Windows 10 machine PEAP-TLS authentication fails unless I do a full disconnect/reconnect

rcullum
Level 1

Have a strange problem. Customer is rolling out new Windows 10 desktops using dot1x wired machine PEAP-TLS auth. Machine authenticates the first time it's connected to the network. However, if the machine is rebooted, it won't authenticate again. It keeps failing, but after about 20 mins it will eventually authenticate OK. However, if I shut down the switchport or physically disconnect/reconnect, the desktop authenticates straight away.

1 Accepted Solution

Accepted Solutions

rcullum
Level 1

The issue was finally found to be with the client machines having more than one host certificate that could be used for authentication. Customer had pushed out additional host certs signed by another internal CA that ISE did not trust. Also, they had not tied down their supplicant to use a particular host cert.
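A quick way to spot the condition described in the accepted solution (more than one machine certificate the supplicant could present, some issued by a CA the RADIUS server does not trust) is to enumerate the computer's personal store. This PowerShell check is an added example, not something posted in the thread; the names in $TrustedIssuerCNs are placeholders for the issuing CAs your ISE deployment actually trusts.

```powershell
# Added example: list machine certificates a Windows supplicant could pick for
# EAP-TLS and flag the ambiguity described in the accepted solution.
# Assumptions: run in an elevated PowerShell on the Windows 10 client;
# $TrustedIssuerCNs holds the CNs of the issuing CAs that ISE trusts (placeholders).
$TrustedIssuerCNs = @('Corp-Issuing-CA-01')          # placeholder, adjust to your PKI
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2'              # id-kp-clientAuth EKU

function Get-EkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Return the EKU OIDs of a certificate; an empty list means "no EKU extension".
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# Candidates: private key present, currently valid, and either clientAuth EKU
# or no EKU at all (a certificate without EKU is usable for any purpose).
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $ekus = Get-EkuOids $_
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($ekus.Count -eq 0 -or $ekus -contains $ClientAuthOid)
})

$report = $candidates | ForEach-Object {
    $issuerCn = $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)
    [pscustomobject]@{
        Thumbprint         = $_.Thumbprint
        Subject            = $_.Subject
        IssuerCN           = $issuerCn
        NotAfter           = $_.NotAfter
        IssuerTrustedByISE = ($TrustedIssuerCNs -contains $issuerCn)
    }
}

$report | Format-Table -AutoSize

# The failure mode from the thread: several usable certs, at least one from a CA
# ISE does not trust, and a supplicant free to choose among them.
if ($candidates.Count -gt 1) {
    $untrusted = @($report | Where-Object { -not $_.IssuerTrustedByISE })
    Write-Warning ("{0} candidate machine certificates found; {1} issued by CAs not in the ISE trust list." -f
        $candidates.Count, $untrusted.Count)
    Write-Warning "Pin the wired 802.1X EAP-TLS profile to one issuer, or remove the extra host certificates."
}
```

Run it on a machine that shows the reboot-only failure and compare IssuerCN against the CAs configured under ISE's trusted certificates; any candidate marked IssuerTrustedByISE = False is one the supplicant may present and ISE will reject.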


2 Replies

Colby LeMaire
VIP Alumni

Turn off Radius suppression (Administration->System->Settings->Protocols->Radius). Or, if this is in production, you can bypass suppression for just this MAC address by clicking on the little target icon next to the MAC address in Live Logs and selecting to bypass suppression. That will allow you to see everything coming from the client. Go to the Radius Live Logs and filter on the Endpoint MAC address of a machine you can use to recreate. Recreate the issue. Then see what things ISE is seeing from that machine. Packet capture using a SPAN port while the machine reboots will help a lot too. You can also check the Event Viewer logs on the machine to see if there are issues with the network drivers or problems with GPOs being applied properly.
