Windows client intermittent connection to PEAP WIFI backed off to ISE 1.2 wildcard cert
I am setting up a topology where for the first time I am deploying ISE with a wildcard certificate. This is on ISE 1.2 patch 6, WLCs running 7.6 and Windows 7 clients in AD. The ISE policy is just to match on machine auth.
The setting up of the wildcard cert went ok as guided by the CCO ISE 1.2 deployment/cfg guide.
When it came to testing the client auth as always I start off with the PEAP settings of Validate server certificate off, just to confirm the WLC and ISE are playing ball. They were, the auth passed.
I then tick the Validate server certificate, make sure the CA (Windows AD) is in the Trusted Root Certification Authorities. Retest and the client passes.
If I then disconnect the wifi and reconnect, either manually or by doing a reboot, the next authentication fails, but nothing has changed. ISE reports that my Windows client rejected the server certificate. Which is odd as it just accepted it.
If I untick the validate the client passes, if I tick it again it will authenticate fine, once. The next connection it will fail again with the client rejecting ISE.
I have had a similar issue consistently with 1.2 on both patch 5 and 6 (not sure about earlier ones). Basically what I am seeing is the client rejecting the Server cert when validate is unticked. Most of the time the client connects just fine a few seconds later but some clients need a reboot to fix it. As a rule I put this down to client issue but not 100% sure sometimes.