ISE 3.1 - handful of supplicants declining auth when others work

adam imbruglio
Level 1

Good morning,

My organization has set up ISE (3.1.0.518) for network access control; all of our laptops are running Windows 11 and we have group policy pushing TEAP settings to them. This is working for the vast majority of the 700 or so laptops currently connected, but we have a handful of devices that refuse to connect to the ISE-protected network. At this time these are all Dell Latitude 5410s running up-to-date Windows 11 Enterprise, with the same settings as all the other machines. When they try to connect, though, they only show up as host/<pcname.domainame>. No user authentication is occurring. Checking the logs shows:

11515 Supplicant declined inner EAP method selected by Authentication Policy but did not proposed another one; inner EAP negotiation failed

We've tried updating the wireless drivers, switching out the wireless cards, re-imaging the machines, but these laptops still refuse to get past this; I can't figure out what's different with them from all the others that are working fine.

Full radius log is attached.

Does anyone have any idea why this might be failing?

1 Accepted Solution

adam imbruglio
Level 1

Issue solved!  In case anyone else runs into this it appears to have been Credential Guard causing issues.  Apparently some machines were sent out from Dell with the UEFI key to force Credential Guard on enabled.  I noticed this was running despite our group policy disabling it on all three affected machines.

The procedure to disable the UEFI lock is at https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=intune#disable-credential-guard. However, it isn't /quite/ correct: you'll need to disable the lock and THEN disable Credential Guard in the registry, the opposite of what it shows there.

I'm not entirely sure why it was causing issues with ISE at all, however as soon as I disabled it all three machines connected without issue.
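
A way to check a laptop for the condition described in the accepted solution, Credential Guard running even though policy disables it. This is an added example, not part of the original post; it assumes an elevated PowerShell session and relies on the LsaCfgFlags registry value and the Win32_DeviceGuard class that Microsoft documents for Credential Guard.

```powershell
# Added diagnostic: compare configured vs. running Credential Guard state.
# Assumption: run locally in an elevated PowerShell session on the laptop.

function Get-LsaCfgFlags {
    param([string]$Path)
    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
    $item = Get-ItemProperty -Path $Path -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value not set at this location
    return [int]$item.LsaCfgFlags
}

$meaning = @{ 0 = 'disabled'; 1 = 'enabled with UEFI lock'; 2 = 'enabled without lock' }

# The two registry locations where the setting can be configured.
$sources = [ordered]@{
    'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    'Local (Lsa)'  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
}

$configured = foreach ($name in $sources.Keys) {
    $flags = Get-LsaCfgFlags -Path $sources[$name]
    [pscustomobject]@{
        Source      = $name
        LsaCfgFlags = $flags
        Meaning     = if ($null -eq $flags) { 'not set' } else { $meaning[$flags] }
    }
}

# Runtime state as reported by the Device Guard WMI class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
$cgRunning = $dg.SecurityServicesRunning -contains 1   # 1 = Credential Guard

$configured | Format-Table -AutoSize
"VBS status (0 = off, 1 = enabled but not running, 2 = running): $($dg.VirtualizationBasedSecurityStatus)"
"Credential Guard running: $cgRunning"

# Flag the symptom from the post: running although no registry location enables it.
$enabledInRegistry = @($configured | Where-Object { $_.LsaCfgFlags -in 1, 2 }).Count -gt 0
if ($cgRunning -and -not $enabledInRegistry) {
    'MISMATCH: Credential Guard is running but the registry does not enable it; check for a UEFI lock.'
} elseif (@($configured | Where-Object { $_.LsaCfgFlags -eq 1 }).Count -gt 0) {
    'Credential Guard is configured with UEFI lock; a registry or policy change alone will not turn it off.'
}
```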

3 Replies

andrewswanson
Level 7

Hi

Is the group policy configured profile on the Dell Latitudes showing as being the same as the group policy configured profiles on the devices that are working?

You can export these profiles to compare with the CLI command:

netsh wlan export profile name=<GROUP_POLICY_PROFILE>

hth
Andy

I just exported the profiles from one working laptop and the two that won't connect; all three are identical. This is driving my network admin and me absolutely nuts right now.