I'm not entirely sure if this post will be relevant for this forum, since I don't think it's an issue with ISE per se, but would like to get some opinions on the problem nonetheless.
I have an ISE deployment running 1.2 and have set up an SSID for guest users to authenticate using 802.1x (MSCHAPv2), as per this guide. The Authentication policy matches the WLAN ID and allows all the MSCHAPv2 protocols (PEAP, LEAP etc.) and uses the Guest Users identity source (new to 1.2). Authorization policy is pretty simple, again matches the WLAN and checks that authentication is successful before permitting access. I have dedicated one PSN for this SSID which has a Verizon certificate to use for EAP, which is trusted by 99% of devices out there.
For the most part this solution works perfectly fine, but I am having some intermittent issues with Windows 7 supplicants using this SSID. The problem seems to be that the supplicant is trying to perform TLS authentication even when I manually configure the supplicant for PEAP w/ MSCHAPv2 (see the error below).
12503 Failed to negotiate EAP because EAP-TLS not enabled in Allowed Protocols
Ensure that the EAP-TLS protocol is enabled by ISE in the Allowed Protocols.
The client's supplicant sent an EAP-Response/NAK packet rejecting the previously-proposed EAP-based protocol, and requesting to use EAP-TLS instead. However, EAP-TLS is not allowed in the Allowed Protocols.
Has anyone encountered this before? Why would I need to allow TLS when the supplicant should be using MSCHAPv2?
Again, apologies for being semi-off-topic. It's probably more a Windows problem than a Cisco problem.
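To make the quoted 12503 message concrete, here is an added example (not from the post, and not ISE's or Microsoft's code) that encodes the RFC 3748 EAP exchange it describes: the server proposes PEAP (type 25), the supplicant answers with an EAP-Response/Nak (type 3) asking for EAP-TLS (type 13), and a modelled allowed-protocols check rejects the request. The allowed set {LEAP, PEAP, EAP-MSCHAPv2} and the negotiation logic are assumptions that mirror the policy described above, not ISE's actual implementation.

```python
import struct

# EAP method type codes (IANA registry / RFC 3748 section 5) for the methods named in the post.
EAP_TYPES = {3: "Nak", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 26: "EAP-MSCHAPv2"}
EAP_REQUEST, EAP_RESPONSE = 1, 2


def build_eap(code, identifier, eap_type, type_data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    body = bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode the EAP header; for a legacy Nak (type 3) also list the desired method types."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5:
        raise ValueError("bad EAP length field")
    eap_type = pkt[4]
    info = {"code": code, "id": identifier, "type": eap_type}
    if code == EAP_RESPONSE and eap_type == 3:
        # RFC 3748 5.3.1: Type-Data carries one or more desired method types;
        # a lone 0 means the peer has no acceptable alternative.
        info["desired"] = [t for t in pkt[5:] if t != 0]
    return info


def server_negotiate(allowed, client_response):
    """Assumed model of the allowed-protocols check behind ISE failure 12503:
    if the client Naks the proposed method and none of its requested types are
    permitted by policy, authentication cannot continue."""
    resp = parse_eap(client_response)
    if resp["type"] != 3:
        return "continue", EAP_TYPES.get(resp["type"], str(resp["type"]))
    for want in resp["desired"]:
        if want in allowed:
            return "continue", EAP_TYPES.get(want, str(want))  # retry with a permitted method
    wanted = ", ".join(EAP_TYPES.get(t, str(t)) for t in resp["desired"])
    return "fail", f"12503-style failure: client requested {wanted}, not in Allowed Protocols"


if __name__ == "__main__":
    allowed = {17, 25, 26}  # assumed policy from the post: LEAP, PEAP, EAP-MSCHAPv2, no EAP-TLS
    request = build_eap(EAP_REQUEST, 1, 25)           # server proposes PEAP
    nak = build_eap(EAP_RESPONSE, 1, 3, bytes([13]))   # supplicant Naks and asks for EAP-TLS
    print(parse_eap(request))
    print(server_negotiate(allowed, nak))
```

Adding 13 to the allowed set makes the same Nak negotiate to EAP-TLS instead, which is what the log hint suggests, but it only masks a supplicant that is not honouring its PEAP profile.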