ISE 2.2 and Windows 10 wireless 802.1x

asmlicense (Level 1)

Hi all,

I have an ISE 2.0 environment running a wireless 802.1x scenario. I have tested Windows 10, but it failed to connect to the network with 802.1x. Now our system engineers want to upgrade clients from Windows 8.1 to Windows 10, but we are hesitant because of Windows 10 performance.

I would like to know if anything has changed with ISE 2.2. Also, I am not sure if it is an ISE-side or Windows-side matter.

In brief, does ISE 2.2 802.1x work with windows 10?


13 Replies

ajc (Level 7)

We are currently using Win 7 on PEAP/EAP-TLS with no issues. I tested on Windows 10 and it worked, BUT I found that the mandatory profile used on Win 7 devices sometimes has to be created manually for those devices as well if you do not have a GPO to deploy it.

Could you please post the error message from ISE Live Authentications?

I got a "5200 Authentication succeeded" message in ISE.

  11001 Received RADIUS Access-Request
  11017 RADIUS created a new session
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15048 Queried PIP - Normalised Radius.RadiusFlowType
  15004 Matched rule - Dot1X
  11507 Extracted EAP-Response/Identity
  12500 Prepared EAP-Request proposing EAP-TLS with challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
  12800 Extracted first TLS record; TLS handshake started
  12805 Extracted TLS ClientHello message
  12806 Prepared TLS ServerHello message
  12807 Prepared TLS Certificate message
  12809 Prepared TLS CertificateRequest message
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for user user
  12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for ASM ICA1
  12811 Extracted TLS Certificate message containing client certificate
  12812 Extracted TLS ClientKeyExchange message
  12813 Extracted TLS CertificateVerify message
  12804 Extracted TLS Finished message
  12801 Prepared TLS ChangeCipherSpec message
  12802 Prepared TLS Finished message
  12816 TLS handshake succeeded
  12509 EAP-TLS full handshake finished successfully
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  15041 Evaluating Identity Policy
  15006 Matched Default Rule
  22071 Identity name is taken from AD account Implicit UPN
  15013 Selected Identity Source - *******
  24432 Looking up user in Active Directory - *******
  24325 Resolving identity - E=user@domain.com,CN=user user,user user,user@domain.com
  24313 Search for matching accounts at join point - domain.com
  24359 Incoming identity was not rewritten - E=user@domain.com,CN=user user
  24359 Incoming identity was not rewritten - user user
  24359 Incoming identity was not rewritten - user@domain.com
  24319 Single matching account found in forest - *******
  24323 Identity resolution detected single matching account
  24700 Identity resolution by certificate succeeded - *******
  22037 Authentication Passed
  12506 EAP-TLS authentication succeeded
  24423 ISE has not been able to confirm previous successful machine authentication
  15036 Evaluating Authorization Policy
  24432 Looking up user in Active Directory - *******
  24355 LDAP fetch succeeded - domain.com
  24416 User's Groups retrieval from Active Directory succeeded - *******
  15048 Queried PIP - *******.ExternalGroups
  15048 Queried PIP - Network Access.EapAuthentication
  15004 Matched rule - ASM_USERS_DOT1X_AUTH_WIRELESS_ADMINS
  15016 Selected Authorization Profile - Admin_Access_Profile
  11022 Added the dACL specified in the Authorization Profile
  11503 Prepared EAP-Success
  11002 Returned RADIUS Access-Accept

Can anyone help?

cajones (Level 1)

We had problems with Win10 as well. In our existing 802.1x for Win7 we are using MSCHAP and authenticate against user cert and AD; however, with Win10 that did not work. We had to change the supplicant to use EAP-TLS and only check the machine cert.

Farhan Mohamed (Cisco Employee)

After you apply the Windows 10 November update to a device, you cannot connect to a WPA2-Enterprise network that's using certificates for server-side or mutual authentication (EAP-TLS, PEAP, TTLS). This means you have to apply the patch and update the RADIUS servers; then it should work. Please check the link below for detailed information about this fix:

https://support.microsoft.com/en-us/help/3121002/windows-10-devices-can-t-connect-to-an-802.1x-environment

Do you mean to upgrade ISE 2.0 to 2.2?

From the link provided by Mohamed, 2.0.0.306 patch 1 should have the fix so you should not have to upgrade to 2.2. Actually 2.2 is a recent release and I am testing it in the lab. In fact, I am having issues with the Certificate TAG Group for Webauth, Sponsor portal, etc; so I would not suggest you to go into that version yet even though you are talking about EAP authentication.

Correct! Patch fix is important if you do not want to upgrade...

I tested 802.1x PEAP/EAP-TLS on a Windows 10 device using ISE 2.2 with no issues. However, we are facing issues with the sponsor portal and guest portals on that version, which require stopping/restarting the services to make them work. Still working on this part.

Our customer runs ISE 2.3.0.298 with the newest patch "3".

He is using EAP-PEAP with MSCHAP "computer authentication".

The setup is working fine with Windows 7 clients. Now the customer reported that his test with the Win10 clients was unsuccessful.

I followed the Microsoft guide to force the Win10 clients to TLS 1.0:

"To configure the TLS version that EAP uses by default, you must add a DWORD value that's named TlsVersion to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13

The value of this registry key can be 0xC0, 0x300, or 0xC00."

I can see that the EAP requests are coming in with TLS 1.0, but the requests still get dropped.

Did I overlook something?

Authentication Details

Source Timestamp 2018-05-04 22:22:05.551
Received Timestamp 2018-05-04 22:22:05.551
Policy Server TILLISE1
Event 5440 Endpoint abandoned EAP session and started new
Failure Reason 5440 Endpoint abandoned EAP session and started new
Resolution Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
Username host/W10TEST01.tillotts.com
Endpoint Id 60:F6:77:xxxxxxxx
Authentication Protocol PEAP (EAP-MSCHAPv2)
Network Device NAD_10.60.1xxxx
Device Type All Device Types#WLAN Controller
Location All Locations#Datacenter
NAS IPv4 Address 10.60.1xxxx
NAS Port Type Wireless - IEEE 802.11

Other Attributes

ConfigVersionId 43
AcsSessionID TILLISE1/314836393/11
NAS-Port 13
CPMSessionID 0a3c0a0a0001b34e5aecc0dd
EndPointMACAddress 60-F6-77-xxxxx
ISEPolicySetName WIRELESS_SECURE
StepLatency 75=15525
TLSCipher ECDHE-RSA-AES256-SHA
TLSVersion TLSv1
DTLSSupport Unknown
RadiusFlowType Wireless802_1x
Model Name 2504
Software Version 8.5.120.0
Network Device Profile Cisco
Location Location#All Locations#Datacenter
Device Type Device Type#All Device Types#WLAN Controller
IPSEC IPSEC#Is IPSEC Device#No
Network_Devices Network_Devices#Network_Devices#WLCs
Device IP Address 10.60.xxxxx

Result

RadiusPacketType Drop
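A small triage script for the two kinds of ISE output quoted in this thread: the numbered step list from the successful EAP-TLS post above (5200) and the Authentication Details block from the PEAP drop (5440) just above. This is an added example, not part of any post and not Cisco code. The sample inputs are constructed from the codes those posts show (the masked identity source is replaced by the placeholder AD1 and the host's domain by example.com), and the one-line glosses for 24423 and 5440 are this example's own reading of the step text.

```python
"""Triage helper for Cisco ISE Live Log output as pasted in this thread.

Added example, not Cisco code. It reads the numbered 'Steps' list
('<code> <message>' per line) and the key/value 'Authentication Details'
block, then summarises what the 802.1X attempt negotiated and where it
stopped, flagging the step codes the thread turned on (24423 and 5440).
"""
import re

STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(.+?)\s*$")

# Glosses for codes seen in the thread; the wording is this example's own.
WARN = {
    "24423": "ISE could not confirm a previous machine authentication, so any "
             "rule that depends on machine auth (MAR) will not match",
    "5440": "endpoint abandoned the EAP session and started a new one; the "
            "supplicant gave up mid-exchange, so look at the client side first",
}

# Keys of the Authentication Details block this helper extracts (assumed list).
DETAIL_KEYS = ("Event", "Failure Reason", "Username", "Authentication Protocol",
               "TLSVersion", "TLSCipher", "RadiusPacketType", "NAS Port Type")


def parse_steps(text):
    """Return [(code, message), ...] for every '<code> <message>' line."""
    return [m.groups() for m in map(STEP_RE.match, text.splitlines()) if m]


def triage_steps(steps):
    """Summarise a step list: rules hit, EAP method, TLS state, result."""
    t = {"rules": [], "eap": None, "tls": "not seen", "client_cert": False,
         "identity_source": None, "authz_profile": None, "result": "unknown",
         "warnings": []}
    for code, msg in steps:
        tail = msg.split(" - ", 1)[-1]        # text after '<something> - '
        if code == "15004":                   # Matched rule - <name>
            t["rules"].append(tail)
        elif code == "12500":                 # proposing EAP-TLS
            t["eap"] = "EAP-TLS"
        elif code == "12811":                 # client certificate received
            t["client_cert"] = True
        elif code == "12816":                 # TLS handshake succeeded
            t["tls"] = "ok"
        elif code == "15013":                 # Selected Identity Source - X
            t["identity_source"] = tail
        elif code == "15016":                 # Selected Authorization Profile
            t["authz_profile"] = tail
        elif code == "11002":                 # Returned RADIUS Access-Accept
            t["result"] = "ACCEPT"
        if code in WARN:
            t["warnings"].append(f"{code}: {WARN[code]}")
    return t


def parse_details(text):
    """Pick the known keys out of the 'Authentication Details' block."""
    out = {}
    for line in text.splitlines():
        s = line.strip()
        for key in DETAIL_KEYS:
            if s.startswith(key + " "):
                out[key] = s[len(key) + 1:].strip()
                break
    return out


def triage_details(d):
    """Summarise a dropped/failed attempt from its detail attributes."""
    t = {"username": d.get("Username"),
         "protocol": d.get("Authentication Protocol"),
         "tls_version": d.get("TLSVersion"), "cipher": d.get("TLSCipher"),
         "result": d.get("RadiusPacketType", "unknown").upper(), "warnings": []}
    event = d.get("Failure Reason") or d.get("Event") or ""
    code = event.split(" ", 1)[0]
    if code in WARN:
        t["warnings"].append(f"{code}: {WARN[code]}")
    if t["tls_version"] == "TLSv1":
        t["warnings"].append("TLSv1: the EAP TLS tunnel was negotiated at TLS 1.0; "
                             "if TlsVersion was pinned in the registry, the pin "
                             "took effect and the drop is not a TLS-version mismatch")
    return t


# Constructed samples modelled on the two posts (placeholders: AD1, example.com).
SAMPLE_STEPS = """\
11001 Received RADIUS Access-Request
15004 Matched rule - Dot1X
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12811 Extracted TLS Certificate message containing client certificate
12816 TLS handshake succeeded
15013 Selected Identity Source - AD1
22037 Authentication Passed
24423 ISE has not been able to confirm previous successful machine authentication
15004 Matched rule - ASM_USERS_DOT1X_AUTH_WIRELESS_ADMINS
15016 Selected Authorization Profile - Admin_Access_Profile
11002 Returned RADIUS Access-Accept
"""
SAMPLE_DETAILS = """\
Event 5440 Endpoint abandoned EAP session and started new
Failure Reason 5440 Endpoint abandoned EAP session and started new
Username host/W10TEST01.example.com
Authentication Protocol PEAP (EAP-MSCHAPv2)
TLSCipher ECDHE-RSA-AES256-SHA
TLSVersion TLSv1
RadiusPacketType Drop
"""

if __name__ == "__main__":
    for k, v in triage_steps(parse_steps(SAMPLE_STEPS)).items():
        print(f"{k:16} {v}")
    print("-" * 40)
    for k, v in triage_details(parse_details(SAMPLE_DETAILS)).items():
        print(f"{k:16} {v}")
```

Paste the step list or the details block from the Live Log detail page into the two sample strings; the summary tells you at a glance whether the failure is before the TLS handshake (version or certificate trust on the supplicant), after it (identity or authorization policy), or, as in the 5440 case, the client walking away from a session the server considered still open.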


asmlicense (Level 1)

It is fixed, thank you. There are 4 more patches for 2.0. Do you recommend applying them too?

Another person just replied reporting issues again with 2.1 patch 3 (not 2.0 patch 1). So it looks like something was broken when Cisco changed the version. Therefore, I would suggest you stay on 2.0 patch 1. (I am currently on 1.4.0.253 patch 10 and moving directly to 2.2 patch 1 - still evaluating.)

I have the same problem in ISE version 2.1 patch 3
