It may be a Windows issue, but I thought I would check here in case someone knows the answer.
I have been successfully running EAP-TLS with machine certificate auth for the last few months on Windows 7 and Windows 10. Two of my users reported that they cannot connect to it. I can see in the ISE logs that the client is trying to connect, and I can see the error below. (I am checking it from my Chrome history.)
Failure Reason: 12303 failed to negotiate EAP, because PEAP not allowed in
I even tried a manual SSID profile with the required parameters, but it didn't work either.
The client is trying to use PEAP instead of EAP-TLS. This might be a timing issue, a GPO not applying properly, etc. There is a list of Windows hotfixes for 802.1X environments; you might find it helpful.
What do you see in the Windows event log on the affected machines? (There is one specifically for wireless: Event Log -> Applications and Services Logs -> Microsoft -> Windows -> WLAN-AutoConfig -> Operational.)
I do see this sometimes in our environment with wired EAP-TLS. Machines at boot attempt to authenticate with PEAP for a second, I see failures in the ISE auth log, but then straight after they perform EAP-TLS auth and pass as expected.
I looked into the logs and I can see Identity: NULL, compared to my Windows 10 machine, where Identity: is my machine name.
Wireless 802.1x authentication failed.
Reason: Explicit Eap failure received
EAP Reason: 0x80420102
EAP Root cause String:
EAP Error: 0x80420014
I would go with the GPO not applying the EAP-TLS profile properly on those Windows machines, as indicated before.
When I DO NOT have that predefined profile on the company-owned Win 7/10 device (open Network and Sharing ---> Manage wireless networks ---> profile with the same name as the EAP-TLS SSID), the device automatically tries PEAP even though I am trying to connect to the EAP-TLS SSID.
Once I manually add that "profile" for EAP-TLS, problem solved.
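The two checks suggested in this thread (the WLAN-AutoConfig Operational log mentioned in the earlier reply, and the missing or wrong wireless profile described in this post) can be scripted on the affected client. The script below is an added example, not code from any of the posters or from Cisco ISE; it assumes it is run in an elevated PowerShell on the affected Windows 7/10 machine, that `CORP-EAPTLS` is a placeholder for the real SSID, and that `netsh wlan export profile` is available to dump the profile XML. It reports which EAP method the profile actually selects (type 13 is EAP-TLS, 25 is PEAP in the profile XML) and lists the recent 802.1X results from the WLAN-AutoConfig log together with the Reason / EAP Error lines quoted above.

```powershell
# Added diagnostic example (not from the original posts or from ISE).
# Assumptions: run as Administrator on the affected Windows 7/10 client;
# 'CORP-EAPTLS' is a placeholder SSID; netsh wlan export is used for the profile XML.
param(
    [string]$Ssid  = 'CORP-EAPTLS',   # placeholder SSID (assumption)
    [int]   $Hours = 24               # how far back to look in the event log
)

# EAP method type numbers as written into the profile XML <EapMethod><Type> element.
$EapTypeNames = @{ 13 = 'EAP-TLS'; 25 = 'PEAP' }

function Get-ProfileValue {
    param([xml]$Doc, [string]$Parent, [string]$Child)
    # Namespace-agnostic lookup: the profile XML mixes WLAN, OneX and EapHost namespaces.
    $node = $Doc.SelectSingleNode("//*[local-name()='$Parent']/*[local-name()='$Child']")
    if ($node) { $node.InnerText.Trim() } else { $null }
}

function Get-WlanProfileEapInfo {
    param([string]$Name)
    $dir = Join-Path $env:TEMP ('wlanprofile-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        # netsh writes one XML file per profile into the folder
        # ("Wi-Fi-<name>.xml" on Windows 10, "Wireless Network Connection-<name>.xml" on Windows 7).
        $null = netsh wlan export profile name="$Name" folder="$dir"
        $file = Get-ChildItem -Path $dir -Filter '*.xml' | Select-Object -First 1
        if (-not $file) { return $null }    # nothing exported: no profile of that name (or export failed)
        $xml = [xml](Get-Content -Path $file.FullName)
        $typeText = Get-ProfileValue $xml 'EapMethod' 'Type'
        $type = if ($typeText) { [int]$typeText } else { 0 }   # 0: profile is not 802.1X at all
        $authMode = Get-ProfileValue $xml 'OneX' 'authMode'
        New-Object PSObject -Property @{
            Profile        = Get-ProfileValue $xml 'WLANProfile' 'name'
            ConnectionMode = Get-ProfileValue $xml 'WLANProfile' 'connectionMode'        # auto / manual
            Authentication = Get-ProfileValue $xml 'authEncryption' 'authentication'     # expect WPA2 for enterprise
            AuthMode       = if ($authMode) { $authMode } else { '(default)' }           # machine / user / machineOrUser
            EapType        = $type
            EapName        = if ($EapTypeNames.ContainsKey($type)) { $EapTypeNames[$type] } else { "unknown($type)" }
        }
    } finally {
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

function Get-Wlan8021xEvents {
    param([int]$LookbackHours)
    $filter = @{
        LogName   = 'Microsoft-Windows-WLAN-AutoConfig/Operational'
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    # SilentlyContinue: Get-WinEvent raises an error when the filter matches nothing.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '802\.1x authentication (failed|succeeded)' } |
        ForEach-Object {
            $lines = $_.Message -split "`r?`n"
            # Keep only the lines the thread was reading: the result plus Reason / EAP Reason / EAP Error.
            $detail = ($lines | Where-Object { $_ -match '^(Reason|EAP Reason|EAP Error):' }) -join '; '
            New-Object PSObject -Property @{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Result = $lines[0].Trim()
                Detail = $detail
            }
        }
}

# 1. Is there a profile for the SSID, and does it select EAP-TLS?
$info = Get-WlanProfileEapInfo -Name $Ssid
if ($null -eq $info) {
    Write-Warning "netsh could not export a wireless profile named '$Ssid' (none exists, or export failed); without a profile the supplicant picks its own EAP method when joining the SSID."
} elseif ($info.EapType -ne 13) {
    Write-Warning "Profile '$($info.Profile)' selects $($info.EapName), not EAP-TLS."
    $info | Format-List Profile, ConnectionMode, Authentication, AuthMode, EapType, EapName
} else {
    $info | Format-List Profile, ConnectionMode, Authentication, AuthMode, EapType, EapName
}

# 2. What did the supplicant actually do recently?
Get-Wlan8021xEvents -LookbackHours $Hours | Sort-Object Time |
    Format-Table Time, Id, Result, Detail -AutoSize -Wrap
```

Run it as `.\Check-EapTls.ps1 -Ssid 'YourSSID'` on a working machine first to see what a correct profile looks like (EapType 13, AuthMode machine or machineOrUser), then on an affected one; a missing profile or a profile reporting PEAP points at the GPO/profile deployment, while failures in the event list with a profile that is correct point elsewhere (certificate, timing at boot). Both functions return objects, so the results can be collected from several machines and compared.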
Apologies for crashing into this thread, but I also have a similar issue, all with Windows 10.
When you say "This might be a timing issue, GPO not applying properly, etc" what are your timing recommendations?
I moved away from that job, but if I recall correctly it started with other Windows 7 machines as well. I think it was some TLS-related thing on Windows 7. As other machines started getting the patch from Microsoft, they started having the same problem.
What I did was to create another policy for PEAP as well.