cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5708
Views
30
Helpful
21
Replies

Cisco ISE and windows 11

R1nzler
Beginner
Beginner

hello to all,

does anyone have tested a windows 11 machine with ISE?


I'm testing windows 11 and it does not authenticate automatically.

I have to login to the session and then windows 11 prompt me with the message "action required" and then takes me to the network do manually sign in to the network.

On windows 10 it works perfectly.

21 Replies 21

The same intune profile is pushed on all of our Windows 10 workstation and there are no issues. So again I ask, are there special config requirements for windows 11 ?

We are pushing the same exact intune profile on our windows 10 workstation and there are no issues. Again I ask, are there specific config requirements for windows 11 ?

From an ISE prospective, no.  From an InTune or Windows 11 prospective, maybe?

Willdozer
Beginner
Beginner

I too have the issue with Windows 11 where it prompts with "Action needed" and "You'll need to sign in or take other action go get full network access." except via wired (wireless works just fine). Running ISE 3.1 with the latest patch. On the switch port authentication display it sits at 'dot1x = running' and will run well beyond the dot1x timer setting. Like what was mentioned before, it looks like it is working on authenticating with the 'endpoint abandoned EAP session and started new' but will not continue until I "Sign in" to the network in Windows. I've verified our domain root CA's certificate is listed under the Trusted Root Certification Authorities and yet it seems like Windows does not trust the network.

We opened up a ticket with Microsoft but at this point they've been useless and give no effort in responding in less than a week's time with each email.

We want to start deploying Windows 11 but this is holding it up.

Any help would be appreciated!

@Willdozer - do you have some screenshots of the Windows 11 wired supplicant configuration that you're able to post here? You can always obscure any customer sensitive data.

CarlCarlson
Beginner
Beginner

I worked for a company that did eap-tls wired and wireless authentication.  We had the described issue for Windows 11 wired authentication , worked perfectly in Windows 10 and I THINK with wireless.  In our specific instance in Windows 10 we did not mark a  "Trusted Root Certificate Authorities:" server in the machine's dot1x settings.  When testing Windows 11, we found that simply selecting the CA that you specifically want to trust resolved the issue.  Additionally,  if you select the box "Connect to these servers", I have heard reports that in Windows 11 that becomes case sensitive.  So it that doesn't exactly match, with case, you will get the same popup.  A google search of this "Always On VPN Error 853 on Windows 11" will take you to a nice writeup describing the issue. 

To be clear our working config was verify the server's identity by validating the certificate.  NOT selecting Connect to these servers.  Select the trusted root cert authority for your ISE cert.

Carl, your working config did the trick for us as well. Our testing so far has been successful so we'll be pushing the change shortly.

Thank you for the helpful information!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers