https://community.cisco.com/t5/network-access-control/ise-802-1x-authentication-failure-12535-the-eap-tls-session/m-p/5364994#M599632 <P>Hi,</P> <P>&nbsp;&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/112193">@matthew.goli1</a>&nbsp;Try disabling Credential Guard on client side:</P> <P><A href="https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=reg" target="_blank">https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=reg</A></P> <P>Thanks,</P> <P>Cristian.</P> Sat, 24 Jan 2026 19:17:48 GMT Cristian Matei 2026-01-24T19:17:48Z https://community.cisco.com/t5/network-access-control/ise-802-1x-authentication-failure-12535-the-eap-tls-session/m-p/5361273#M599546 <P>Hello,</P><P>I have been experiencing a number of Windows endpoints failing 802.1x authentication with the failure reason of "<SPAN>12535 The EAP-TLS session ticket received from supplicant is expired".&nbsp; When this occurs the endpoint's Wired Event log shows this event message:<BR />============================================</SPAN></P><DIV>Wired 802.1X Authentication failed.</DIV><DIV>&nbsp;</DIV><DIV><SPAN>Network Adapter: Intel(R) Ethernet Connection (11) I219-LM</SPAN></DIV><DIV><SPAN>Interface GUID: {caad02e9-f125-4451-bed6-b19c17cfd2b1}</SPAN></DIV><DIV><SPAN>Peer Address: 5067AECA6791</SPAN></DIV><DIV><SPAN>Local Address: D8BBC181B75E</SPAN></DIV><DIV><SPAN>Connection ID: 0x2</SPAN></DIV><DIV><SPAN>Identity: host/S23IA15.wfn.int</SPAN></DIV><DIV><SPAN>User: -</SPAN></DIV><DIV><SPAN>Domain: -</SPAN></DIV><DIV><SPAN>Reason: 0x50005</SPAN></DIV><DIV><SPAN>Reason Text: The message received was unexpected or badly formatted.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>Error Code: 0x80090326</SPAN></DIV><DIV><SPAN>============================================</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>Googling this isn't turning up many answers for me yet.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>When the client fails 802.1x authentication, it then authenticates via MAB successfully, but our MAB policy places a Block all ACL on that endpoint causing a disruption.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>After a few minutes the client re-authenticates successfully with 802.1x.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>This is on an ISE deployment with ISE version 3.2 patch 9.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>I did have a TAC open and we disabled "EAP TLS Session Resume" based on their recommendations but still seeing this issue occur randomly across different clients on our network.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>Wondering if anyone here has some more insight on this issue and what can be done about it.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>Matt.</SPAN></DIV><DIV>&nbsp;</DIV><P><SPAN>&nbsp;</SPAN></P> Wed, 14 Jan 2026 17:20:36 GMT https://community.cisco.com/t5/network-access-control/ise-802-1x-authentication-failure-12535-the-eap-tls-session/m-p/5361273#M599546 matthew.goli1 2026-01-14T17:20:36Z https://community.cisco.com/t5/network-access-control/ise-802-1x-authentication-failure-12535-the-eap-tls-session/m-p/5362978#M599586 <P>I was under the impression that this relates to the Stateless Session Resume (which is separate to the EAP-TLS Session Resume feature - this feature is where the Server (ISE) keeps track of the session lifetime) - have you got this enabled still?&nbsp; Try disabling that. I don't know how many vendor products support this (Windows native supplicant probably does).</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ArneBier_0-1768871126077.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/258104i478642B84C414735/image-size/large?v=v2&amp;px=999" role="button" title="ArneBier_0-1768871126077.png" alt="ArneBier_0-1768871126077.png" /></span></P> <P>&nbsp;</P> Tue, 20 Jan 2026 01:07:27 GMT https://community.cisco.com/t5/network-access-control/ise-802-1x-authentication-failure-12535-the-eap-tls-session/m-p/5362978#M599586 Arne Bier 2026-01-20T01:07:27Z https://community.cisco.com/t5/network-access-control/ise-802-1x-authentication-failure-12535-the-eap-tls-session/m-p/5364994#M599632 <P>Hi,</P> <P>&nbsp;&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/112193">@matthew.goli1</a>&nbsp;Try disabling Credential Guard on client side:</P> <P><A href="https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=reg" target="_blank">https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=reg</A></P> <P>Thanks,</P> <P>Cristian.</P> Sat, 24 Jan 2026 19:17:48 GMT https://community.cisco.com/t5/network-access-control/ise-802-1x-authentication-failure-12535-the-eap-tls-session/m-p/5364994#M599632 Cristian Matei 2026-01-24T19:17:48Z