Cisco ISE 2.0 Native Supplicant Certificate Issue

Maxim Bezzubov
Level 1

Hi

ISE 2.0. Corp PC joined to the AD, OS Win 8.1. I have created a GPO following this https://technet.microsoft.com/en-us/library/dd759154.aspx

So the computer account authenticates, and after that the user auth does. It works fine until I enable the option: Validate server certificate. We have bought a public certificate from Thawte for the EAP; the Thawte root is distributed via GPO - users trusted it.

After Windows OS is booted I have seen this on switch:

sh authentication sessions interface gi1/0/19 details
Interface: GigabitEthernet1/0/19
MAC Address: xxxx
IPv6 Address: Unknown
IPv4 Address: 10.x.x.x
User-Name: host/notebook.domain.local
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: 10s (local), Remaining: 9s
Session Uptime: 170s
Common Session ID: 0A6401090000002303AF7A9D
Acct Session ID: 0x0000001F
Handle: 0x3900000F
Current Policy: POLICY_Gi1/0/19

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
Method State

dot1x Stopped

So machine auth is stuck. I noticed that if I now log in to Windows and just log out, machine auth proceeds correctly, and so does the user auth then.

I couldn't figure out where the bug or misconfiguration is: Windows, ISE or dot1x on the switch.

Switch 2960S, IOS 15.2.2, the newest; tried another one - no luck. Debug showed:

%DOT1X-5-FAIL: Authentication failed for client (MAC) on Interface Gi1/0/19 AuditSessionID 0A6401090000001C03831815

%RADIUS-4-RADIUS_DEAD: RADIUS server 10.x,x,x:1812,1813 is not responding.

%RADIUS-4-RADIUS_ALIVE: RADIUS server 10.x,x,x::1812,1813 is being marked alive.
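One check a practitioner would run on the affected PC before touching ISE or the switch, added here and not part of the original post: machine authentication (the `host/notebook.domain.local` identity above) happens before any user logs on, so the native supplicant validates the EAP server certificate against the computer's store (`Cert:\LocalMachine\Root`), not the user's. This script reports where the Thawte root actually landed and dumps the wired 802.1X profile; the subject pattern and the use of `netsh lan` (Wired AutoConfig service must be running) are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the PC.
# $RootSubjectPattern is an assumption: set it to the issuer name shown on your EAP cert.
param(
    [string]$RootSubjectPattern = '*Thawte*'
)

function Get-MatchingRoot {
    # Returns the certificates in the given store whose Subject matches the pattern.
    param([string]$StorePath, [string]$Pattern)
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like $Pattern } |
        Select-Object Subject, Thumbprint, NotAfter
}

# Machine auth reads this store (before logon).
$machineRoots = Get-MatchingRoot -StorePath 'Cert:\LocalMachine\Root' -Pattern $RootSubjectPattern
# User auth reads this store (after logon), in addition to the machine store.
$userRoots    = Get-MatchingRoot -StorePath 'Cert:\CurrentUser\Root'  -Pattern $RootSubjectPattern

if ($machineRoots) {
    Write-Host "Root matching '$RootSubjectPattern' is present in LocalMachine\Root:"
    $machineRoots | Format-Table -AutoSize
} else {
    Write-Warning "No root matching '$RootSubjectPattern' in LocalMachine\Root."
    Write-Warning "With 'Validate server certificate' enabled, machine auth cannot build a trust chain to the EAP server cert from this store."
}

if ($userRoots -and -not $machineRoots) {
    Write-Warning "Root found only in CurrentUser\Root: the GPO distributed it per user, not per computer."
}

# Show the wired profile the supplicant applies on this port (check the
# ServerValidation / trusted root settings against the stores above).
netsh lan show profiles
```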

15 Replies

Yep. I think the same way about the issue with the native supplicant. Yes, I've already tried to disable the GPO and manually configure a test PC - no luck. It just gets stuck on dot1x auth, along with the error on the switch about the unreachable switch.

Some manuals that I've found on the Internet say that it needs cert checks disabled. It's weird. That makes me think that I have no problem with AnyConnect. Unfortunately, in our enterprise deployment installing AnyConnect on all user PCs is not an option. So I have to use the native Windows supplicant.