https://community.cisco.com/t5/network-access-control/eap-tls-sha-2-certificate-thin-client-not-working/m-p/4497237#M570823 <P>Authentication Details<BR />Source Timestamp 2021-11-03 14:41:48.303<BR />Received Timestamp 2021-11-03 14:41:48.303<BR />Policy Server&nbsp;<BR />Event 5434 Endpoint conducted several failed authentications of the same scenario<BR />Failure Reason 11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed<BR />Resolution Ensure that the supplicant is correctly configured. Verify that supplicant has at least one EAP method cofigured.<BR />Root cause In previous EAP message ISE started an EAP method selected by Authentication Policy. Supplicant declined this EAP method by sending EAP NAK message but did not propose another EAP method that it is ready to conduct. Owing to this, EAP-negotiation failed.<BR />Username USERNAME<BR />Endpoint Id F4:39:09:<BR />IPv4 Address 10.1<BR />Audit Session Id 0A407D100000093885F13954<BR />Authentication Method dot1x<BR />Service Type Framed<BR />Network Device ASQ-<BR />Device Type All Device Types#Switch<BR />Location All Locations#1 Angel Square<BR />NAS IPv4 Address 10.163.<BR />NAS Port Id GigabitEthernet8/5<BR />NAS Port Type Ethernet</P> Wed, 03 Nov 2021 15:10:29 GMT anilkumar.cisco 2021-11-03T15:10:29Z https://community.cisco.com/t5/network-access-control/eap-tls-sha-2-certificate-thin-client-not-working/m-p/4497230#M570822 <P>Hello Team,</P><P>my authentication and authorization policy are correct, as SHA1 certificate is working fine.</P><P>&nbsp;</P><P>But when importing SHA2 client site certificate, I am getting Below error.</P><P>&nbsp;</P><P>Event 5434 Endpoint conducted several failed authentications of the same scenario<BR />Failure Reason 11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed</P><P>&nbsp;</P><P>In new SHA2 root certificate, I am seeing use only for Infrastructure but old SHA1 root ceritificate in Cisco ISE showing , it is for both Infra and endpoints..</P><P>&nbsp;</P><P>Pls advise.</P> Wed, 03 Nov 2021 15:00:41 GMT https://community.cisco.com/t5/network-access-control/eap-tls-sha-2-certificate-thin-client-not-working/m-p/4497230#M570822 anilkumar.cisco 2021-11-03T15:00:41Z https://community.cisco.com/t5/network-access-control/eap-tls-sha-2-certificate-thin-client-not-working/m-p/4497237#M570823 <P>Authentication Details<BR />Source Timestamp 2021-11-03 14:41:48.303<BR />Received Timestamp 2021-11-03 14:41:48.303<BR />Policy Server&nbsp;<BR />Event 5434 Endpoint conducted several failed authentications of the same scenario<BR />Failure Reason 11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed<BR />Resolution Ensure that the supplicant is correctly configured. Verify that supplicant has at least one EAP method cofigured.<BR />Root cause In previous EAP message ISE started an EAP method selected by Authentication Policy. Supplicant declined this EAP method by sending EAP NAK message but did not propose another EAP method that it is ready to conduct. Owing to this, EAP-negotiation failed.<BR />Username USERNAME<BR />Endpoint Id F4:39:09:<BR />IPv4 Address 10.1<BR />Audit Session Id 0A407D100000093885F13954<BR />Authentication Method dot1x<BR />Service Type Framed<BR />Network Device ASQ-<BR />Device Type All Device Types#Switch<BR />Location All Locations#1 Angel Square<BR />NAS IPv4 Address 10.163.<BR />NAS Port Id GigabitEthernet8/5<BR />NAS Port Type Ethernet</P> Wed, 03 Nov 2021 15:10:29 GMT https://community.cisco.com/t5/network-access-control/eap-tls-sha-2-certificate-thin-client-not-working/m-p/4497237#M570823 anilkumar.cisco 2021-11-03T15:10:29Z https://community.cisco.com/t5/network-access-control/eap-tls-sha-2-certificate-thin-client-not-working/m-p/4498205#M570875 <P>Please review&nbsp;</P> <UL> <LI><A href="https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897" target="_self">How To Implement Digital Certificates in ISE</A></LI> </UL> Fri, 05 Nov 2021 01:50:36 GMT https://community.cisco.com/t5/network-access-control/eap-tls-sha-2-certificate-thin-client-not-working/m-p/4498205#M570875 hslai 2021-11-05T01:50:36Z https://community.cisco.com/t5/network-access-control/eap-tls-sha-2-certificate-thin-client-not-working/m-p/4514882#M571526 <P>There was issue at the client site.. they were not presenting certificate properly.. and because of that.. ISE were not able to identify and validate the certificate match in AD as binary comparison..</P><P>&nbsp;</P><P>after that correction issue resolved..</P> Wed, 08 Dec 2021 01:49:34 GMT https://community.cisco.com/t5/network-access-control/eap-tls-sha-2-certificate-thin-client-not-working/m-p/4514882#M571526 anilkumar.cisco 2021-12-08T01:49:34Z