555 Views, 1 Helpful, 5 Replies

User or machine EAP-TLS authentication for the first time

icarimo (Level 1)

I have an SSID with EAP-TLS using certificates.

Initially my GPO was configured to only use the user certificate.

However, we found an issue for new users: it was not possible to log in via Wi-Fi on the first login, since they don't have the certificate to authenticate on Wi-Fi, and to get the certificate requires an internet connection.

To fix it, I updated the GPO to use computer or machine certificate.
Now, before the first login, the user is able to connect to Wi-Fi via the machine certificate. However, after the user logs in for the first time, he is immediately disconnected from the Wi-Fi, and can't connect manually because the user does not have a user certificate.

My doubt is:

  1. Is this the expected behavior? I was expecting that we don't lose the Wi-Fi connection automatically at this point during the login process.
  2. If point 1 is the expected behavior, how can we overcome this situation? Because I don't have wired connections.

Thank you


5 Replies

icarimo (Level 1)

My current GPO (screenshots: icarimo_2-1738195354982.png, icarimo_0-1738195326748.png, icarimo_1-1738195349733.png)


@icarimo

I think this is expected behavior. There are some related discussions here in the forum; the one below is a bit old, but I believe it can help you somehow.

https://community.cisco.com/t5/network-access-control/ise-deployment-eap-tls-machine-or-user-certificates-native/td-p/4094444


Hello Flavio,

Thank you so much for the feedback.
Yes, I saw several discussions about this issue; however, I didn't know what the solution is to fix it.

If you have ever faced it, please, let me know.

This is absolutely expected behaviour due to the fact that the User GPO does not get applied until after the transition to the User state as shown in the order of operations image in the post shared by Flavio.

The best workaround for this 'catch-22' situation is using TEAP(EAP-TLS) as described in this discussion:
https://community.cisco.com/t5/network-access-control/eap-teap-first-time-user-login-chicken-amp-egg-scenario/td-p/4475351


Usually the device is provisioned before the end user gets it. That way everything is ready to go. What I have seen done was to have another rule to allow PEAP or machine auth and then a GPO is pushed to prevent the onboarding SSID from being viewed/selected.

-Scott
*** Please rate helpful posts ***