
Cisco ISE and Windows 11

R1nzler
Beginner

Hello to all,

Has anyone tested a Windows 11 machine with ISE?

I'm testing Windows 11 and it does not authenticate automatically.

I have to log in to the session and then Windows 11 prompts me with the message "action required" and then takes me to the network to manually sign in to the network.

On Windows 10 it works perfectly.

1 Accepted Solution

Accepted Solutions

CarlCarlson
Beginner

I worked for a company that did EAP-TLS wired and wireless authentication. We had the described issue for Windows 11 wired authentication; it worked perfectly in Windows 10 and I THINK with wireless. In our specific instance in Windows 10 we did not mark a "Trusted Root Certificate Authorities:" server in the machine's dot1x settings. When testing Windows 11, we found that simply selecting the CA that you specifically want to trust resolved the issue. Additionally, if you select the box "Connect to these servers", I have heard reports that in Windows 11 that becomes case sensitive. So if that doesn't exactly match, with case, you will get the same popup. A Google search of this "Always On VPN Error 853 on Windows 11" will take you to a nice writeup describing the issue.

To be clear our working config was verify the server's identity by validating the certificate.  NOT selecting Connect to these servers.  Select the trusted root cert authority for your ISE cert.

View solution in original post
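As an added example (not part of the original post, and not Cisco or Microsoft code): a Python check for the two conditions described in the accepted solution, run against the EAP-TLS section of an exported Windows 802.1X profile. It assumes the `ServerValidation`, `ServerNames` and `TrustedRootCA` element names of the Windows EAP-TLS profile XML and treats `ServerNames` entries as literal names; the hostname, thumbprint and sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder thumbprint and hostname, not real values.
FAKE_ROOT = "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"
ISE_CERT_NAMES = ["ise01.example.com"]


def sample_profile(trusted_root="", server_names=""):
    """Build a constructed EAP-TLS <EapType> fragment like an exported profile."""
    ca = f"<TrustedRootCA>{trusted_root}</TrustedRootCA>" if trusted_root else ""
    return (
        '<EapType xmlns="http://www.microsoft.com/provisioning/'
        'EapTlsConnectionPropertiesV1"><ServerValidation>'
        "<DisableUserPromptForServerValidation>false"
        "</DisableUserPromptForServerValidation>"
        f"<ServerNames>{server_names}</ServerNames>{ca}"
        "</ServerValidation></EapType>"
    )


def _local(tag):
    # Strip the XML namespace so the check works across schema versions.
    return tag.rsplit("}", 1)[-1]


def audit_profile(xml_text, cert_names):
    """Return findings for the server-validation settings in a profile."""
    root = ET.fromstring(xml_text)
    sv = next((e for e in root.iter() if _local(e.tag) == "ServerValidation"), None)
    if sv is None:
        return ["no ServerValidation block found"]
    findings = []
    if not any(_local(e.tag) == "TrustedRootCA" and (e.text or "").strip() for e in sv):
        findings.append("no TrustedRootCA selected")
    raw = "".join(e.text or "" for e in sv if _local(e.tag) == "ServerNames")
    lowered = {c.lower() for c in cert_names}
    for name in filter(None, (n.strip() for n in raw.split(";"))):
        if name in cert_names:
            continue  # exact, case-sensitive match
        if name.lower() in lowered:
            findings.append(f"ServerNames entry {name!r} differs from the certificate name only by case")
        else:
            findings.append(f"ServerNames entry {name!r} matches no certificate name")
    return findings


if __name__ == "__main__":
    for label, xml in [("no root CA", sample_profile()),
                       ("case mismatch", sample_profile(FAKE_ROOT, "ISE01.Example.com")),
                       ("working", sample_profile(FAKE_ROOT))]:
        print(label, audit_profile(xml, ISE_CERT_NAMES))
```

To audit a real machine, feed the function the XML written by `netsh lan export profile` or `netsh wlan export profile` and the subject names from the ISE EAP certificate.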

21 Replies

marce1000
VIP Mentor

 

 - For starters, what is your ISE version? For ISE 3.1 check out: https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/compatibility_doc/b_ise_sdt_31.html#microsoftwindows. For the rest you will need to provide more details as to which authentication solutions are being used. If, for instance, there is a supplicant, then is it compatible with Windows 11? After explaining all of this, a screenshot may also be helpful.

 M.

thomas
Cisco Employee

Yes, Windows 11 works with ISE.

You have not provided any information about how you expect Windows to connect to your network:

  • network type: wired or wireless?
  • authentication type: MAB, user authentication, machine authentication?
  • credentials: pre-shared key, username+password, digital certificate?

You have not provided any ISE LiveLog error messages to potentially understand what ISE is seeing - if anything - and possibly why it is being rejected.

You have not provided any Screenshots of the actual Windows error.

See How to Ask The Community for Help 

Benoit Mennesson
Beginner

Hello, I also have this issue.

We are working with ISE 3.1, the wifi authentication is done via local certificates delivered with Intune CSP. Our Windows 11 computers aren't connecting automatically, and also whenever we try to connect to our primary SSID we get the following message (sorry for French):

BenoitMennesson_0-1663867993477.png

Our Windows 10 computers are working fine. I've checked the ISE live logs, it seems that the Windows 11 computers fall into our "Windows 10 workstation" Endpoint profile

BenoitMennesson_1-1663868215873.png

I have tried playing with Regedit to try and disable this function (https://windowsreport.com/wifi-action-needed-windows-10/) but it doesn't seem to work on Windows 11. Are there any ISE config requirements known for Windows 11? Thanks a lot

In the live logs I also have the following error message: 5440 Endpoint abandoned EAP session and started new

Check your wireless NIC card drivers. Make sure your Windows install has the latest hotfixes too.

Hello, thanks for the response. I have an Intel AX201 wireless card, that has been updated to the latest driver (22.160.0.) I sadly still have the issue, the "Connect automatically" box is checked.

The other way I've seen this manifest is bad RF. What does your RF environment look like? Have you done an active survey of your environment? Interference sources, etc.

Yes we have had ESI tech do an exit survey after we installed our new 9k Cisco APs, and we followed their recommendations (a lot of them were indeed regarding our RF profiles.)

Our RF profile looks like this currently (for 2.4 and 5 GHz):

BenoitMennesson_0-1663935353160.png

BenoitMennesson_1-1663935501745.png

We don't have any channel overlap, our tx power is fine, and our RSSI is -75.

Are there specific RF config requirements for Windows 11 we need to do? Thanks a lot

No, nothing specific. Does that message say the certificate isn't trusted? Sorry I don't speak French; but if so that is your issue.

No problem, the message says the following:
"Continue connecting? If you expect to find ia-secur in this location, go ahead and connect. Otherwise, it may be a different network with the same name." There is also a pop-up Windows message that says "Action required" instead of automatically connecting to our wifi.

Got it, so looks like two profiles for the same SSID are being pushed to the device or the settings in Intune do not match what security requirements are in place for the SSID (PEAP vs EAP-TLS, computer/user auth, etc.). If you "forget" the network and re-join do you see the same error?

We do not have the option to "forget the network", since it is being pushed with certificates via Intune CSP.

Yeah then something is wrong with that Intune profile and/or your trusted certificates on the endpoint.