Cisco ISE not working with LDAPS for 8021.x Radius Authentication

hashimwajid1 — Mon, 19 Jan 2026 16:05:34 GMT

Hello,

I am configuring 8021.x Radius for Windows 11 Users, and I have integrated ISE 3.4 with Domain controller 2025 by using AD and LDAPS method and both integrated successfully, however when I use AD method then windows clients successfully authenticating, but when I switched Authentication method on ISE to LDAPS then Windows users authentication failing. below are logs from ISE.

I am using user/password credential from AD/LDAPS

Event 5400 Authentication failed
Username INVALID\INVALID
Endpoint Id C4:D6:D3:x.x.x
Endpoint Profile
Authentication Policy Wired_Access_Policy >> Wired_802.1X
Authorization Policy Wired_Access_Policy
Authorization Result

Authentication Details

Policy Server ISE01

Event 5400 Authentication failed

Failure Reason: 22064 Authentication method is not supported by any applicable identity store(s)

Resolution: The authentication method that was negotiated with the client was not supported by any of the identity stores specified by the authentication policy. Configure the endpoint client to use a different authentication method or change the authentication policy to allow an identity store that supports that authentication method

Root cause: Authentication method is not supported by any applicable identity store(s)

Username INVALID\INVALID
Endpoint Id C4:D6:D3:x.x.x
Calling Station Id C4-D6-D3-x.x.x
Audit Session Id 640C0A0A0000003BD6DF3230
Authentication Method dot1x
Authentication Protocol PEAP (EAP-MSCHAPv2)
Service Type Framed
Network Device Access-SW01
Device Type All Device Types#Cisco-Catalyst-Switch
Location All Locations#VIL
NAS IPv4 Address 10.1.1.10
NAS Port Id GigabitEthernet1/0/5
NAS Port Type Ethernet
Response Time 24 milliseconds

Other Attributes
ConfigVersionId 4262
Device Port 60997
DestinationPort 1812
RadiusPacketType AccessRequest
Protocol Radius
NAS-Port 50104
Framed-MTU 1468
State 37CPMSessionID=640C0A0A0000003BD6DF3230;34SessionID=KDD08ISE01/554749706/574;
NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow false
AcsSessionID ISE01/554749706/574
DetailedInfo Invalid username or password specified
SelectedAuthenticationIdentityStores LDAPS
IdentityPolicyMatchedRule Wired_802.1X
EndPointMACAddress C4-D6-D3-x.x.x
ISEPolicySetName Wired_Access_Policy
IdentitySelectionMatchedRule Wired_802.1X
TotalAuthenLatency 122
ClientLatency 98
TLSCipher ECDHE-RSA-AES256-GCM-SHA384
TLSVersion TLSv1.2
TLSSupportedGroups secp384r1
TLSSignatureAlgorithms NONE
DTLSSupport Unknown
Network Device Profile Cisco
Location Location#All Locations#VIL
Device Type Device Type#All Device Types#Cisco-Catalyst-Switch
IPSEC IPSEC#Is IPSEC Device#No
RADIUS Username INVALID\INVALID
Device IP Address 10.1.1.10
CPMSessionID 640C0A0A0000003BD6DF3230
Called-Station-ID 9C:A9:B8:F6:BE:84
CiscoAVPair service-type=Framed,
audit-session-id=640C0A0A0000003BD6DF3230,
method=dot1x,
client-iif-id=350331839

Result
RadiusPacketType AccessReject

Session Events
2026-01-19 19:32:15.37 Authentication failed

=======================

Steps
Step ID Description Latency (ms)
11001 Received RADIUS Access-Request
11017 RADIUS created a new session 0
15049 Evaluating Policy Group 0
15008 Evaluating Service Selection Policy 0
15048 Queried PIP - Normalised Radius.RadiusFlowType 2
11507 Extracted EAP-Response/Identity 2
12500 Prepared EAP-Request proposing EAP-TLS with challenge 0
12625 Valid EAP-Key-Name attribute received 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 4
11018 RADIUS is re-using an existing session 0
12301 Extracted EAP-Response/NAK requesting to use PEAP instead 0
12300 Prepared EAP-Request proposing PEAP with challenge 0
12625 Valid EAP-Key-Name attribute received 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 15
11018 RADIUS is re-using an existing session 0
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated 0
34166 Open secure connection with TLS peer 0
12318 Successfully negotiated PEAP version 0 0
12800 Extracted first TLS record; TLS handshake started 0
12805 Extracted TLS ClientHello message 0
12806 Prepared TLS ServerHello message 1
12807 Prepared TLS Certificate message 0
12808 Prepared TLS ServerKeyExchange message 14
12810 Prepared TLS ServerDone message 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 4
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 5
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 4
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 5
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 9
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12318 Successfully negotiated PEAP version 0 0
12810 Prepared TLS ServerDone message 0
12812 Extracted TLS ClientKeyExchange message 1
12803 Extracted TLS ChangeCipherSpec message 0
12804 Extracted TLS Finished message 0
12801 Prepared TLS ChangeCipherSpec message 0
12802 Prepared TLS Finished message 0
12816 TLS handshake succeeded 0
12310 PEAP full handshake finished successfully 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 24
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 1
12313 PEAP inner method started 0
11521 Prepared EAP-Request/Identity for inner EAP method 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 5
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
11522 Extracted EAP-Response/Identity for inner EAP method 0
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 19
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated 0
15041 Evaluating Identity Policy 0
15013 Selected Identity Source - LDAPS 3
22043 Current Identity Store does not support the authentication method; Skipping it - LDAPS 0
22064 Authentication method is not supported by any applicable identity store(s) 0
22058 The advanced option that is configured for an unknown user is used 0
22060 The 'Continue' advanced option is configured in case of a failed authentication request 0
11815 Inner EAP-MSCHAP authentication failed 0
11520 Prepared EAP-Failure for inner EAP method 0
22028 Authentication failed and the advanced options are ignored 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 3
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
34167 Shutdown secure connection with TLS peer 0
12307 PEAP authentication failed 0
11504 Prepared EAP-Failure 0
11003 Returned RADIUS Access-Reject 0

Re: Cisco ISE not working with LDAPS for 8021.x Radius Authentication

Cristian Matei — Mon, 19 Jan 2026 16:33:56 GMT

Hi,

@hashimwajid1 What you're seeing is expected. Due to security limitations, as these EAP-MSCHAPv2 require complex challenge-handshake mechanisms, LDAP or LDAPS integration lacks this capability.

Also documented here: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216190-configure-and-troubleshoot-ise-with-exte.html

Thanks,

Cristian.

topic Cisco ISE not working with LDAPS for 8021.x Radius Authentication in Network Access Control

Cisco ISE not working with LDAPS for 8021.x Radius Authentication

Re: Cisco ISE not working with LDAPS for 8021.x Radius Authentication