690 Views, 0 Helpful, 5 Replies

EAP-TLS not working but PEAP is OK

Ruelb2214
Level 1

Hi,

I have been using PEAP for endpoint authentication in our infra; we authenticate machine + user ID to grant access to the network, with no issue.

Recently we needed to change to the EAP-TLS method, using the same certificate in ISE that is working with PEAP.

I edited the supplicant (Win11) settings from PEAP to EAP-TLS; refer to the screenshots. Do note the ISE cert for EAP/RADIUS is signed by an intermediate CA, and both the Root CA and the intermediate are uploaded/trusted in ISE and in the supplicant's trusted root cert settings.

In addition, the cert auth profile is configured the same; we use the cert attribute "Subject - Common Name".

Checking the live logs, I can only see that it receives the endpoint MAC address instead of the hostname (host/).

Do you think I am missing some configuration on ISE or the endpoint to make EAP-TLS work?

5 Replies

Nikolai Catey
Level 1

Do you use a RADIUS server, and have you specified the VLAN for that particular user on the router?

Regards - NC

ammahend
VIP Alumni

Go through parts 1, 2, 3 here; if it still doesn't work, attach the ISE logs.

-hope this helps-

@ammahend YES, I have been following that link since the start.

I did debug; the problem is that when the machine boots up, based on the logs, the machine did not send the username with the "host/" attribute; instead it sent only the MAC address, and thus was not able to authenticate.

Do you have any idea why it sends the MAC address instead of the machine hostname?

This is my interface port config and RADIUS attributes:

switchport mode access
authentication event server dead action authorize vlan 125
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level pps 1k
storm-control multicast level 10.00
storm-control action trap
spanning-tree portfast


radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 3
radius-server retransmit 5
radius-server deadtime 2
radius-server load-balance method least-outstanding


Ruelb2214
Level 1

Just to add: if I configure PEAP on the supplicant or endpoint, in the debug logs we are able to see the HOST\ attribute when the machine authenticates. From this I can say there's no issue with the certificate itself.

Please enlighten me as to what could be the root cause.


Ruelb2214
Level 1

I finally managed to find the root cause when I did a Wireshark capture.

The issue was the setting on the machine cert: the application setting was set to server auth instead of client auth.

Thank you guys for your response.
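The resolution above comes down to the Extended Key Usage (EKU) on the machine certificate: a Windows supplicant only offers a certificate for EAP-TLS if it carries the Client Authentication purpose (OID 1.3.6.1.5.5.7.3.2) or has no EKU extension at all, so a cert issued with only Server Authentication (1.3.6.1.5.5.7.3.1) is never presented, the 802.1X exchange never gets an identity, and with `authentication order mab dot1x` the port falls through to MAB, which is why ISE live logs showed only the MAC address. The following PowerShell check is an added example, not from the thread or from Cisco; run it as administrator on the Win11 endpoint before touching ISE. The function name `Test-EapTlsClientCert` is my own; the store path and OIDs are standard Windows values.

```powershell
# Added example: audit every certificate in the Local Machine personal store and
# report whether the Windows supplicant can use it for EAP-TLS machine authentication.
# Assumptions: run elevated on the endpoint; the machine cert is in Cert:\LocalMachine\My.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$EkuExtOid     = '2.5.29.37'           # id-ce-extKeyUsage

function Test-EapTlsClientCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid }

    if (-not $ekuExt) {
        # No EKU extension at all: RFC 5280 treats the cert as usable for any purpose,
        # and the Windows supplicant will offer it for EAP-TLS.
        return [pscustomobject]@{ Usable = $true; Reason = 'no EKU extension (any purpose)' }
    }

    $oids = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
        ForEach-Object { $_.Value }

    if ($oids -contains $ClientAuthOid) {
        return [pscustomobject]@{ Usable = $true; Reason = 'Client Authentication EKU present' }
    }
    if ($oids -contains $ServerAuthOid) {
        # The misconfiguration found in this thread: the template issued a server cert.
        return [pscustomobject]@{ Usable = $false; Reason = 'only Server Authentication EKU; supplicant will not offer it' }
    }
    return [pscustomobject]@{ Usable = $false; Reason = "EKU present but no Client Authentication: $($oids -join ', ')" }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $eku = Test-EapTlsClientCert -Cert $_
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey          # no private key => cannot sign the TLS handshake
        EapTlsUsable  = ($eku.Usable -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date))
        Reason        = $eku.Reason
    }
} | Format-Table -AutoSize
```

Any row with `EapTlsUsable = False` explains a supplicant that silently sends nothing for 802.1X; when the machine cert shows `only Server Authentication EKU`, re-issue it from a template that includes Client Authentication (the default Computer/Workstation templates do) rather than changing anything in ISE. Note also that the switch config in this thread has `authentication priority mab dot1x`, so a MAB result will take precedence even when dot1x later succeeds; Cisco's usual recommendation alongside `authentication order mab dot1x` is `authentication priority dot1x mab`.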