09-23-2014 10:51 PM - edited 03-10-2019 10:03 PM
Hello
We have certificate-based authentication through ISE.
The issue is that for clients who have a certificate installed, when they change their local Windows user account password, their certificate authentication fails afterwards and they cannot connect to the network using their certificate.
Then we have to reinstall their certificates. This means each time users change their Windows password, we also have to reinstall their certificates.
Any advice on why this is happening?
09-25-2014 12:07 AM
Any instructions?
09-25-2014 02:08 PM
Certificate authentication and standard AD username/password are separate and should not be affecting one another. A few questions:
1. What happens to the certificate after the user changes the password? Is the certificate still present in the certificate store?
2. What is the error message that you see in ISE? Post screenshot(s) of the live authentication screen and the details page.
3. Post screenshots of your AAA policies in ISE (authentication and authorization).
Thank you for rating helpful posts!
09-26-2014 08:55 PM
Actually, we are not using AD; clients are in a workgroup environment.
And yes, the certificate is present in the certificate store after the user changes his Windows password.
Actually, we don't get any error message on ISE. While the users try to connect to the network, no message displays on the ISE authentication page at all. It means the client does not even send any auth messages to ISE as soon as he changes his Windows account password.
09-28-2014 09:23 PM
Are the certs machine certs? Are you installing the cert in the machine store in Windows?
10-01-2014 12:03 AM
Hello,
CSRs are generated as client-machine certificates and are signed by our own private CA on Windows Server, and they are imported into the clients' Local User and Local Machine certificate stores.
The certificates are used for wireless.
The NAD is the WLC, version 7.4.
10-02-2014 09:01 AM
Before I can provide more help I will also need:
1. What is the error message that you see in ISE? Post screenshot(s) of the live authentication screen and the details page.
2. Post screenshots of your AAA policies in ISE (authentication and authorization).
09-28-2014 10:21 PM
Hmm, ISE should still get a log whether or not the supplicant/client responds to the RADIUS challenge. So from what you are describing, the client is not even starting the EAPoL process.
So I have a few more questions:
1. How are the CSRs generated, who signs them, and how are the certificates installed on the endpoints?
2. Is this for wireless or wired?
3. Please provide a screenshot of ISE's authentication and authorization policies.
4. What is the make, model and version of the NADs that you are using?
5. Confirm that you are trying to perform EAP-TLS based authentication.
09-26-2014 03:57 AM
Sounds like you are using user certificates? Otherwise those two things should not be related at all.
09-28-2014 10:57 PM
Hi Jan, I am not that proficient with AD/workgroups, so can you explain how changing a user password can affect a user certificate?
06-06-2017 03:31 AM
Hi
I know this thread is from a long time ago, but I was wondering if anyone could offer any assistance. We recently installed Cisco ASA devices and we are having the same issues as this. We have installed user certs for client authentication, and most, but not every, time the user updates his Windows password we get a certificate validation error and the user appears to lose access to his private key, although if I look on the security tab of the key the user is still the owner. The only way we can then get the client to connect again is to reinstall the cert and reboot the machine. The cert is in the user's Personal store.
Has anyone else come across this kind of issue?
Thanks in advance
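One way to confirm the symptom described in the post above (the certificate is still in the user's Personal store, but its private key can no longer be used), as an added diagnostic that is not part of this thread: it assumes an RSA client-authentication user certificate in Cert:\CurrentUser\My and Windows PowerShell 5.1 or later, run as the affected user.

```powershell
# Added diagnostic (not from the thread): for each Client Authentication certificate
# in the current user's Personal store, check whether its private key is still usable.
# Assumes Windows PowerShell 5.1+ and RSA keys; run in the affected user's session.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the EKU an EAP-TLS supplicant selects on

function Test-ClientCertPrivateKey {
    [CmdletBinding()]
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $probe = [System.Text.Encoding]::ASCII.GetBytes('eap-tls private key probe')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Skip certificates that do not carry the Client Authentication EKU.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $eku -or -not ($eku.EnhancedKeyUsages.Value -contains $clientAuthOid)) { continue }

        $keyUsable = $false
        $reason    = ''
        if ($cert.HasPrivateKey) {
            try {
                # Having a key reference is not enough; actually signing proves the
                # current user context can open the key, which is what the supplicant must do.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) { throw 'No RSA private key handle returned (non-RSA key or key missing)' }
                $sig = $rsa.SignData($probe,
                    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
                $keyUsable = ($sig.Length -gt 0)
            } catch {
                # Typical failures here: "Keyset does not exist", access denied, key not found.
                $reason = $_.Exception.Message
            }
        } else {
            $reason = 'Certificate is in the store but no private key is associated with it'
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            KeyUsable     = $keyUsable
            Reason        = $reason
        }
    }
}

Test-ClientCertPrivateKey | Format-Table -AutoSize
```

A row with HasPrivateKey true but KeyUsable false is the state the post describes: the certificate and its key reference survive, but the user's current context can no longer open the key, so EAP-TLS never completes.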
06-06-2017 06:21 AM
It happens with those users having administrative rights with their Windows account profiles. Limited account users may not face such issues when changing their Windows user passwords.
06-06-2017 06:24 AM
Hi, and thanks for getting back to me; it is much appreciated.
The users who this is happening to are just standard domain users, not admins.
Can you clarify exactly what you mean by administrative rights within the user account profiles?
Sorry to be a pain.
06-06-2017 07:42 AM
I was getting the same issue with those users whose Windows account had administrative privileges and who were in a workgroup.
However, limited users do not face such issues even if they change their password.
06-07-2017 03:00 AM
Think our issue may be a bit different then, as none of the users who are having the issues have administrative rights. They are all just domain users; they reset the password, then on the next AnyConnect login they receive the error "certificate validation error".
Thanks for getting back to me though