https://community.cisco.com/t5/network-access-control/authtication-policy-can-t-use-eap-tls/m-p/3708264#M507696 <P>in EAP-TLS each client should have their own certificate.&nbsp; You shouldn't be trying to export a certificate from ISE and trying to get the client's to use it to authenticate EAP-TLS.&nbsp; Further more if you are trying something like this you need to export both the cert/private key and ensure the certificate has EKU client auth enabled.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 17 Sep 2018 17:55:09 GMT paul 2018-09-17T17:55:09Z https://community.cisco.com/t5/network-access-control/authtication-policy-can-t-use-eap-tls/m-p/3708209#M507598 <P>Hello,</P> <P>&nbsp;</P> <P>We have a problem in the configuration of the Authentification Policy, im selecting EAP-TLS in order to force clients to use the certification that i exported from the ISE, but the endpoint can only authenticate using "<SPAN>PEAP (EAP-MSCHAPv2)" even if there is no rule for this protocol.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks to help us.</SPAN></P> Mon, 17 Sep 2018 16:12:08 GMT https://community.cisco.com/t5/network-access-control/authtication-policy-can-t-use-eap-tls/m-p/3708209#M507598 hamzazidane 2018-09-17T16:12:08Z https://community.cisco.com/t5/network-access-control/authtication-policy-can-t-use-eap-tls/m-p/3708236#M507599 have you tried using the default authentication ruleset and simple relying on authorization rules?<BR /><BR />Simple examples here in the BYOD guide (you don’t need the BYOD rules) just the one with cert auth minus registration state<BR /><BR />See page 25 remove the BYOD is registered and that should work<BR /><A href="https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867" target="_blank">https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867</A><BR /><BR /><BR /> Mon, 17 Sep 2018 16:58:35 GMT https://community.cisco.com/t5/network-access-control/authtication-policy-can-t-use-eap-tls/m-p/3708236#M507599 Jason Kunst 2018-09-17T16:58:35Z https://community.cisco.com/t5/network-access-control/authtication-policy-can-t-use-eap-tls/m-p/3708264#M507696 <P>in EAP-TLS each client should have their own certificate.&nbsp; You shouldn't be trying to export a certificate from ISE and trying to get the client's to use it to authenticate EAP-TLS.&nbsp; Further more if you are trying something like this you need to export both the cert/private key and ensure the certificate has EKU client auth enabled.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 17 Sep 2018 17:55:09 GMT https://community.cisco.com/t5/network-access-control/authtication-policy-can-t-use-eap-tls/m-p/3708264#M507696 paul 2018-09-17T17:55:09Z