Windows 10 EAP-TLS client authentication not working but machine does

We are rolling out dot1x and are having issues with user authentication. Both the client and machine certs as well as the EAP cert on ISE were signed by our internal CA, and PEAP works without issue. If I set the supplicant to EAP-TLS and only Computer authentication, everything works fine. User will not authenticate, and the ISE logs state the supplicant stopped responding. I have a TAC case open and we have discovered that the supplicant doesn't respond with the client/user cert in the RADIUS access-request after it has received the access-challenge from ISE that contains the full ISE chain. The capture of the machine authentication shows the response with the TLS certificate chain of the machine. Does this mean the client doesn't trust ISE but the machine does? I have checked the cert store for both user and computer and they contain the intermediate and root CA.

Has anyone else had this issue?





Cisco Employee

Re: Windows 10 EAP-TLS client authentication not working but machine does

If you are worrying about the client auth not trusting ISE, then you may set it to not verify the server certificate.

It's likely MS Windows OS has trouble retrieving the client certificate in the user cert store, or it does not consider it a proper certificate for EAP-TLS. TAC might be willing to help recreate it. You might also consider engaging Microsoft support.
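
One way to check from the affected user's own session whether the certificate in the user store has the properties the Windows supplicant looks for before it will offer it for EAP-TLS (Client Authentication EKU, Digital Signature key usage, an accessible private key, a chain that builds in the user context, and a UPN in the SAN). This is an added diagnostic, not code from this thread, Cisco or Microsoft; it assumes the root and intermediate CA are already in the user's trust stores, as the original post states.

```powershell
# Added example: inspect Cert:\CurrentUser\My for EAP-TLS suitability.
# Run as the user who cannot authenticate, not as an administrator.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # EKU: the supplicant only offers certificates carrying Client Authentication.
    $hasClientAuth = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $clientAuthOid) { $hasClientAuth = $true }
            }
        }
    }

    # Key usage: TLS client authentication signs the handshake, so DigitalSignature is required.
    $kuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $hasDigSig = ($null -ne $kuExt) -and (($kuExt.KeyUsages -band 'DigitalSignature') -ne 0)

    # Chain: does this user context trust the issuing chain (root + intermediate)?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is a separate question
    $chainBuilds = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Identity: ISE usually maps the user by the UPN found in the SAN.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $san = if ($null -ne $sanExt) { $sanExt.Format($false) } else { '<no SAN>' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # $false means the key is missing or inaccessible
        ClientAuthEKU = $hasClientAuth
        DigitalSig    = $hasDigSig
        ChainBuilds   = $chainBuilds
        ChainStatus   = $chainStatus
        SAN           = $san
    }
} | Format-List
```

A certificate that shows ChainBuilds false or ClientAuthEKU false here will never be offered by the supplicant, which matches the "supplicant stopped responding" symptom in the ISE logs.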


Re: Windows 10 EAP-TLS client authentication not working but machine does

Thanks for the response. The ISE logs show the user name that is in the certificate, and when I tell the supplicant to use a different username it prompts for the certificate, and the only one that is valid is the intended certificate. I will try to change the client to not check the certificate, but I don't understand, if that is truly the issue, why the machine works.

I am hoping to get support from MS next week.