
Client not using EAP-TLS

rajitoor55
Level 1

I am trying to set up single SSID BYOD with ISE as an intermediate CA issuing certificates.

With my configuration, the client is getting redirected appropriately for device registration and is then prompted to install the profile with the network setup assistant.

However, on reauthentication after this, it does not match the EAP-TLS policy and matches the lower policy, which redirects back to have the profile installed.

If I match just based on the fact that the device was added to the identity group in the redirection process, it matches and shows the authentication method/protocol as dot1x/PEAP and not dot1x/EAP-TLS.

The client provisioning resource is correctly configured to use EAP-TLS and the correct cert template.

The correct user cert and root CA cert are also getting installed with the NSA setup.

Why is the client not using EAP-TLS as the connection method for the wireless connection? NSA should be taking care of it.

ISE 2.7, WIN10, CiscoTemporalAgentWindows 4.10.05050

Accepted Solutions

It turned out to be a simple mistake on my side. In the NSP profile, the SSID name had a typo.


hslai
Cisco Employee

It seems you might have used the posture client provisioning flow instead of the BYOD one. Both use an NSA.

Please review the Cisco ISE BYOD Prescriptive Deployment Guide, and verify that the Windows supplicant is configured as expected.

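A check for the two symptoms in this thread (a mistyped SSID in the provisioned profile, and a connection that authenticates with PEAP instead of EAP-TLS), written as an added example and not part of the original posts or of Cisco's tooling. It parses a Windows WLAN profile in the XML shape written by `netsh wlan export profile` and reports the SSID and outer EAP method; the SSID `Corp-BYOD` and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

EAP_NAMES = {13: "EAP-TLS", 25: "PEAP"}  # IANA EAP method type numbers

def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]

def _children(root, parent, child):
    """Text of every <child> directly under any <parent> in the document."""
    return [c.text for p in root.iter() if _local(p.tag) == parent
            for c in p if _local(c.tag) == child]

def check_profile(xml_text, expected_ssid):
    """Return a list of findings; an empty list means the profile looks right."""
    root = ET.fromstring(xml_text)
    findings = []
    ssids = _children(root, "SSID", "name")
    if expected_ssid not in ssids:  # exact, case-sensitive comparison
        findings.append(f"SSID mismatch: profile {ssids!r}, expected {expected_ssid!r}")
    if _children(root, "authEncryption", "useOneX") != ["true"]:
        findings.append("802.1X (useOneX) is not enabled")
    # EapMethod/Type is the outer method; inner methods live elsewhere in the config.
    outer = [int(t) for t in _children(root, "EapMethod", "Type")]
    if outer[:1] != [13]:
        got = EAP_NAMES.get(outer[0], str(outer[0])) if outer else "none"
        findings.append(f"outer EAP method is {got}, expected EAP-TLS")
    return findings

def sample_profile(ssid, eap_type):
    """Constructed, trimmed profile in the shape `netsh wlan export profile` writes."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>{ssid}</name>
 <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
 <MSM><security>
  <authEncryption><authentication>WPA2</authentication>
   <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
   <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{eap_type}</Type>
   </EapMethod></EapHostConfig>
  </EAPConfig></OneX>
 </security></MSM>
</WLANProfile>"""

if __name__ == "__main__":
    for ssid, eap in [("Corp-BYOD", 13), ("Corp-BYD", 13), ("Corp-BYOD", 25)]:
        print(ssid, eap, check_profile(sample_profile(ssid, eap), "Corp-BYOD") or "OK")
```

Run it against each profile exported from the endpoint after the NSA finishes, passing the SSID exactly as the WLC broadcasts it.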