I am facing this error while machine authenticates agaist AD for wireless users. My requirement is users with corporate laptop get privileged vlan and BYOD should get normal vlan.I am using Cisco ISE 1.1.1 and configured authentication policies to diffrenciate clients based on corp asset and BYOD. Authentication policy result is identity sequnce which uses certificate profile and AD. All corp laptops should be authenticated using certificates and then followed by AD user and pass. when I configure XP users to validate server certificate this error comes in ISE log "Authentication failed : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client" and if I disable validate sewrver certificate then this error "Authentication failed : 22049 Binary comparison of certificates failed".
Thanks in advance.
This is a limitation on the native supplicant, when you enable smart card or certificate authentication for the network connection, then it tries to use this for both machine and user authentication. It does not allow you to use certificate authentication for machine auth, and password authenticaiton for user authentication.
You can use anyconnect network access manager (which is free if you have a cisco wireless network) and not only does it allow you to set which type of authentication you want (certificate for machine and password for user) but it has a new feature out which is called eap chaining. Eap chaining is a powerful option because you can choose the order (machine first then user) when the client connects to the network. No longer do you have to stress about the machine authentication timers and wondering what is the best fit when it comes to users logging in and out of their machines in order to update the machine authentication cache in ISE. However eap chaining uses eap-fast, which is a pac-based authentication framework.
Here is the latest release note about this feature (currently in beta):
*Please rate helpful posts*