<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Security Policy-Access Mobility Express in Wireless</title>
    <link>https://community.cisco.com/t5/wireless/security-policy-access-mobility-express/m-p/3884024#M203905</link>
    <description>Normally, if users make a fresh connection to the SSID (assuming you are talking about wireless), they get asked if the certificate is correct, and if they agree to that, they have wireless access. This is completely normal on Windows and SSIDs with certificate authentication. The only way around that is to have managed devices and push the wireless configuration via Group Policy, including the certificate.&lt;BR /&gt;&lt;BR /&gt;The idea behind showing and accepting the certificate is to avoid man-in-the-middle attacks. Only if the correct certificate (thumbprint) is shown should the user connect.</description>
    <pubDate>Wed, 03 Jul 2019 14:26:54 GMT</pubDate>
    <dc:creator>patoberli</dc:creator>
    <dc:date>2019-07-03T14:26:54Z</dc:date>
    <item>
      <title>Security Policy-Access Mobility Express</title>
      <link>https://community.cisco.com/t5/wireless/security-policy-access-mobility-express/m-p/3882911#M203904</link>
      <description>&lt;P&gt;I have configured my ISE running version 2.6 to authenticate wireless clients. Users coming in from Android, Apple and Linux machines can authenticate correctly and have access to the network, but with regard to Windows clients this is not possible. This comes up as error 5400, and I googled the error on other forums and it was pointing to a certificate issue. So I had to manually accept the certificate on my Windows test machine in Windows and sharing centre and it worked perfectly. Now the question is, I have thousands of users and I can't go one after another to update. If I use a supplicant like AnyConnect it works fine. Do we have another route other than the ones mentioned above to solve this issue?&lt;/P&gt;</description>
      <pubDate>Mon, 05 Jul 2021 17:38:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/wireless/security-policy-access-mobility-express/m-p/3882911#M203904</guid>
      <dc:creator>tandemike</dc:creator>
      <dc:date>2021-07-05T17:38:36Z</dc:date>
    </item>
    <item>
      <title>Re: Security Policy-Access Mobility Express</title>
      <link>https://community.cisco.com/t5/wireless/security-policy-access-mobility-express/m-p/3884024#M203905</link>
      <description>Normally, if users make a fresh connection to the SSID (assuming you are talking about wireless), they get asked if the certificate is correct, and if they agree to that, they have wireless access. This is completely normal on Windows and SSIDs with certificate authentication. The only way around that is to have managed devices and push the wireless configuration via Group Policy, including the certificate.&lt;BR /&gt;&lt;BR /&gt;The idea behind showing and accepting the certificate is to avoid man-in-the-middle attacks. Only if the correct certificate (thumbprint) is shown should the user connect.</description>
      <pubDate>Wed, 03 Jul 2019 14:26:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/wireless/security-policy-access-mobility-express/m-p/3884024#M203905</guid>
      <dc:creator>patoberli</dc:creator>
      <dc:date>2019-07-03T14:26:54Z</dc:date>
    </item>
    <item>
      <title>Re: Security Policy-Access Mobility Express</title>
      <link>https://community.cisco.com/t5/wireless/security-policy-access-mobility-express/m-p/3885254#M203906</link>
      <description>Hi patoberli,&lt;BR /&gt;&lt;BR /&gt;Through further digging I found out that the problem is between ISE and the CIS server (LDAP): it is not supporting PEAP and MSCHAPv2. Any workaround for this?</description>
      <pubDate>Fri, 05 Jul 2019 13:02:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/wireless/security-policy-access-mobility-express/m-p/3885254#M203906</guid>
      <dc:creator>tandemike</dc:creator>
      <dc:date>2019-07-05T13:02:53Z</dc:date>
    </item>
    <item>
      <title>Re: Security Policy-Access Mobility Express</title>
      <link>https://community.cisco.com/t5/wireless/security-policy-access-mobility-express/m-p/3885289#M203907</link>
      <description>I don't know the product CIS and haven't used ISE so far for wireless.&lt;BR /&gt;Make sure that TLS 1.0 is enabled though; some modern RADIUS servers might have that disabled, but at least for Windows 7 and some OS X clients this is required when using PEAP with MSCHAPv2.</description>
      <pubDate>Fri, 05 Jul 2019 13:38:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/wireless/security-policy-access-mobility-express/m-p/3885289#M203907</guid>
      <dc:creator>patoberli</dc:creator>
      <dc:date>2019-07-05T13:38:25Z</dc:date>
    </item>
  </channel>
</rss>

