ISE - EAP TLS Multiple Users login Auth Issue

AMA ALS
Community Member

I implemented Cisco ISE using EAP-TLS for user authentication. Authentication works fine for the machine owner only. However, when other users log in to different machines, authentication fails because their certificates are not installed on those machines.

We tested a scenario where user authentication fails and machine authentication passes, which initially provides limited access. However, once the machine is successfully authenticated and the user starts to log in, access is lost and the user is unable to connect to the network.

How to solve this issue?

@ISE 

4 Replies

I see three ways to solve this:

  1. Only do Machine-Authentication and treat every user identically.
  2. Authenticate the machine with certificates, but use username/password for the user (a more legacy approach).
  3. Make sure that the certificate moves with the user => Smartcards.
--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Cristian Matei
VIP Alumni

Hi,

If, most probably, you want to keep user authentication as well, you need to use an AD GPO that automatically installs a user certificate upon user login, which will allow successful EAP-TLS authentication for the user as well (ensure that machine authorization allows connectivity with AD for this process to work); find more information as well as a complete guide here:

https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

https://lostintransit.se/2024/11/07/leveraging-gpo-to-distribute-user-and-computer-certificate/

The other option, to keep the same solution you're looking for, would be to have the user certificate installed on a smart card / USB dongle and have the user attach it to the computer before login.

Otherwise, use only machine authentication (however, you'll not be able to perform different authorizations per user), or change PEAP (EAP-TLS) to PEAP (EAP-MSCHAPv2).

Thanks,

Cristian.
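A quick way to confirm the situation the GPO approach is meant to fix is to audit, on the client itself, whether a usable client-authentication certificate exists in the computer store and in the logged-in user's store, and whether the autoenrollment policy has reached each scope. The following PowerShell script is an added example written for this thread; it is not Cisco's, Microsoft's, or any poster's code. It assumes a domain-joined Windows 10/11 client, Windows PowerShell 5.1 or later, and that it is run in the interactive user's session (the user store is per-logon, which is exactly why a user landing on a "new" machine has nothing to present to ISE). The `AEPolicy` registry value is the one the autoenrollment GPO writes; the bit meanings in the comments follow Microsoft's autoenrollment documentation as I read it and should be verified against your environment.

```powershell
# Added example for this thread (not from ISE, Microsoft, or the posters).
# Audits the certificate state an EAP-TLS user/machine authentication depends on.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (RFC 5280 id-kp-clientAuth)

function Get-EapClientCert {
    # Returns certificates that ISE could actually accept for EAP-TLS:
    # private key present, currently valid, and carrying the Client Authentication EKU.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Store
    )
    $now = Get-Date
    Get-ChildItem -Path "Cert:\$Store\My" -ErrorAction SilentlyContinue |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and
            $_.NotAfter -gt $now -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

function Get-AutoEnrollmentState {
    # Reads the AEPolicy value written by the "Certificate Services Client - Auto-Enrollment"
    # GPO for the given scope. Bit assumptions (verify in your environment):
    #   0x1 enroll, 0x2 renew/update pending, 0x4 update template-based certs,
    #   0x8000 autoenrollment explicitly disabled.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Scope
    )
    $hive = if ($Scope -eq 'CurrentUser') { 'HKCU:' } else { 'HKLM:' }
    $key  = "$hive\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
    $item = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'GPO not applied to this scope yet' }
    $flags = [int]$item.AEPolicy
    if ($flags -band 0x8000) { return "Disabled by policy (AEPolicy=0x{0:X})" -f $flags }
    if ($flags -band 0x1)    { return "Enabled (AEPolicy=0x{0:X})" -f $flags }
    return "Present but enroll bit not set (AEPolicy=0x{0:X})" -f $flags
}

function Show-EapTlsReadiness {
    # Summarises both scopes. On a machine the user has never logged on to, the
    # LocalMachine section is typically healthy while CurrentUser is empty: this is
    # the "machine auth passes, user auth fails" pattern described in the thread.
    foreach ($scope in 'LocalMachine', 'CurrentUser') {
        Write-Host "=== $scope ==="
        Write-Host ("Autoenrollment: {0}" -f (Get-AutoEnrollmentState -Scope $scope))
        $certs = @(Get-EapClientCert -Store $scope)
        if ($certs.Count -eq 0) {
            Write-Host "No valid Client Authentication certificate with a private key found."
        } else {
            $certs | Format-Table -AutoSize | Out-String | Write-Host
        }
    }
}

Show-EapTlsReadiness
```

If the user scope reports the GPO as applied but no certificate is present, the user logon that would have triggered enrollment simply has not completed over a network path that can reach the CA; running `certutil -user -pulse` in the user session forces an autoenrollment pass and is a useful way to confirm that the CA and template are reachable once the machine-authorized VLAN allows it.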

Hi @Cristian Matei

Thank you for your support. 

Machine authorization is currently set to permit access; will the user certificate be installed during the machine authentication/authorization process?

No. The user cert is enrolled by the user GPO, which happens after the user authentication process resulting in a catch-22 scenario.

[Image: Windows 802.1x order of operations]

The best way to mitigate this issue is using TEAP with EAP Chaining as discussed in this post:
https://community.cisco.com/t5/network-access-control/eap-teap-first-time-user-login-chicken-amp-egg-scenario/td-p/4475351