
Unable to get Windows native supplicant and TEAP working reliably.

MikeMoss
Level 1

I have 802.1x configured and working in ISE (3.2 Patch 2) and Cisco Secure Client v5. This is using EAP-TLS / EAP-Chaining.

I have been asked if we could get rid of Secure Client NAM altogether. So I'm attempting to get this working now with ISE and Windows native supplicant using TEAP / EAP-TLS (EAP-Chain). So far I've been unsuccessful at this. I can see the machine talking to ISE (Live Logs), but instead of using 802.1x, the Windows machine falls back to MAB. On the switch I see all these timeout errors...

%DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (MAC ADDRESS HERE) with reason (Timeout) on Interface Gi7/0/43 AuditSessionID 11FEA8C0000BBE0311FCB007 Username: anonymous

I have all my certs selected, EAP-TLS configured, EAP-Chaining enabled on ISE, policy rules configured, certs installed on both endpoint and ISE, etc. - but still no luck. If I re-enable Secure Client on the same machine everything works fine - it's only failing/timing out when using Windows native.

Anyone else have any luck getting TEAP to work with Windows 11 22H2? Or is there a published bug about this somewhere (Cisco or Microsoft)?

TY!

2 Replies

Greg Gibbs
Cisco Employee

I have Wired TEAP(EAP-TLS) with EAP Chaining working reliably in my lab on a Surface tablet running Win11 22H2.

You might try completely uninstalling NAM in case it is still intercepting EAP. Otherwise, please post more details of your supplicant configuration, ISE policy, etc. You can also get a packet capture on the client to see what the EAP communications look like and whether the client is presenting its User certificate.
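
One way to read the client-side capture suggested above, as an added example that is not part of the original reply and not Cisco's tooling: it classifies raw EAPOL frames and reports whether the supplicant answered at all, rejected the offered method with a Nak, or replied with TEAP (EAP type 55, RFC 7170). It assumes untagged Ethernet frames exported from the capture; the function names and the sample frames in the test are constructed for illustration.

```python
import struct

# EAP method numbers from the IANA EAP registry (TEAP is type 55, RFC 7170).
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST", 55: "TEAP"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eapol(frame: bytes):
    """Return (code, type_name, nak_offers) for an EAPOL EAP-Packet, else None."""
    if len(frame) < 18 or frame[12:14] != b"\x88\x8e":
        return None  # not EAPOL (EtherType 0x888E) or truncated
    _ver, pkt_type, _body_len = struct.unpack("!BBH", frame[14:18])
    if pkt_type != 0 or len(frame) < 22:
        return None  # EAPOL-Start/Logoff/Key carry no EAP packet
    code, _ident, eap_len = struct.unpack("!BBH", frame[18:22])
    eap = frame[18:18 + eap_len]
    if code not in (1, 2) or len(eap) < 5:
        return (EAP_CODES.get(code, str(code)), None, [])  # Success/Failure have no type
    name = EAP_TYPES.get(eap[4], f"type-{eap[4]}")
    # A Legacy Nak response lists the methods the supplicant would accept instead.
    offers = [EAP_TYPES.get(t, f"type-{t}") for t in eap[5:]] if eap[4] == 3 else []
    return (EAP_CODES[code], name, offers)


def diagnose(frames):
    """Heuristic summary of one authentication attempt (assumption of this example)."""
    parsed = [p for p in map(parse_eapol, frames) if p]
    responses = [p for p in parsed if p[0] == "Response"]
    if not responses:
        return "no EAP response from supplicant (authenticator will time out)"
    for _code, name, offers in responses:
        if name == "Nak":
            return "supplicant rejected offered method, accepts: " + ", ".join(offers)
    if any(name == "TEAP" for _code, name, _offers in responses):
        return "supplicant is answering with TEAP"
    return "supplicant responded, but never with TEAP"


def make_frame(code, ident, eap_type, data=b""):
    """Build a constructed sample frame: PAE group MAC, dummy source MAC, EAPOL v2."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data
    return (bytes.fromhex("0180c2000003") + bytes.fromhex("020000000001")
            + b"\x88\x8e" + struct.pack("!BBH", 2, 0, len(eap)) + eap)
```

A "no EAP response" result matches the switch-side Timeout reason in the log above; a Nak result points at the supplicant profile rather than at ISE policy.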

What do you mean by EAP-TLS / EAP-Chaining?  Do you mean TEAP?  Are you configuring the native Windows supplicant manually or with a GPO?  Like @Greg Gibbs said, make sure the NAM module is completely uninstalled.