topic Re: ISE Windows 11 issue in Network Access Control

ISE Windows 11 issue

Maurice Ball — Mon, 02 Mar 2026 08:21:55 GMT

I have an issue I hope someone could help me with. I am having an issue with 802.1x authentication on ISE. They are using PEAP with certificate computer only authentication and everything appears to be configured correctly but authentication continues to fail on Windows 11 wired clients. Note: They are using the same setup with Windows 10 clients and it works without any issues but with Windows 11 clients it fails on the wired connection but is successful with Windows 11 clients on the wireless connection. Basically it works everywhere correctly with the exception of the Windows 11 wired clients. Do you have any idea of what could be causing the issue?

Re: ISE Windows 11 issue

Rob Ingram — Mon, 02 Mar 2026 08:25:57 GMT

@Maurice Ball Windows 11 credentials guard is likely causing the problem as PEAP is insecure and blocked, you'd need to move to certificate authentication EAP-TLS or PEAP-TLS

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues

Re: ISE Windows 11 issue

Maurice Ball — Mon, 02 Mar 2026 08:55:54 GMT

Thanks for the quick reply but the credential guard looks to be disabled. The system account also has full access to the certificate's private key and Windows 11 fast startup is disabled.

Re: ISE Windows 11 issue

Rob Ingram — Mon, 02 Mar 2026 09:05:36 GMT

@Maurice Ball I assume the computers are still in the same OU in the domain and getting the GPO settings with the correct wired 802.1x authentication being applied?

What do the ISE logs give as the reason for failing to authenticate?

Re: ISE Windows 11 issue

Maurice Ball — Mon, 02 Mar 2026 09:11:43 GMT

Correct. I am getting a 5440 error on ISE but it is showing that the handshake was successful.

Re: ISE Windows 11 issue

Rob Ingram — Mon, 02 Mar 2026 09:23:11 GMT

@Maurice Ball usually an endpoint issue, take packet captures and run debugs on the switch.

Re: ISE Windows 11 issue

andrewswanson — Mon, 02 Mar 2026 16:18:28 GMT

Have you had a look at this thread regarding Windows 11 using TLS 1.3? It has a link to another thread showing how to disable this on windows 11 clients

hth

Andy

https://community.cisco.com/t5/network-access-control/ise-3-3-802-1x-eap-tls-tls1-3/td-p/5354087

Re: ISE Windows 11 issue

Jonatan Jonasson — Mon, 02 Mar 2026 16:37:12 GMT

To add to what others have said, take a look at the endpoint logs, they can often direct you into the right direction.

One item I'd like to point out, is that in windows11 there were some changes regarding the server validation.
In win10 and earlier, it used to be enough to have the CA in the trust store if you had server validation enabled/checked, but in some win11 update it became required to specifically select which CA you were going to trust.
One of the signs that people were running into this were that win11 clients failed where older clients worked.

Is it possible that this might be your case, and this might be correctly configured in your wifi GPO but not in the wired group policy?

Again, check the endpoints logs in the event viewer, they can be very valuable in determining why the authentication fails if it's the client refusing to continue the process.

Re: ISE Windows 11 issue

Maurice Ball — Tue, 03 Mar 2026 07:56:00 GMT

I have not checked this so thanks for the information.

Re: ISE Windows 11 issue

Maurice Ball — Tue, 03 Mar 2026 07:56:48 GMT

Ok, thanks.