02-17-2014 09:52 PM - edited 03-10-2019 09:24 PM
Hi everyone,
After lots of testing with laptop authentication with ISE over wireless using EAP-TLS, we have a few laptops that, despite having the same client configuration, attempt to use PEAP. This ultimately fails and I'm unsure why they're trying to use PEAP, since I've also disabled PEAP as an applicable protocol within ISE.
Any ideas? They're all Windows 7 (x64) using the native supplicant with the Cisco NAC agent for posturing. They're all set to use 'smart card or certificate', not to validate the server certificate and use computer authentication.
Mark
02-18-2014 01:55 PM
Here is some more detail...
One client was attempting to authenticate using PEAP but failing due to "12511 Unexpectedly received TLS alert message; treating as a rejection by the client". We're using internally generated certificates here but we of course trust our corporate CA. On top of that, in the supplicant we disable 'validate server certificate'. However, once I followed this article (http://support.microsoft.com/kb/2518158) the client started using EAP-TLS and was successful.
Another client, which has the same group policy for the wireless network settings, works fine with no changes needed.
However, a third one, which has the same group policy but has not had the modification from the Microsoft article, continues to use PEAP.
02-18-2014 06:16 PM
I have been able to resolve this, pity I can't mark my own response as the answer.
SSIDs are case sensitive. The SSID was defined as "AAA-CORP", but the group policy we have defined "AAA-Corp". It meant it wasn't auto-connecting, and when people were manually connecting, it obviously found it and tried to connect but failed, as it used the default authentication settings within Windows.
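A check for exactly this mismatch, added here as an example and not part of the original thread: it parses a Windows WLAN profile in the XML format `netsh wlan export profile` produces and flags an SSID that differs from the broadcast SSID only by case, an EAP method other than EAP-TLS, or an authMode other than machine. The profile below is constructed for the example; the namespace URIs and EAP type numbers (13 = EAP-TLS, 25 = PEAP) are the standard ones.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Windows WLAN profile XML (as produced by `netsh wlan export profile`).
NS = {
    "p": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "x": "http://www.microsoft.com/networking/OneX/v1",
    "c": "http://www.microsoft.com/provisioning/EapCommon",
}
EAP_NAMES = {13: "EAP-TLS", 25: "PEAP"}  # IANA EAP method type numbers

# Constructed sample profile (not from the thread): GPO-pushed "AAA-Corp", EAP-TLS, machine auth.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>AAA-Corp</name>
  <SSIDConfig><SSID><name>AAA-Corp</name></SSID></SSIDConfig>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
    <authMode>machine</authMode>
    <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
    </EapHostConfig></EAPConfig>
  </OneX></security></MSM>
</WLANProfile>"""

def audit_profile(profile_xml, broadcast_ssid, expected_eap=13):
    """Return a list of findings; an empty list means the profile matches the network."""
    root = ET.fromstring(profile_xml)
    findings = []
    ssid = root.findtext("p:SSIDConfig/p:SSID/p:name", namespaces=NS) or ""
    if ssid != broadcast_ssid:
        if ssid.lower() == broadcast_ssid.lower():
            # Exactly the failure in this thread: same letters, different case.
            findings.append(f"SSID case mismatch: profile '{ssid}' vs network '{broadcast_ssid}'; "
                            "auto-connect will not match and a manual connect uses Windows defaults")
        else:
            findings.append(f"SSID mismatch: profile '{ssid}' vs network '{broadcast_ssid}'")
    type_text = root.findtext(".//c:Type", namespaces=NS)
    eap_type = int(type_text) if type_text and type_text.isdigit() else None
    if eap_type != expected_eap:
        findings.append(f"EAP method is {EAP_NAMES.get(eap_type, eap_type)}, "
                        f"expected {EAP_NAMES.get(expected_eap, expected_eap)}")
    auth_mode = root.findtext(".//x:authMode", namespaces=NS)
    if auth_mode != "machine":
        findings.append(f"authMode is {auth_mode!r}, expected 'machine' (computer authentication)")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE, "AAA-CORP"):
        print("FINDING:", finding)
```

Run it against a real export with the SSID taken from `netsh wlan show networks` to confirm the GPO profile and the access point agree byte for byte.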
02-20-2014 04:24 AM
Hi Mark
Just to add FYI
If you're configuring your 802.1x settings via Group Policy, you'll sometimes see EAP-PEAP requests from clients in your RADIUS server log during booting even if you set EAP-TLS. This error happened in our case with 1/3 of the boots with some models. The error is caused by a timing problem during startup. Sometimes the 802.1x is faster and sometimes the Group Policy is, and if the 802.1x is faster then the default configuration is taken, which is PEAP. This leads to an EAP-NAK by the RADIUS server.