Cisco Support Community
Windows Supplicant w/ Guests using 802.1x

Hi all

I'm not entirely sure if this post will be relevant for this forum, since I don't think it's an issue with ISE per se, but would like to get some opinions on the problem nonetheless.

I have an ISE deployment running 1.2 and have set up an SSID for guest users to authenticate using 802.1x (MSCHAPv2), as per this guide. The Authentication policy matches the WLAN ID and allows all the MSCHAPv2 protocols (PEAP, LEAP etc.) and uses the Guest Users identity source (new to 1.2). Authorization policy is pretty simple, again matches the WLAN and checks that authentication is successful before permitting access. I have dedicated one PSN for this SSID which has a Verizon certificate to use for EAP, which is trusted by 99% of devices out there.

For the most part this solution works perfectly fine, but I am having some intermittent issues with Windows 7 supplicants using this SSID. The problem seems to be that the supplicant is trying to perform TLS authentication even when I manually configure the supplicant for PEAP w/ MSCHAPv2 (see below error).

Failure Reason: 12503 Failed to negotiate EAP because EAP-TLS not enabled in Allowed Protocols
Resolution: Ensure that the EAP-TLS protocol is enabled by ISE in the Allowed Protocols.
Root cause: The client's supplicant sent an EAP-Response/NAK packet rejecting the previously-proposed EAP-based protocol, and requesting to use EAP-TLS instead. However, EAP-TLS is not allowed in the Allowed Protocols.

Has anyone encountered this before? Why would I need to allow TLS when the supplicant should be using MSCHAPv2?

Again apologies for being semi-off-topic. It's probably more a Windows problem than a Cisco problem.
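The ISE root-cause text above describes the RFC 3748 method negotiation: the server sends EAP-Request/PEAP, the supplicant answers EAP-Response/NAK carrying the method type(s) it wants instead (here EAP-TLS, type 13), and the server can only re-propose one of those if it is in the allowed list. The following is an added example, not code from the original post, from Cisco or from ISE: it encodes and parses the EAP packets involved and applies that server-side decision to an allowed list modelled on the MSCHAPv2-only policy in the post. The packet bytes and the failure wording are constructed here for illustration; only the EAP codes and IANA method type numbers are real.

```python
"""EAP method negotiation as seen by the authentication server (RFC 3748).

Added example, not from the original post or from Cisco ISE. It models the
exchange the ISE failure text describes: the server proposes a method in an
EAP-Request, the supplicant replies EAP-Response/NAK listing the method(s)
it wants instead, and the server either re-proposes an allowed method or
fails. Method numbers are the IANA EAP type assignments; the failure
wording below is constructed, not ISE's exact text.
"""
import struct

# EAP codes (RFC 3748 section 4.1)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4

# EAP method types (IANA registry); only those relevant to the post.
TYPE_IDENTITY = 1
TYPE_NAK = 3          # legacy NAK, RFC 3748 section 5.3.1
TYPE_EAP_TLS = 13
TYPE_LEAP = 17
TYPE_PEAP = 25
TYPE_EAP_MSCHAPV2 = 26
TYPE_NAMES = {13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def build_eap(code, identifier, eap_type=None, data=b""):
    """Encode Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode an EAP packet into a dict; raise ValueError if malformed."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet size")
    payload = pkt[4:length]
    eap_type = payload[0] if payload else None
    return {"code": code, "id": identifier, "type": eap_type, "data": payload[1:]}


def nak_requested_types(parsed):
    """Method types the peer asks for in a legacy NAK, in its preference order.

    Type-Data is one or more octets of desired types; a single 0 octet means
    the peer has no acceptable alternative (RFC 3748 section 5.3.1).
    """
    if parsed["code"] != EAP_RESPONSE or parsed["type"] != TYPE_NAK:
        raise ValueError("not an EAP-Response/NAK")
    return [t for t in parsed["data"] if t != 0]


def handle_response(allowed, proposed, response_pkt, identifier):
    """Server decision after sending EAP-Request/<proposed> with this identifier.

    'allowed' plays the role of the Allowed Protocols list. Returns
    (verdict, next_packet_or_None, reason) where verdict is one of
    'continue' (peer accepted the method), 'retry' (server re-proposes a
    method the NAK asked for and policy allows) or 'fail'.
    """
    parsed = parse_eap(response_pkt)
    next_id = (identifier + 1) & 0xFF
    if parsed["code"] != EAP_RESPONSE:
        return ("fail", build_eap(EAP_FAILURE, next_id),
                "expected EAP-Response, got code %d" % parsed["code"])
    if parsed["type"] == proposed:
        return ("continue", None, "peer accepted %s" % TYPE_NAMES.get(proposed, proposed))
    if parsed["type"] != TYPE_NAK:
        return ("fail", build_eap(EAP_FAILURE, next_id),
                "peer answered type %s instead of %s or NAK" % (parsed["type"], proposed))
    wanted = nak_requested_types(parsed)
    # Peer lists alternatives by preference; take the first one policy allows.
    for t in wanted:
        if t in allowed:
            return ("retry", build_eap(EAP_REQUEST, next_id, t),
                    "re-proposing %s" % TYPE_NAMES.get(t, t))
    names = ", ".join(TYPE_NAMES.get(t, str(t)) for t in wanted) or "nothing"
    return ("fail", build_eap(EAP_FAILURE, next_id),
            "peer NAKed %s and requested %s, not in allowed protocols"
            % (TYPE_NAMES.get(proposed, proposed), names))


def demo_guest_ssid_case():
    """Reproduce the post's situation: PEAP offered, supplicant NAKs for EAP-TLS."""
    allowed = [TYPE_PEAP, TYPE_LEAP, TYPE_EAP_MSCHAPV2]   # no EAP-TLS, as in the post
    ident = 1
    # Constructed supplicant reply: NAK whose only desired type is EAP-TLS (13).
    nak = build_eap(EAP_RESPONSE, ident, TYPE_NAK, bytes([TYPE_EAP_TLS]))
    return handle_response(allowed, TYPE_PEAP, nak, ident)


if __name__ == "__main__":
    verdict, pkt, reason = demo_guest_ssid_case()
    print(verdict, pkt.hex(), reason)
```

The useful diagnostic is the NAK's Type-Data: if a packet capture of the failing Windows 7 client shows a NAK listing only type 13, the supplicant genuinely wants EAP-TLS and no server-side PEAP setting will change that; if it lists 13 followed by 25, a server that walks the preference list (as `handle_response` does) will still fall back to PEAP. A `retry` in this model only says the method was re-proposed; the inner MSCHAPv2 exchange and server certificate validation are outside its scope.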
