06-30-2014 03:39 PM - edited 03-10-2019 09:50 PM
ISE Version: 1.2.0.899 (Running in VMware)
WLC: 5508 ver 7.6.100.0
I have a WLAN created that uses dot1x authentication. The WLAN points to ISE for RADIUS AAA. I cannot get any Windows computer to connect to it (7, 8 or 8.1 tested), but Android, iOS and OS X are all able to connect. I have a 3rd party cert (GoDaddy) installed in my local store in ISE, which is valid and not expired. I do not understand why Windows machines are failing.
I am migrating to this new ISE server and my old ISE server has the same configuration (as far as I can tell) for this WLAN and it works for all devices, including Windows. The difference is that it is on a different domain (the reason for the migration is we changed domains).
Here is the ISE error:
Event: 5400 Authentication failed
Failure Reason: 12511 Unexpectedly received TLS alert message; treating as a rejection by the client
Resolution: Ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
Root cause: While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
Here is the WLC error:
AAA Authentication Failure for UserName:Domain\User User Type: WLAN USER
Here is the Windows Event Viewer error:
Source: Microsoft-Windows-Security-Auditing
Event ID: 5632
Description:
A request was made to authenticate to a wireless network.
Subject:
Security ID: NULL
Account Name: User
Account Domain: Domain
Network Information:
Name (SSID): IT-Test
Additional Information:
Reason Code: Explicit Eap failure received (0x50005)
Error Code: 0x80420014
EAP Reason Code: 0x80420100
EAP Root Cause String: Network authentication failed\nThe user certificate required for the network can't be found on this computer.
EAP Error Code: 0x80420014
On the ISE server that is working, you are presented with a window that asks you to connect or terminate based on the certificate not being validated. I don't know why that isn't happening with this new ISE server; it just fails without prompting the user to connect or terminate. Both certs are from GoDaddy.
A difference between the certs is that the old server has a cert that was generated through ISE and the new server has an imported wildcard cert.
Anyway, I hope that is enough information to understand the issue. I appreciate the time anyone takes in assisting me with this issue. I did set up a copy of the WLAN so that I can test as needed and not have to wait for a maintenance window.