05-23-2017 03:45 AM - edited 03-11-2019 12:44 AM
Hi all,
I have an ISE 2.0 environment running a wireless 802.1x scenario. I have tested Windows 10, but it failed to connect to the network with 802.1x. Now our system engineers want to upgrade clients from Windows 8.1 to Windows 10, but we are hesitating because of Windows 10 performance.
I would like to know if anything has changed with ISE 2.2. Also, I am not sure whether it is an ISE-side or a Windows-side matter.
In brief, does ISE 2.2 802.1x work with Windows 10?
05-24-2017 01:51 PM
We are currently using Win 7 on PEAP/EAP-TLS with no issues. I tested on Windows 10 and it worked BUT I found that the mandatory profile used on Win 7 devices sometimes has to be created manually for those devices as well if you do not have a GPO to deploy.
Could you please post the error message from ISE Live Authentications?
06-08-2017 06:58 AM
I got the "5200 Authentication succeeded" message in ISE.
11001 | Received RADIUS Access-Request | |
11017 | RADIUS created a new session | |
15049 | Evaluating Policy Group | |
15008 | Evaluating Service Selection Policy | |
15048 | Queried PIP - Normalised Radius.RadiusFlowType | |
15004 | Matched rule - Dot1X | |
11507 | Extracted EAP-Response/Identity | |
12500 | Prepared EAP-Request proposing EAP-TLS with challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12502 | Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated | |
12800 | Extracted first TLS record; TLS handshake started | |
12805 | Extracted TLS ClientHello message | |
12806 | Prepared TLS ServerHello message | |
12807 | Prepared TLS Certificate message | |
12809 | Prepared TLS CertificateRequest message | |
12505 | Prepared EAP-Request with another EAP-TLS challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12504 | Extracted EAP-Response containing EAP-TLS challenge-response | |
12505 | Prepared EAP-Request with another EAP-TLS challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12504 | Extracted EAP-Response containing EAP-TLS challenge-response | |
12505 | Prepared EAP-Request with another EAP-TLS challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12504 | Extracted EAP-Response containing EAP-TLS challenge-response | |
12505 | Prepared EAP-Request with another EAP-TLS challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12504 | Extracted EAP-Response containing EAP-TLS challenge-response | |
12505 | Prepared EAP-Request with another EAP-TLS challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12504 | Extracted EAP-Response containing EAP-TLS challenge-response | |
12505 | Prepared EAP-Request with another EAP-TLS challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12504 | Extracted EAP-Response containing EAP-TLS challenge-response | |
12505 | Prepared EAP-Request with another EAP-TLS challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12504 | Extracted EAP-Response containing EAP-TLS challenge-response | |
12571 | ISE will continue to CRL verification if it is configured for specific CA - certificate for user user | |
12571 | ISE will continue to CRL verification if it is configured for specific CA - certificate for ASM ICA1 | |
12811 | Extracted TLS Certificate message containing client certificate | |
12812 | Extracted TLS ClientKeyExchange message | |
12813 | Extracted TLS CertificateVerify message | |
12804 | Extracted TLS Finished message | |
12801 | Prepared TLS ChangeCipherSpec message | |
12802 | Prepared TLS Finished message | |
12816 | TLS handshake succeeded | |
12509 | EAP-TLS full handshake finished successfully | |
12505 | Prepared EAP-Request with another EAP-TLS challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
12504 | Extracted EAP-Response containing EAP-TLS challenge-response | |
15041 | Evaluating Identity Policy | |
15006 | Matched Default Rule | |
22071 | Identity name is taken from AD account Implicit UPN | |
15013 | Selected Identity Source - ******* | |
24432 | Looking up user in Active Directory - ******* | |
24325 | Resolving identity - E=user@domain.com,CN=user user,user user,user@domain.com | |
24313 | Search for matching accounts at join point - domain.com | |
24359 | Incoming identity was not rewritten - E=user@domain.com,CN=user user | |
24359 | Incoming identity was not rewritten - user user | |
24359 | Incoming identity was not rewritten - user@domain.com | |
24319 | Single matching account found in forest - ******* | |
24323 | Identity resolution detected single matching account | |
24700 | Identity resolution by certificate succeeded - ******* | |
22037 | Authentication Passed | |
12506 | EAP-TLS authentication succeeded | |
24423 | ISE has not been able to confirm previous successful machine authentication | |
15036 | Evaluating Authorization Policy | |
24432 | Looking up user in Active Directory - ******* | |
24355 | LDAP fetch succeeded - domain.com | |
24416 | User's Groups retrieval from Active Directory succeeded - ******* | |
15048 | Queried PIP - *******.ExternalGroups | |
15048 | Queried PIP - Network Access.EapAuthentication | |
15004 | Matched rule - ASM_USERS_DOT1X_AUTH_WIRELESS_ADMINS | |
15016 | Selected Authorization Profile - Admin_Access_Profile | |
11022 | Added the dACL specified in the Authorization Profile | |
11503 | Prepared EAP-Success | |
11002 | Returned RADIUS Access-Accept |
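An added example, not part of the original thread and not Cisco tooling: a small Python triage helper that reads a step list in the layout posted above and reports how far the EAP-TLS exchange got and which milestone is the first one missing. The step codes are taken from that log; the sample input and the profile name in it are constructed.

```python
import re

# Constructed sample in the same "code | message" layout as the posted steps.
SAMPLE = """\
11001 | Received RADIUS Access-Request | |
12500 | Prepared EAP-Request proposing EAP-TLS with challenge | |
11006 | Returned RADIUS Access-Challenge | |
12805 | Extracted TLS ClientHello message | |
12806 | Prepared TLS ServerHello message | |
11006 | Returned RADIUS Access-Challenge | |
12811 | Extracted TLS Certificate message containing client certificate | |
12816 | TLS handshake succeeded | |
24700 | Identity resolution by certificate succeeded - ******* | |
15016 | Selected Authorization Profile - Example_Profile | |
11002 | Returned RADIUS Access-Accept |
"""

# Milestones in flow order, using only step codes that appear in the posted log.
MILESTONES = [
    ("12805", "client_hello"),
    ("12811", "client_certificate"),
    ("12816", "tls_handshake"),
    ("24700", "identity_resolved"),
    ("15016", "authz_profile"),
    ("11002", "access_accept"),
]

STEP = re.compile(r"^\s*(\d{5})\s*\|\s*(.*?)\s*(?:\|\s*)*$")

def parse_steps(text):
    """Return [(code, message)] for each 'code | message' line; other lines are skipped."""
    matches = (STEP.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def summarize(text):
    """Report how far the flow got and which milestone is the first one missing."""
    steps = parse_steps(text)
    codes = [code for code, _ in steps]
    missing = [name for code, name in MILESTONES if code not in codes]
    profile = [msg.split(" - ", 1)[1] for code, msg in steps if code == "15016" and " - " in msg]
    return {
        "challenges": codes.count("11006"),  # Access-Challenge round trips
        "reached": [name for code, name in MILESTONES if code in codes],
        "stalled_before": missing[0] if missing else None,
        "authz_profile": profile[0] if profile else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A log that ends in Access-Accept, like the one posted, yields `stalled_before: None`, which points troubleshooting at the client or the access network rather than at the ISE policy.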
06-21-2017 11:16 PM
Can anyone help?
06-08-2017 06:44 AM
We had problems with Win10 as well. In our existing 802.1x for Win7 we are using MSChap and authenticate against user cert and AD, however, with Win10 that did not work. We had to change the supplicant to use EAP-TLS and only check machine cert.
06-22-2017 04:43 AM
After you apply the Windows 10 November update to a device, you cannot connect to a WPA-2 Enterprise network that's using certificates for server-side or mutual authentication (EAP TLS, PEAP, TTLS). This means you have to apply the patch and update the RADIUS servers, and then it should work. Please check the link below for detailed information on this fix:
06-22-2017 04:56 AM
Do you mean to upgrade ISE 2.0 to 2.2?
06-22-2017 08:55 AM
From the link provided by Mohamed, 2.0.0.306 patch 1 should have the fix, so you should not have to upgrade to 2.2. Actually, 2.2 is a recent release and I am testing it in the lab. In fact, I am having issues with the Certificate TAG Group for Webauth, Sponsor portal, etc., so I would not suggest that you go to that version yet, even though you are talking about EAP authentication.
06-22-2017 11:50 AM
Correct! Patch fix is important if you do not want to upgrade...
07-17-2017 10:17 AM
I tested 802.1x PEAP/EAP-TLS on a Windows 10 device using ISE 2.2 with no issues. However, we are facing issues with the sponsor portal and guest portals on that version, which require stopping/restarting the services to make them work. Still working on this part.
05-04-2018 01:26 PM
Our customer runs ISE 2.3.0.298 with the newest patch "3".
He is using EAP-PEAP with MSCHAP "computer authentication".
The setup is working fine with Windows 7 clients. Now the customer reported that his tests with the Win10 clients were unsuccessful.
I followed the Microsoft guide to force the Win10 clients to TLS 1.0:
"To configure the TLS version that EAP uses by default, you must add a DWORD value that's named TlsVersion to the following registry subkey:
The value of this registry key can be 0xC0, 0x300, or 0xC00."
I can see that the EAP requests are coming in with TLS 1.0, but the requests still get dropped.
Did I overlook something?
06-22-2017 11:06 PM
It is fixed, thank you. There are 4 more patches for 2.0. Do you recommend applying them too?
06-27-2017 09:54 AM
Another person just replied reporting issues again 2.1 patch 3 (no 2.0 patch 1). So it looks like something was broken when Cisco changed the version. Therefore, I would suggest you stay on 2.0 patch 1. (I am currently on 1.4.0.253 patch 10 and moving directly to 2.2 patch 1 - still evaluating.)
06-23-2017 04:18 PM
I have the same problem in ISE version 2.1 patch 3