
Cisco ISE Authentication Methods

Admin Eastland
Level 1

I have a five-year-old deployment running 2.4 patch 4. When I built ISE I originally wanted domain computers to authenticate using EAP-TLS. For reasons I can't remember, I could not get that working and I settled for MAB for machine authentication and PEAP-MSCHAPv2 for user authentication.

 

Yesterday I started to work with EAP-TLS authentication again and I got a wired authentication working for EAP-TLS. The problem is that I had several machines drop their sessions and try to use EAP-TLS. This totally locked their authentication and I was forced to turn off my EAP-TLS rule. The problem was that I created a whole new rule for EAP-TLS, but I made the mistake of putting the rule above my PEAP rule. I have since moved the EAP-TLS rule below PEAP, but my test machine stops at the PEAP rule with the error saying that I had a computer using a rule for authentication using username and password, but the machine is configured for certificate authentication.

 

I need some assistance with an authentication rule that will allow both EAP methods to live together without interfering with each other. I'm wondering whether, under the PEAP and EAP-TLS authentication rules, I need to set the advanced options, i.e. "if authentication fails", to "continue" rather than "reject" or something like that. Since I am making headway on EAP-TLS, I would like to continue to get this working for wireless so I can have it complete to where all I have to do is set the GPO to pull the machine/user certificate and go live. Any assistance would be great. Thank you.

16 Replies

Beacon Bits
Level 1

Hi Eastland,

 

Could you screenshot the rules, unless there is private information there, so we can see how you set up the rules?

 

Regards,

B

Just did that.