https://community.cisco.com/t5/network-access-control/eap-tls-failed-ssl-tls-handshake-after-a-client-alert/m-p/4634072#M575592 <P>Hi Everyone,&nbsp;</P><P>&nbsp;</P><P>I hope everyone is keeping well.</P><P>&nbsp;</P><P>We are in the process of deploying EAP-TLS in a pilot phase with a mix of Mac OS and Win10 machines in our estate. Currently Win10 machines are working and being authenticated to the Corporate WLAN, but Mac OS machines (not domain joined) try to connect, we are getting 50/50 split of passed/failed authentications, no changes are being made to either ISE or the Mac (managed by JAMF).</P><P>&nbsp;</P><P>Passed Auth -&nbsp;Event&nbsp;5200 Authentication succeeded</P><P>Failed Auth -&nbsp;Event&nbsp;5400 Authentication failed (&nbsp;Failure Reason&nbsp;12521 EAP-TLS failed SSL/TLS handshake after a client alert )</P><P>&nbsp;</P><P>It looks like the Mac is not accepting the EAP-TLS handshake with ISE and failing with the following result in ISE logs:<BR />12815 Extracted TLS Alert message<BR />12521 EAP-TLS failed SSL/TLS handshake after a client alert<BR />12507 EAP-TLS authentication failed</P><P>&nbsp;</P><P>Can you see in ISE what certificate is being sent as part of the EAP-TLS request, or if anyone has managed to get Mac OS machine working using EAP-TLS? I have seen a couple of forum posts mentioning about creating a 2nd SSID for Mac's, but not sure if this then is keep going forward with you then managing 2x SSID's for Win &amp; Mac OS machines.</P><P>&nbsp;</P><P>Thanks for your assistance.</P><P>&nbsp;</P><P>Regards,</P><P>James</P> Sat, 18 Jun 2022 07:30:23 GMT JAMES WEST 2022-06-18T07:30:23Z https://community.cisco.com/t5/network-access-control/eap-tls-failed-ssl-tls-handshake-after-a-client-alert/m-p/4634072#M575592 <P>Hi Everyone,&nbsp;</P><P>&nbsp;</P><P>I hope everyone is keeping well.</P><P>&nbsp;</P><P>We are in the process of deploying EAP-TLS in a pilot phase with a mix of Mac OS and Win10 machines in our estate. Currently Win10 machines are working and being authenticated to the Corporate WLAN, but Mac OS machines (not domain joined) try to connect, we are getting 50/50 split of passed/failed authentications, no changes are being made to either ISE or the Mac (managed by JAMF).</P><P>&nbsp;</P><P>Passed Auth -&nbsp;Event&nbsp;5200 Authentication succeeded</P><P>Failed Auth -&nbsp;Event&nbsp;5400 Authentication failed (&nbsp;Failure Reason&nbsp;12521 EAP-TLS failed SSL/TLS handshake after a client alert )</P><P>&nbsp;</P><P>It looks like the Mac is not accepting the EAP-TLS handshake with ISE and failing with the following result in ISE logs:<BR />12815 Extracted TLS Alert message<BR />12521 EAP-TLS failed SSL/TLS handshake after a client alert<BR />12507 EAP-TLS authentication failed</P><P>&nbsp;</P><P>Can you see in ISE what certificate is being sent as part of the EAP-TLS request, or if anyone has managed to get Mac OS machine working using EAP-TLS? I have seen a couple of forum posts mentioning about creating a 2nd SSID for Mac's, but not sure if this then is keep going forward with you then managing 2x SSID's for Win &amp; Mac OS machines.</P><P>&nbsp;</P><P>Thanks for your assistance.</P><P>&nbsp;</P><P>Regards,</P><P>James</P> Sat, 18 Jun 2022 07:30:23 GMT https://community.cisco.com/t5/network-access-control/eap-tls-failed-ssl-tls-handshake-after-a-client-alert/m-p/4634072#M575592 JAMES WEST 2022-06-18T07:30:23Z https://community.cisco.com/t5/network-access-control/eap-tls-failed-ssl-tls-handshake-after-a-client-alert/m-p/4634084#M575593 <P>&nbsp;</P> <P>&nbsp;- Check this thread :&nbsp;<A href="https://community.cisco.com/t5/network-access-control/eap-tls-issue/td-p/3545371" target="_blank">https://community.cisco.com/t5/network-access-control/eap-tls-issue/td-p/3545371</A></P> <P>&nbsp;M.</P> Sat, 18 Jun 2022 08:25:12 GMT https://community.cisco.com/t5/network-access-control/eap-tls-failed-ssl-tls-handshake-after-a-client-alert/m-p/4634084#M575593 Mark Elsen 2022-06-18T08:25:12Z https://community.cisco.com/t5/network-access-control/eap-tls-failed-ssl-tls-handshake-after-a-client-alert/m-p/4634399#M575598 <P>Hi James</P> <P>In ISE after the process of sucess AuthorZ you can see the serial number of certificate's template&nbsp; (when endpoint use TLS together with ISE). In mi experience, Mac work better with PEAP. You can add PEAP+Mac Address Internal (On ISE) to consolidate the access.</P> <P>Regards, Ivan.</P> Sun, 19 Jun 2022 02:23:47 GMT https://community.cisco.com/t5/network-access-control/eap-tls-failed-ssl-tls-handshake-after-a-client-alert/m-p/4634399#M575598 ivan.martin 2022-06-19T02:23:47Z