topic Re: EAP-TLS not working but PEAP is OK in Network Access Control

EAP-TLS not working but PEAP is OK

Ruelb2214 — Fri, 21 Mar 2025 08:40:55 GMT

Hi,

I been using PEAP for endpoints authentication in our infra, we authenticate machine + user ID to grant access on network and no issue.

Recently we needed to change to EAP-TLS method, by using the same certificate in ISE which is working with PEAP.

I edit the supplicant (Win11) settings from PEAP to EAP-TLS, refer to screenshots. Do note the ISE cert for EAP/Radius is sign by intermediate CA and both Root CA and intermediate are uploaded or trusted in ISE and supplicant Trust Root cert settings.

In addition, the cert auth profile is configured the same, we use cert attribute "Subject-Common Name"

As per checking on live logs, I can only see it receives the endpoint mac address instead of hostname (host/).

Do you think I miss some configuration on ISE or endpoint to make EAP-TLS working?

Re: EAP-TLS not working but PEAP is OK

Nikolai Catey — Fri, 21 Mar 2025 09:30:55 GMT

Do you use a radius server and have specified the VLAN for that certain user on the router

Regards - NC

Re: EAP-TLS not working but PEAP is OK

Ambuj M — Fri, 21 Mar 2025 10:05:44 GMT

go through part 1,2,3 here if it still doesn't work, send attach ISE logs.

Re: EAP-TLS not working but PEAP is OK

Ruelb2214 — Tue, 25 Mar 2025 06:48:40 GMT

@Ambuj M YES i been foloowing that link since start.

I did debug the problem is when machine boot up, based on the logs the machine did not sent username with "host/" attribute, instead it send only the mac address thus not able to authenticate.

Do you have idea why it sends mac address instead of machine hostname?

This is my interface config port and radius attribute:

switchport mode access
authentication event server dead action authorize vlan 125
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level pps 1k
storm-control multicast level 10.00
storm-control action trap
spanning-tree portfast

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 3
radius-server retransmit 5
radius-server deadtime 2
radius-server load-balance method least-outstanding

Re: EAP-TLS not working but PEAP is OK

Ruelb2214 — Tue, 25 Mar 2025 07:09:32 GMT

Just to add in, if I configure PEAP on supplicant or endpoint, on the debug logs we are able to see the HOST\ attribute when machine authenticate. From this instance I can say there's no issue on the certificate itself.

Please enlighten me what could be the root cause

Re: EAP-TLS not working but PEAP is OK

Ruelb2214 — Thu, 03 Apr 2025 08:18:00 GMT

finally manage to find the root cause when I did wire shark capture.

The issue was the setting on the machine cert, the application setting was set to server auth instead of client auth.

Thank you guys for your response.