Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

Mark H

Client Using Incorrect Protocol

Hi everyone,

After lots of testing with laptops authentication with ISE over wireless using EAP-TLS, we have a few laptops that despite having the same client configuration attempt to use PEAP. This ultimately fails and I'm unsure why they're trying to use PEAP, since I've also disabled PEAP as an applicable protocol within ISE.

Any ideas? They're all Windows 7 (x64) using the native supplicant with the Cisco NAC agent for posturing. They're all set to use 'smart card or certificate', not to validate the server certificate and use computer authentication.


Mark H

Here is some more detail...

One client was attempting to authentication using PEAP but failing due to "12511 Unexpectedly received TLS alert message; treating as a rejection by the  client". We're using internally generated certificates here but we of course trust our corporate CA. On top of that, in the supplicant we disable 'validate server certificate'. However, once I followed this article ( the client started using EAP-TLS and was successful.

Another client, which has the same group policy for the wireless network settings works fine with no changes needed.

However a third one, which has the same group policy but has not had the modification from the Microsoft article continues to use PEAP.

I have been able to resolve this, pity I can't mark my own response as the answer.

SSIDs are case sensitive. The SSID was defined as "AAA-CORP", but the group policy we have defined "AAA-Corp". It meant it wasn't auto connecting and when people were manually connecting, it obviously found it and tried to connect but failed as it used the default authentication settings within Windows.

Muhammad Munir

Hi Mark

Just to add FYI

If you’re configuring your 802.1x settings via Group Policy you’ll see sometimes EAP-PEAP request from clients in your radius server log during booting even if you’ll set EAP-TLS. This error happened in our case with 1/3 of the boots with some models. The error is caused by a timing problem during startup. Sometimes the 802.1x is faster and sometimes the Group Policy is, and if the 802.1x is faster than the default configuration is taken, which is PEAP. Which lead to a EAP-NAK by the radius server.

Content for Community-Ad