
Win 10 rejects ISE 802.1x wireless certificate

Uncle ZZL
Level 1

Hi everyone,

I have had a problem recently: some of our company computers can't connect to the 802.1x network.

Our RADIUS server: ISE, version 2.7 patch 9

Computer system: Win 10 Professional 22H2

WLC: Cisco Catalyst 9800-L Wireless, version 17.3.4c

When a computer connects to the wireless network, after I enter the username/password, the computer shows "can't connect to this network".

I checked the WLC log:

% dot1x-5-fail: chassis 1 r0/0 :wncd:authentication failed for client (xxxx.xxxx.xxxx)with reason (timeout)

% dot1x-5-fail: chassis 1 r0/0:wncd:authentication failed for client (xxxx.xxxx.xxxx)with reason(cred fail)

About the ISE log:

12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

12934 supplicant stopped responding to ISE during PEAP tunnel establishment

I have already tried these methods:

1. Changed the Win 10 TLS version to 1.2, or 1.0.

2. When Win 10 connects to the network, I chose PEAP and unchecked the box "validate server certificates".

3. Imported the EAP certificate from ISE into Win 10 and checked the box "validate server certificates".

None of these methods worked.

How can I resolve this problem? Thank you all very much!

 

5 Replies

I don't get it. You use the EAP cert of ISE; is this cert self-signed, or is it signed by a CA that Win 10 trusts?

If it is self-signed, then check this guide on how to add a self-signed cert to the client.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/201044-802-1x-authentication-with-PEAP-ISE-2-1.html#toc-hId--1292138879

Thank you for your help! At the beginning, we didn't use a cert on the computers. We unchecked the box "verify the server's identity by validating the certificate" when connecting to the network. But some computers can't connect. Then I exported the cert "Default self-signed server certificate" from ISE and installed it on the computer, following the guide you sent me. But it didn't work either.

Hi, maybe I found the solution. I set up two SSIDs on the WLC, for example A and B. I set up device authentication, added my computer's MAC address to it, and related it to the SSID A profile. But I never set MAC filtering on SSID A or B. My computer can connect to A, but can't connect to B. After I removed the MAC setting, my computer can connect to A and B. Is that a bug? Thank you!

 

The Catalyst 9800-L Wireless Controller running release 17.3.4 has an SMU available for what seems to be this very issue. The Hitless/Recommended SMU, "9800 WLC stops sending RADIUS packets", was released in 2021.

17.3.4c is VERY old and should be upgraded. The current suggested release is 17.9.4a.

 

Yes, maybe I will update it, thank you!