Windows client intermittent connection to PEAP WIFI backed off to ISE 1.2 wildcard cert

Nicholas Poole · ‎03-21-2014

I am setting up a topology whwere for the first time I am deplying ISE with a wildcard certificate. This is on ISE 1.2 patch 6, WLC's running 7.6 and Windows 7 clients in AD. The ISE policy is just to match on machine auth.

The setting up of the wildcard cert went ok as guided by the CCO ISE 1.2 deployment/cfg guide.

When it came to testing the client auth as always I start off with the PEAP settings of Validate server certificate off, just to confirm the WLC and ISE are playing ball. They were, the auth passed.

I then tick the Validate server certificate, make sure the CA (Windows AD) is in the Trusted Root Certification Authorities. Retest and the client passes.

If I then disconnect the wifi and reconnect, either manually or by doing a reboot, the next authenticaiton fails, but nothing has changed. ISE reports that my Windows client rejected the server certificate. Which is odd as it just accepted it.

If I untick the validate the client passes, if i tick it again it will authenticate fine, once. The next connection it will fail again with the client rejecting ISE.

Anyone got any ideas?

Stephen McBride · ‎03-23-2014

I have had a similar issue consistently with 1.2 on both pathc 5 and 6 (not sure about earlier one). Basically what I am seeing is the client rejecting the Server cert when validate is unticked. Most of the time the client connects just fine a few seconds later but some clients need a reboot to fix it. As a rule I put this down to client issue but not 100% sure some times.