01-29-2022 04:39 PM - edited 01-29-2022 05:32 PM
I am trying to set up single-SSID BYOD with ISE as an intermediate CA issuing certificates.
With my configuration, the client is getting redirected appropriately for device registration and is then prompted to install the profile with Network Setup Assistant.
However, on reauthentication after this, it does not match the EAP-TLS policy and matches the lower policy, which redirects back to have the profile installed.
If I match just based on the fact that the device was added to the identity group in the redirection process, it matches and shows the authentication method/protocol as dot1x/PEAP and not dot1x/EAP-TLS.
The client provisioning resource is correctly configured to use EAP-TLS and the correct cert template.
The correct user cert and root CA cert are also getting installed with the NSA setup.
Why is the client not using EAP-TLS as the connection method for the wireless connection? NSA should be taking care of it.
ISE 2.7, WIN10, CiscoTemporalAgentWindows 4.10.05050
01-30-2022 02:11 PM
It seems you might have used the posture client provisioning flow instead of the BYOD one. Both use an NSA.
Please review the Cisco ISE BYOD Prescriptive Deployment Guide, and verify that the Windows supplicant is configured as expected.
01-31-2022 09:06 PM
It turned out to be a simple mistake on my side. In the NSP profile, the SSID name had a typo.
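A check for the mismatch resolved in this thread, as an added example (not from the original posts or from Cisco): it parses Windows WLAN profile XML, as written by `netsh wlan export profile`, and reports the SSID and outer EAP method of each profile, so a profile provisioned under a misspelled SSID or a profile still using PEAP on the real SSID shows up. The SSID names, function names and sample XML are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1",
      "h": "http://www.microsoft.com/provisioning/EapHostConfig",
      "c": "http://www.microsoft.com/provisioning/EapCommon"}
EAP_NAMES = {"13": "EAP-TLS", "25": "PEAP"}  # IANA EAP method type numbers

def inspect_profile(xml_text):
    """Return (ssid, outer EAP method) from one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    ssid = root.findtext("w:SSIDConfig/w:SSID/w:name", namespaces=NS)
    eap_type = root.findtext(".//h:EapMethod/c:Type", namespaces=NS)
    return ssid, EAP_NAMES.get(eap_type, eap_type)

def audit(expected_ssid, profiles):
    """List reasons the client would not use EAP-TLS on expected_ssid."""
    findings = []
    parsed = [inspect_profile(p) for p in profiles]
    for ssid, method in parsed:
        if ssid == expected_ssid and method != "EAP-TLS":
            findings.append(f"{ssid}: outer EAP method is {method}, not EAP-TLS")
        elif ssid != expected_ssid and method == "EAP-TLS":
            findings.append(f"{ssid}: EAP-TLS profile is bound to this SSID, "
                            f"not {expected_ssid}")
    if (expected_ssid, "EAP-TLS") not in parsed:
        findings.append(f"{expected_ssid}: no EAP-TLS profile provisioned")
    return findings

def sample_profile(ssid, eap_type):
    """Constructed, trimmed-down profile XML (not captured from a real host)."""
    return f"""<WLANProfile xmlns="{NS['w']}">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="{NS['h']}"><EapMethod>
        <Type xmlns="{NS['c']}">{eap_type}</Type>
      </EapMethod></EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""

if __name__ == "__main__":
    profiles = [sample_profile("CorpBYOD", 25),   # existing PEAP profile
                sample_profile("CorpBYDO", 13)]   # provisioned with a typo
    for line in audit("CorpBYOD", profiles):
        print(line)
```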