ISE Windows 11 issue

Maurice Ball
Level 6

I have an issue I hope someone could help me with. I am having an issue with 802.1x authentication on ISE. They are using PEAP with certificate computer-only authentication and everything appears to be configured correctly, but authentication continues to fail on Windows 11 wired clients. Note: They are using the same setup with Windows 10 clients and it works without any issues, but with Windows 11 clients it fails on the wired connection but is successful with Windows 11 clients on the wireless connection. Basically it works everywhere correctly with the exception of the Windows 11 wired clients. Do you have any idea of what could be causing the issue?

1 Accepted Solution

Accepted Solutions

To add to what others have said, take a look at the endpoint logs; they can often point you in the right direction.

One item I'd like to point out is that in Windows 11 there were some changes regarding server validation.
In Windows 10 and earlier, it used to be enough to have the CA in the trust store if you had server validation enabled/checked, but in some Windows 11 update it became required to specifically select which CA you were going to trust.
One of the signs that people were running into this was that Windows 11 clients failed where older clients worked.

Is it possible that this might be your case, and that this might be correctly configured in your Wi-Fi GPO but not in the wired group policy?

Again, check the endpoint logs in the Event Viewer; they can be very valuable in determining why the authentication fails if it's the client refusing to continue the process.


---
Please mark helpful answers & solutions
---

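One way to check the server-validation point above on a Windows 11 wired client, as an added example that is not from this thread: a PowerShell script that exports the effective wired 802.1X profile with netsh lan and reports whether the PEAP ServerValidation block explicitly names a trusted root CA and server name. It assumes the interface is called "Ethernet", that a temp folder is writable, and that the exported profile reflects the wired policy applied by GPO.

```powershell
# Added example (not from the thread). Export the wired 802.1X profile for one
# interface and report whether PEAP server validation pins specific root CAs.
param(
    [string]$InterfaceName = 'Ethernet',                 # assumed interface name
    [string]$ExportFolder  = "$env:TEMP\lanprofile"      # assumed scratch folder
)

New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null

# netsh lan needs the Wired AutoConfig service (dot3svc) to be running
& netsh lan export profile folder="$ExportFolder" interface="$InterfaceName" | Out-Null

$profileFile = Get-ChildItem -Path $ExportFolder -Filter '*.xml' | Select-Object -First 1
if (-not $profileFile) { throw "No wired profile exported for interface '$InterfaceName'." }

[xml]$xml = Get-Content -Path $profileFile.FullName -Raw

# The PEAP settings live in their own namespace inside the EapHostConfig blob
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('peap', 'http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1')

$validation = $xml.SelectSingleNode('//peap:ServerValidation', $ns)
if (-not $validation) { throw 'No PEAP ServerValidation block found in the exported profile.' }

# Zero TrustedRootCA entries means "trust any CA in the store", which Windows 11
# no longer accepts silently when server validation is enabled
$trustedCAs  = @($validation.SelectNodes('peap:TrustedRootCA', $ns) |
                 ForEach-Object { $_.InnerText.Trim() })
$serverNames = $validation.SelectSingleNode('peap:ServerNames', $ns).InnerText
$noPrompt    = $validation.SelectSingleNode('peap:DisableUserPromptForServerValidation', $ns).InnerText

$finding = if ($trustedCAs.Count -eq 0) {
    'No root CA explicitly selected: Windows 11 clients may reject the ISE server certificate.'
} else {
    'Root CA explicitly pinned.'
}

[pscustomobject]@{
    Profile                              = $profileFile.Name
    TrustedRootCACount                   = $trustedCAs.Count
    TrustedRootCAThumbprints             = ($trustedCAs -join '; ')
    ServerNames                          = $serverNames
    DisableUserPromptForServerValidation = $noPrompt
    Finding                              = $finding
}
```

Compare the output against the same export taken on a working Windows 10 client or against the Wi-Fi profile; a TrustedRootCACount of 0 only on the wired profile matches the symptom described in the thread.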

9 Replies

@Maurice Ball Windows 11 Credential Guard is likely causing the problem, as PEAP is insecure and blocked; you'd need to move to certificate authentication, EAP-TLS or PEAP-TLS.

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues


Maurice Ball
Level 6

Thanks for the quick reply, but Credential Guard looks to be disabled. The system account also has full access to the certificate's private key, and Windows 11 fast startup is disabled.

@Maurice Ball I assume the computers are still in the same OU in the domain and getting the GPO settings with the correct wired 802.1x authentication being applied?

What do the ISE logs give as the reason for failing to authenticate?


Maurice Ball
Level 6

Correct. I am getting a 5440 error on ISE, but it is showing that the handshake was successful.


@Maurice Ball Usually an endpoint issue; take packet captures and run debugs on the switch.

andrewswanson
Level 11

Hi

Have you had a look at this thread regarding Windows 11 using TLS 1.3? It has a link to another thread showing how to disable this on Windows 11 clients.

hth

Andy

https://community.cisco.com/t5/network-access-control/ise-3-3-802-1x-eap-tls-tls1-3/td-p/5354087


I have not checked this, so thanks for the information.

Ok, thanks.