After lots of testing with laptops authenticating with ISE over wireless using EAP-TLS, we have a few laptops that, despite having the same client configuration, attempt to use PEAP. This ultimately fails and I'm unsure why they're trying to use PEAP, since I've also disabled PEAP as an applicable protocol within ISE.
Any ideas? They're all Windows 7 (x64) using the native supplicant with the Cisco NAC agent for posturing. They're all set to use 'smart card or certificate', not to validate the server certificate and use computer authentication.
One client was attempting to authenticate using PEAP but failing due to "12511 Unexpectedly received TLS alert message; treating as a rejection by the client". We're using internally generated certificates here but we of course trust our corporate CA. On top of that, in the supplicant we disable 'validate server certificate'. However, once I followed this article (
I have been able to resolve this, pity I can't mark my own response as the answer.
SSIDs are case sensitive. The SSID was defined as "AAA-CORP", but the group policy we have defined "AAA-Corp". It meant it wasn't auto connecting and when people were manually connecting, it obviously found it and tried to connect but failed as it used the default authentication settings within Windows.
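A check for the SSID case mismatch described above, as an added example that is not part of the original thread: it parses a WLAN profile export (a constructed sample of the XML that `netsh wlan export profile` writes) and compares its SSID with the broadcast SSID case-sensitively. The function name `Test-WlanSsidCase` and the variable names are hypothetical.

```powershell
# Added example. The XML is a constructed, trimmed sample of what
# "netsh wlan export profile folder=<dir>" writes for a GPO-deployed profile.
[xml]$wlanXml = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>AAA-Corp</name>
  <SSIDConfig><SSID><name>AAA-Corp</name></SSID></SSIDConfig>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod>
          <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
        </EapMethod>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
'@

# Hypothetical helper: compare the profile SSID with the broadcast SSID.
function Test-WlanSsidCase {
    param([xml]$Xml, [string]$BroadcastSsid)

    # local-name() sidesteps registering the nested XML namespaces.
    $ssidNode = $Xml.SelectSingleNode(
        "//*[local-name()='SSIDConfig']/*[local-name()='SSID']/*[local-name()='name']")
    $eapNode = $Xml.SelectSingleNode(
        "//*[local-name()='EapMethod']/*[local-name()='Type']")
    $ssid = if ($ssidNode) { $ssidNode.InnerText } else { '' }

    # EAP method type numbers: 13 = EAP-TLS, 25 = PEAP.
    $eap = 'none/unknown'
    if ($eapNode -and $eapNode.InnerText -eq '13') { $eap = 'EAP-TLS' }
    if ($eapNode -and $eapNode.InnerText -eq '25') { $eap = 'PEAP' }

    # -ceq is case-sensitive, -ieq is not; SSID matching is case-sensitive.
    $status = 'Different'
    if ($ssid -ieq $BroadcastSsid) { $status = 'CaseMismatch' }
    if ($ssid -ceq $BroadcastSsid) { $status = 'Match' }

    New-Object PSObject -Property @{
        ProfileSsid   = $ssid
        BroadcastSsid = $BroadcastSsid
        ProfileEap    = $eap
        Status        = $status   # only 'Match' means this profile is used
    }
}

Test-WlanSsidCase -Xml $wlanXml -BroadcastSsid 'AAA-CORP' | Format-List
```

A `CaseMismatch` result alongside `ProfileEap = EAP-TLS` is the situation from the thread: the EAP-TLS profile exists but never applies to the SSID the client actually joins.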
If you’re configuring your 802.1x settings via Group Policy, you’ll sometimes see EAP-PEAP requests from clients in your RADIUS server log during booting even if you set EAP-TLS. This error happened in our case with 1/3 of the boots with some models. The error is caused by a timing problem during startup. Sometimes the 802.1x is faster and sometimes the Group Policy is, and if the 802.1x is faster, then the default configuration is taken, which is PEAP. This leads to an EAP-NAK by the RADIUS server.