https://community.cisco.com/t5/network-access-control/ise-single-ssid-byod-windows-endpoint-user-experience/m-p/2474682#M88227 <PRE style="font-family:monospace; font-size:12px; white-space:normal; white-space:-moz-pre-wrap; white-space:pre-wrap; white-space:-pre-wrap; white-space:-o-pre-wrap; word-wrap:break-word;"> &lt;B&gt;Symptom:&lt;/B&gt; Some endpoint devices (Windows OS) have issues with wildcard cert when CN contains * (start) as wildcard the PEAP authentication fails due to "12511 Unexpectedly received TLS alert message; treating as a rejection by the client" &lt;B&gt;Conditions:&lt;/B&gt; when the wildcard cert contains * (start) as wildcard in CN &lt;B&gt;Workaround:&lt;/B&gt; create wildcard with * (start) e.g. CN= aaa.cisco.com</PRE> Fri, 01 Aug 2014 01:27:51 GMT Saurav Lodh 2014-08-01T01:27:51Z https://community.cisco.com/t5/network-access-control/ise-single-ssid-byod-windows-endpoint-user-experience/m-p/2474679#M88220 <P>We are implementing wireless BYOD using Cisco ISE 1.2 and WLC 7.4x. We are using PEAP / MS-CHAP v2 for wireless security. We are able to on-board iOS, Adroid, and MAC OS endpoints using single SSID and Native supplicant provisiong seems to work fine with these endpoints. We are having issues with Windows clients. On Windows client, when the user selects the SSID, it is prompting for userid/password, but never gets a pop-up for server certificate. We are using a third party public wildcard certificate on ISE for HTTP/EAP authentication.&nbsp; On ISE, we are getting: <SPAN style="color: #ff0000;">12511 Unexpectedly received TLS alert message; treating as a rejection by the client.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P> Mon, 11 Mar 2019 04:22:19 GMT https://community.cisco.com/t5/network-access-control/ise-single-ssid-byod-windows-endpoint-user-experience/m-p/2474679#M88220 rchilukuri 2019-03-11T04:22:19Z https://community.cisco.com/t5/network-access-control/ise-single-ssid-byod-windows-endpoint-user-experience/m-p/2474680#M88222 <HTML><HEAD></HEAD><BODY><P>It seems you are running into an Internal bug where PEAP/TLS authentication fails on Windows when using a Wildcard Certificate. Other devices such as Android, MAC OS etc work fine. During testing, this was found to be an issue with blank CN. Does your certificate have a blank CN field as well?</P><P></P><P>Unfortunately the bug is not resolved yet, and still being worked on.</P><P></P><P> Thanks,</P><P>Aastha</P><P></P><P>*Please rate helpful posts*</P></BODY></HTML> Mon, 10 Feb 2014 17:41:31 GMT https://community.cisco.com/t5/network-access-control/ise-single-ssid-byod-windows-endpoint-user-experience/m-p/2474680#M88222 Aastha Chaudhary 2014-02-10T17:41:31Z https://community.cisco.com/t5/network-access-control/ise-single-ssid-byod-windows-endpoint-user-experience/m-p/2474681#M88225 <HTML><HEAD></HEAD><BODY><TABLE border="0" cellpadding="0" cellspacing="0" width="900"><TBODY><TR><TD align="right" height="140" style="height: 105.0pt; width: 83pt;" width="110">12511</TD><TD style="border-left: none; width: 83pt;" width="110">EAP</TD><TD style="border-left: none; width: 188pt;" width="250">Unexpectedly&nbsp;&nbsp; received TLS alert message; treating as a rejection by the client</TD><TD style="border-left: none; width: 240pt;" width="320">While trying to&nbsp;&nbsp; negotiate a TLS handshake with the client, ISE received an unexpected TLS&nbsp;&nbsp; alert message. This might be due to the supplicant not trusting the ISE&nbsp;&nbsp; server certificate for some reason. ISE treated the unexpected message as a&nbsp;&nbsp; sign that the client rejected the tunnel establishment.</TD><TD style="border-left: none; width: 83pt;" width="110">Warn</TD></TR></TBODY></TABLE></BODY></HTML> Tue, 11 Feb 2014 19:08:27 GMT https://community.cisco.com/t5/network-access-control/ise-single-ssid-byod-windows-endpoint-user-experience/m-p/2474681#M88225 blenka 2014-02-11T19:08:27Z https://community.cisco.com/t5/network-access-control/ise-single-ssid-byod-windows-endpoint-user-experience/m-p/2474682#M88227 <PRE style="font-family:monospace; font-size:12px; white-space:normal; white-space:-moz-pre-wrap; white-space:pre-wrap; white-space:-pre-wrap; white-space:-o-pre-wrap; word-wrap:break-word;"> &lt;B&gt;Symptom:&lt;/B&gt; Some endpoint devices (Windows OS) have issues with wildcard cert when CN contains * (start) as wildcard the PEAP authentication fails due to "12511 Unexpectedly received TLS alert message; treating as a rejection by the client" &lt;B&gt;Conditions:&lt;/B&gt; when the wildcard cert contains * (start) as wildcard in CN &lt;B&gt;Workaround:&lt;/B&gt; create wildcard with * (start) e.g. CN= aaa.cisco.com</PRE> Fri, 01 Aug 2014 01:27:51 GMT https://community.cisco.com/t5/network-access-control/ise-single-ssid-byod-windows-endpoint-user-experience/m-p/2474682#M88227 Saurav Lodh 2014-08-01T01:27:51Z