https://community.cisco.com/t5/network-access-control/client-using-incorrect-protocol/m-p/2479417#M87970 <HTML><HEAD></HEAD><BODY><P>Here is some more detail...</P><P></P><P>One client was attempting to authentication using PEAP but failing due to "12511 Unexpectedly received TLS alert message; treating as a rejection by the&nbsp; client". We're using internally generated certificates here but we of course trust our corporate CA. On top of that, in the supplicant we disable 'validate server certificate'. However, once I followed this article (</P><P><A class="jive-link-external-small" href="http://support.microsoft.com/kb/2518158">http://support.microsoft.com/kb/2518158</A><SPAN>) the client started using EAP-TLS and was successful.</SPAN></P><P></P><P>Another client, which has the same group policy for the wireless network settings works fine with no changes needed.</P><P></P><P>However a third one, which has the same group policy but has not had the modification from the Microsoft article continues to use PEAP.</P></BODY></HTML> Tue, 18 Feb 2014 21:55:34 GMT Mark H 2014-02-18T21:55:34Z https://community.cisco.com/t5/network-access-control/client-using-incorrect-protocol/m-p/2479416#M87969 <P>Hi everyone,</P><P></P><P>After lots of testing with laptops authentication with ISE over wireless using EAP-TLS, we have a few laptops that despite having the same client configuration attempt to use PEAP. This ultimately fails and I'm unsure why they're trying to use PEAP, since I've also disabled PEAP as an applicable protocol within ISE.</P><P></P><P>Any ideas? They're all Windows 7 (x64) using the native supplicant with the Cisco NAC agent for posturing. They're all set to use 'smart card or certificate', not to validate the server certificate and use computer authentication.</P><P></P><P>Mark</P> Mon, 11 Mar 2019 04:24:47 GMT https://community.cisco.com/t5/network-access-control/client-using-incorrect-protocol/m-p/2479416#M87969 Mark H 2019-03-11T04:24:47Z https://community.cisco.com/t5/network-access-control/client-using-incorrect-protocol/m-p/2479417#M87970 <HTML><HEAD></HEAD><BODY><P>Here is some more detail...</P><P></P><P>One client was attempting to authentication using PEAP but failing due to "12511 Unexpectedly received TLS alert message; treating as a rejection by the&nbsp; client". We're using internally generated certificates here but we of course trust our corporate CA. On top of that, in the supplicant we disable 'validate server certificate'. However, once I followed this article (</P><P><A class="jive-link-external-small" href="http://support.microsoft.com/kb/2518158">http://support.microsoft.com/kb/2518158</A><SPAN>) the client started using EAP-TLS and was successful.</SPAN></P><P></P><P>Another client, which has the same group policy for the wireless network settings works fine with no changes needed.</P><P></P><P>However a third one, which has the same group policy but has not had the modification from the Microsoft article continues to use PEAP.</P></BODY></HTML> Tue, 18 Feb 2014 21:55:34 GMT https://community.cisco.com/t5/network-access-control/client-using-incorrect-protocol/m-p/2479417#M87970 Mark H 2014-02-18T21:55:34Z https://community.cisco.com/t5/network-access-control/client-using-incorrect-protocol/m-p/2479418#M87971 <HTML><HEAD></HEAD><BODY><P>I have been able to resolve this, pity I can't mark my own response as the answer.</P><P></P><P>SSIDs are case sensitive. The SSID was defined as "AAA-CORP", but the group policy we have defined "AAA-Corp". It meant it wasn't auto connecting and when people were manually connecting, it obviously found it and tried to connect but failed as it used the default authentication settings within Windows.</P></BODY></HTML> Wed, 19 Feb 2014 02:16:18 GMT https://community.cisco.com/t5/network-access-control/client-using-incorrect-protocol/m-p/2479418#M87971 Mark H 2014-02-19T02:16:18Z https://community.cisco.com/t5/network-access-control/client-using-incorrect-protocol/m-p/2479419#M87972 <HTML><HEAD></HEAD><BODY><P>Hi Mark</P><P></P><P>Just to add FYI</P><P></P><P style="text-align: justify;">If you’re configuring your 802.1x settings via Group Policy you’ll see sometimes EAP-PEAP request from clients in your radius server log during booting even if you’ll set EAP-TLS. This error happened in our case with 1/3 of the boots with some models. The error is caused by a timing problem during startup. Sometimes the 802.1x is faster and sometimes the Group Policy is, and if the 802.1x is faster than the default configuration is taken, which is PEAP. Which lead to a EAP-NAK by the radius server.<STRONG> </STRONG></P></BODY></HTML> Thu, 20 Feb 2014 12:24:48 GMT https://community.cisco.com/t5/network-access-control/client-using-incorrect-protocol/m-p/2479419#M87972 Muhammad Munir 2014-02-20T12:24:48Z