The Microsoft support help pages might be giving either confusing or incorrect info.
ISE 2.0 FCS without patches is impacted. ISE 2.0 Patch 1 is the one providing the fix for this issue.
See Resolved Issues in Cisco ISE Version 2.0.0.306—Cumulative Patch 1
Table 12 Cisco ISE Patch Version 2.0.0.306—Patch 1 Resolved Caveats
| Caveat | Description |
|---|---|
| CSCuw88770 | ISE 2.0 PEAP TLS 1.2 wireless authentication fails with Android 6 and Win 10. This issue occurred because in TLS 1.2, the mechanism of MPPE keys generation has been changed for EAP-TLS, PEAP, and EAP-TTLS. EAP-FAST is not affected. |

Symptom: Authentication reports from logs show that the authentication is successful; however, the state on the WLC of the client session is dot1x required. Wireless packet captures reveal that 4-way handshakes following EAP-success are not completing, either M1 and M2 or M1 only.

Conditions: This issue occurs when a combination of the following conditions are true:
- If you have Cisco ISE, Release 2.0 FCS version with no patch installed.
- Wireless LAN with L2 security configured for WPA2 Enterprise.
- A device with Android 6 or Windows 10 version 1511 tries to authenticate.
- Protocols used are PEAP or TTLS or EAP-TLS.

Workaround:
- For Android, none. You cannot configure TLS version from Android client or Cisco ISE.
- For Windows 10 clients, you may disable TLS 1.2 and enable TLS 1.0:
  - Create DWORD `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13\TlsVersion` and set the associated DWORD value to C0.
  - Restart EapHost service.
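The Windows 10 workaround quoted above, as an added PowerShell example that is not part of the original post or of Cisco's release notes. It reports which TLS versions the `TlsVersion` value enables, applies the `C0` setting, and removes it again once ISE 2.0 Patch 1 is installed. The function names are hypothetical, and the bit values other than `C0` come from Microsoft's EAP documentation rather than from this page.

```powershell
# Added example: inspect, apply and revert the Windows 10 workaround for CSCuw88770.
# Assumes the EAP\13 key already exists and the session is elevated.
$EapKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'

# Bit flags for TlsVersion. 0xC0 is the value given on this page; 0x300 and
# 0xC00 are from Microsoft's EAP documentation, not from the page.
$TlsFlags = [ordered]@{ 'TLS 1.0' = 0xC0; 'TLS 1.1' = 0x300; 'TLS 1.2' = 0xC00 }

function Get-EapTlsVersion {
    # Returns the configured value and the TLS versions it enables.
    $prop = Get-ItemProperty -Path $EapKey -Name TlsVersion -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Configured = $false; Value = $null; Enabled = @('OS default') }
    }
    $value = [int]$prop.TlsVersion
    $enabled = @($TlsFlags.Keys | Where-Object { ($value -band $TlsFlags[$_]) -eq $TlsFlags[$_] })
    [pscustomobject]@{ Configured = $true; Value = ('0x{0:X}' -f $value); Enabled = $enabled }
}

function Set-EapTls10Workaround {
    # Applies the workaround: TlsVersion = 0xC0 (TLS 1.0 only), then restarts EapHost.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($EapKey, 'Set TlsVersion to 0xC0')) {
        New-ItemProperty -Path $EapKey -Name TlsVersion -PropertyType DWord -Value 0xC0 -Force | Out-Null
        Restart-Service -Name EapHost -Force
    }
}

function Remove-EapTls10Workaround {
    # Deletes the override so the client returns to the OS default TLS versions.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($EapKey, 'Remove TlsVersion')) {
        Remove-ItemProperty -Path $EapKey -Name TlsVersion -ErrorAction SilentlyContinue
        Restart-Service -Name EapHost -Force
    }
}

# Read-only by default: show the current state without changing anything.
Get-EapTlsVersion
```

Running `Get-EapTlsVersion` across clients after the ISE patch is installed shows which machines are still pinned to TLS 1.0 by the workaround.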