRMUser wrote:

We are doing in place Windows 10 to Windows 11 upgrades. We use a MDT server. Previous to the upgrade, the computer is authenticated and given the correct vlan, and all works good.

Authentication is done via LDAP to our domain controllers.

We use Extreme ERS edge switches (4800's and 4900's), with some 5540's running VOSS.

During the upgrade process, it appears that authentication fails (we don't know why), and the computer is given (in our setup) an internet only vlan, which has no access to the MDT server, and the upgrade fails.

Has anyone seen this, or know what we can do? I can always either disable EAP on the port, or put the MAC address of the computer in our exception list on XIQ-Control. Then after the upgrade, I can reverse the change I made. Just wondering if there is a better way, or if this is a "me only" problem.

Thanks.


Yes, this issue has been reported by others. A common workaround is to disable EAP on the port or add the MAC address to the exception list in XIQ-Control during the upgrade, then revert the changes afterward.

Alternatively, you could check for any updates or patches for your Extreme ERS switches and ensure your NPS server is correctly configured.

Best Regards,
James Goff

4 REPLIES

ExtremeNorth
New Contributor III

Windows 11 introduces a feature called Credential Guard which doesn't allow cached credentials to be saved on the computer. Microsoft recommends using EAP-TLS, which may require certificates issued by AD for machine and/or users (depending on your NAC config). Currently we have to disable Credential Guard with a GPO until we can implement EAP-TLS or NEAP.

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/consideratio...

OscarK
Extreme Employee

I suspect during 1 part of the upgrade the wired autoconfig is not responding to any EAPOL packets after a network interface reset and the client is reverted back to NEAP (MAC) authentication.

I think adding a rule for mac authenticated clients that are being upgraded and put these mac addresses in a group that hits this rule should be a good workaround. But disabling eap will work also.
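
An added example, not part of any reply in this thread, that checks on a client the two causes suggested above: Credential Guard blocking password-based EAP (ExtremeNorth) and the Wired AutoConfig supplicant not answering EAPOL (OscarK). The function name, the property names, and the scratch folder `C:\Temp\lan-profiles` are assumptions; run it elevated before and after the upgrade.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
function Get-WiredDot1xReadiness {
    param([string]$ExportDir = 'C:\Temp\lan-profiles')  # hypothetical scratch folder, no spaces

    # Wired AutoConfig (dot3svc) is the supplicant service that answers EAPOL on wired NICs.
    $svc = Get-Service -Name dot3svc -ErrorAction SilentlyContinue

    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    # Export the wired 802.1X profiles to XML and collect the EAP method numbers in use.
    # IANA EAP types: 13 = EAP-TLS, 25 = PEAP, 26 = EAP-MSCHAPv2.
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    netsh lan export profile folder=$ExportDir | Out-Null
    $eapTypes = @(
        Get-ChildItem -Path $ExportDir -Filter *.xml -ErrorAction SilentlyContinue |
            ForEach-Object {
                [regex]::Matches((Get-Content $_.FullName -Raw), '<Type(\s[^>]*)?>(\d+)</Type>')
            } |
            ForEach-Object { [int]$_.Groups[2].Value } |
            Sort-Object -Unique
    )

    [pscustomobject]@{
        WiredAutoConfig             = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not found' }
        CredentialGuardRunning      = $cgRunning
        EapTypesInProfiles          = $eapTypes
        # True when a profile uses MSCHAPv2 (outer or inside PEAP) while Credential Guard runs.
        MsChapV2WithCredentialGuard = ($cgRunning -and ($eapTypes -contains 26))
        UsesEapTls                  = ($eapTypes -contains 13)
    }
}

Get-WiredDot1xReadiness | Format-List

# Recent supplicant events: shows whether 802.1X was attempted after the NIC reset.
Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' -MaxEvents 20 `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If `WiredAutoConfig` is not `Running / Automatic`, or no profile is exported after the upgrade phase, the switch sees no EAPOL response and falls back to MAC authentication, which matches the internet-only VLAN assignment described in the question.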

dora87booth
New Contributor

Hello,

It seems you're dealing with a tricky issue where authentication fails during the Windows 10 to Windows 11 upgrade, causing the computer to be assigned to an internet-only VLAN without access to the MDT server, thus failing the upgrade. Some approaches that might help include checking the authentication logs on your Extreme switches and LDAP server for error messages, verifying VLAN configuration on switch ports, and ensuring your Extreme switches and MDT server are running the latest firmware and software versions. You could also manually authenticate the computer during the upgrade to identify if the problem is specific to the process or a broader issue. If disabling EAP or adding the MAC address to the exception list on XIQ-Control is not ideal, exploring alternative authentication methods or configurations might provide a more stable solution during the upgrade process.

Best regards,
Dora
