salodh,

Thank you for your response. Below is the authorization policy it should hit. The trouble is the workstation wants to use PEAP for some reason but we don't want PEAP because we're certificate-based. I understand what you're saying, and it's because I didn't word my question correctly. 

If the NAK would not request PEAP, it would continue on to the following Authorization Policy (and succeed):

Again, this PEAP request only happens occasionally. This same workstation will work at other days/times. If I could figure out why some workstations randomly request PEAP (or find a way to force EAP only) I think that would take care of it.

Thanks again, sir.

Andrew

Did you happen to ever find a solution to this? Experiencing the same thing here which throws all clients into my BYOD policy

Nothing yet, unfortunately. I hope to involve Microsoft support soon, but I'm waiting on our server team to open a case. This was the TAC response (there's an option you can try - Policy > Policy Elements > Results > Authentication > Allowed Protocols > Default Network Access > Preferred Network Protocol > EAP-TLS): 

We've run into this before, it might happen if you mistype SSID in the NSP profile. For example, real SSID is TEST_TEST, but in NSP profile you type TEST-TEST, and Wizard won't complain about it on the client, but Wizard won't update the correct SSID on supplicant from PEAP to EAP-TLS and therefore it will continue to use PEAP.

Andrew,

Was this ever resolved and if so do you mind sharing the fix?  We have upgraded to ISE 1.4 from 1.2 and are expierencing the same issue with about 30 clients.  Not a huge deal as we are supporting around 15K but still annoying and is driving our users nuts.

We are using EAP-TLS for Wireless Machine authentications only, using a mixture of WISM-2 and 5508 Controllers.  All running code 7.6.130.26

This was not expierenced or at least not reported with ISE 1.1 to 1.3 and we've been up and running for almost 3 years.

We are currently running ISE 1.4 Patch 3 and tested with P4 without luck either.  The clients login to the machine using PIV which doesnt point to ISE.  Later in the day, they realize there PIV card has been locked out due to Failed Attempts.

Thanks and any help is appreciated.

Ryan,

Our issue was related to DLL updates. I've included a transcript from our Microsoft case.

Best of luck,
Andrew

Issue:  Few laptops are requesting for PEAP when the authentication protocol is set to EAP-TLS on the Cisco ISE RADIUS server using Wired 802.1X network.

Cause:  The dot3svc.dll file was not updated.

Resolution:  Updated dot3svc.dll to the latest version.

Troubleshooting steps followed:

-              Collected WLAN ETL and RAS traces on the client while reproducing the issue.

-              Commands:

netsh trace start scenario=LAN capture=yes persistent=yes tracefile=c:\lan-client.etl

netsh ras set tracing * enable

Reproduced the issue.

Stop the traces using the commands:

netsh trace stop

netsh ras set tracing * disable 

-              From the traces we found that we were getting EAP: Identity Request packets but we were not seeing any response.

-              We also found that the Dot3svc packet was throwing an error and ignoring the preceding packet.

15:41:08.1117768 293 0.0000000  svchost.exe (332)   Dot3svc_MicrosoftWindowsWiredAutoConfig Dot3svc_MicrosoftWindowsWiredAutoConfig:No 1X port exists. Ignoring the packet received

-              Updated the dot3svc.dll file on the clients. Link: http://support.microsoft.com/kb/2736878/en-us

-              On one of the other clients we updated the rastls.dll file. Link: http://support.microsoft.com/kb/2494172

Andrew,

Wow excellent notes and Thanks a million for sharing.  5 Stars and i'll provide an update once we test.  Well done my man.

Andrew,

We had the help desk update the clients as you suggested.  We just recieved word yesterday its happening again.  Whats weird is it cleared the issue for approx 5 days then returned.  I'm going to have them contact Microsoft as well and see what they discover.

Thanks for the assistance.

Awesome Andrew also have this issue with an implementation for a client with ISE 1.3

Have you found any solution?

I've got the same issue with ISE 2.0...

Wired clients, unplugging/plugging network cable helps, but it isn't an acceptable solution.

Hi,

Seems it's a supplicant issue. If you're using windows 7 native supplicant, check the hotfix KB 2481614.

https://supportforums.cisco.com/discussion/11916581/cisco-ise-8021x-eap-tls-list-applicable-hot-fixes

https://supportforums.cisco.com/blog/12256681/getting-past-intermittentunexplained-8021x-problems-windows-7

Hope this helps.

Regards,

Christos