12-19-2022 11:42 PM
Hi All,
We are facing an issue with Windows 11 authenticating to Cisco ISE 3.1 using EAP-TLS. The same issue existed with ISE 2.6; we upgraded, but the issue was not fixed. No AnyConnect or posture modules are in use; we are trying simple EAP-TLS authentication. The Root and Intermediate certificates are available on the Windows 11 machine. When the machine tries to connect, an "Action Required" message pops up in Windows asking to sign in, but the sign-in fails too. Surprisingly, EAP-TLS authentication from the same Windows 11 machines works fine with Aruba ClearPass but fails with Cisco ISE. Cisco TAC has advised opening a case with Microsoft too. Windows 10 machines are working fine, but when we connect a Windows 11 machine we get the error given below:
Event | 5400 Authentication failed |
Failure Reason | 12511 Unexpectedly received TLS alert message; treating as a rejection by the client |
Resolution | Ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client! |
Root cause | While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment. |
01-01-2023 04:58 AM - edited 01-22-2024 12:04 AM
This issue was basically caused by Windows 11 Group Policy, which was not selecting the Root and Intermediate certificates on the Windows 11 machines. After doing some workaround, I selected them manually and it worked like a charm.
Given below is the set of commands to enable the authentication settings in Windows 11:
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" /f
reg delete "HKCU\Software\Microsoft\WindowsSelfHost" /f
reg delete "HKCU\Software\Policies" /f
reg delete "HKLM\Software\Microsoft\Policies" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /f
reg delete "HKLM\Software\Microsoft\WindowsSelfHost" /f
reg delete "HKLM\Software\Policies" /f
reg delete "HKLM\Software\WOW6432Node\Microsoft\Policies" /f
reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies" /f
reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /f
You need to run these commands as administrator and then restart the machine. After the restart, manually select the root and intermediate certificates to fix the issue.
We are going to open a ticket with Microsoft to get a permanent fix.
12-20-2022 12:07 AM
Check which edition and version of Windows 11 you are trying to connect to ISE with.
12-20-2022 01:26 AM
Windows 11 Enterprise, Version 22H2, OS Build 22621.189
12-20-2022 02:03 AM
Provide more information about how you are connecting Windows to your network:
Could you try updating the LAN drivers to the latest version?
12-20-2022 02:29 AM
Wired
User and Machine Authentication
Digital Certificate, username+Password
12803 | Extracted TLS ChangeCipherSpec message
12804 | Extracted TLS Finished message
12801 | Prepared TLS ChangeCipherSpec message
12802 | Prepared TLS Finished message
12816 | TLS handshake succeeded
12509 | EAP-TLS full handshake finished successfully
12505 | Prepared EAP-Request with another EAP-TLS challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12504 | Extracted EAP-Response containing EAP-TLS challenge-response
12511 | Unexpectedly received TLS alert message; treating as a rejection by the client
61025 | Open secure connection with TLS peer
11504 | Prepared EAP-Failure
11003 | Returned RADIUS Access-Reject
12-20-2022 02:31 AM
In Windows 11, an "Action Required" sign-in prompt pops up; after clicking sign in, it tries to reauthenticate and fails again and again.
12-20-2022 04:20 AM
Check the Windows 11 wired configuration settings against the article below.
https://learn.microsoft.com/en-us/mem/intune/configuration/wired-network-settings-windows/
Is the device you tried to connect already joined to your domain environment, or is this the first time you tried with this one?
12-20-2022 04:32 AM
Check if there is any rule that checks the endpoint OS version.
12-20-2022 08:30 PM
I can confirm that there is no general issue using Win11 version 22H2 with 802.1x EAP-TLS and Cisco ISE 3.1. I tested the same using my Surface Pro and the following scenario.
With the above setup, both the Computer and User sessions are authenticated/authorised as expected based on my AuthC/AuthZ Policies.
Example live logs:
Some suspicious points in the details provided earlier in this thread:
For the latter, you should confirm that the User certificate meets the requirements for EAP-TLS based on the information here:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap
If you have multiple certificates in the Computer and/or User store, you should use the certificate matching option in the supplicant to define the Issuing CA for the certificate you want the supplicant to present for 802.1x. This is found in the Advanced option in the main Properties window. You should also ensure that your internal CA is selected in the Trusted Root Certificate Authorities section.
Example:
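The two checks recommended in this reply (does the client trust the chain behind the ISE EAP certificate, and which client certificates are eligible for EAP-TLS) can be scripted on the Windows 11 machine. The PowerShell below is an added example written for this thread, not a script from Cisco, Microsoft or any poster. It assumes the ISE EAP server certificate has been exported to a file (the `$IseCertPath` default is a placeholder) and it uses only built-in .NET X509 classes, the `Cert:` drive and `netsh lan`. It goes one step beyond the reply by reporting, for every issuer in the chain, which of the four trust stores (machine and user, Root and CA) actually holds it, which is what a GPO that fails to push the Root and Intermediate certificates would show up as.

```powershell
# Added diagnostic for the 12511 "unexpected TLS alert" symptom; not from the thread.
# ASSUMPTION: the ISE EAP certificate was exported (DER or Base64 .cer) to this path.
param(
    [string]$IseCertPath = 'C:\temp\ise-eap-server.cer'   # placeholder path
)

# Build the ISE server certificate's chain the way the supplicant must be able to.
function Build-IseServerChain {
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # 12511 is about trust, not revocation, so revocation is left out of this check.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        Builds  = $built
        Status  = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Chain   = $chain
    }
}

# For every issuer above the leaf, report which trust stores hold it.
# Machine (computer) authentication only sees the LocalMachine stores, user
# authentication sees CurrentUser plus LocalMachine; both columns matter here.
function Test-ChainElementStores {
    param([System.Security.Cryptography.X509Certificates.X509Chain]$Chain)
    $stores = @{
        InMachineRoot = 'Cert:\LocalMachine\Root'
        InMachineCA   = 'Cert:\LocalMachine\CA'
        InUserRoot    = 'Cert:\CurrentUser\Root'
        InUserCA      = 'Cert:\CurrentUser\CA'
    }
    $Chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
        $tp  = $_.Certificate.Thumbprint
        $row = [ordered]@{ Subject = $_.Certificate.Subject }
        foreach ($name in $stores.Keys) {
            $row[$name] = [bool](Get-ChildItem $stores[$name] | Where-Object Thumbprint -eq $tp)
        }
        [pscustomobject]$row
    }
}

# Client certificates the supplicant could present: private key present and the
# Client Authentication EKU (1.3.6.1.5.5.7.3.2) required by the linked Microsoft article.
# Several hits with different issuers is the case where certificate matching on the
# issuing CA has to be configured in the supplicant's Advanced settings.
function Get-EapTlsClientCandidates {
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        Get-ChildItem $store | Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.2')
        } | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
    }
}

$result = Build-IseServerChain -Path $IseCertPath
"ISE EAP certificate: {0}`n  issued by: {1}`n  chain builds: {2}  {3}" -f `
    $result.Subject, $result.Issuer, $result.Builds, $result.Status

"`nChain issuers and the stores that hold them:"
Test-ChainElementStores -Chain $result.Chain | Format-Table -AutoSize

"`nClient certificates eligible for EAP-TLS:"
Get-EapTlsClientCandidates | Sort-Object Issuer | Format-Table -AutoSize

"`nWired 802.1X profiles as seen by the supplicant:"
netsh lan show profiles
```

Run it in an elevated session; if `Builds` is `False` with a status such as "A certificate chain processed, but terminated in a root certificate which is not trusted", or any row shows `InMachineRoot`/`InMachineCA` as `False` for the machine-authentication case, the supplicant will send the TLS alert ISE logs as 12511 no matter how the ISE side is configured. More than one candidate client certificate per store, with different issuers, points at the certificate-matching setting this reply describes.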
05-17-2024 03:19 AM
@greg Recommendation was spot on!
Note: If using Windows Server as your root CA, double check that both the User and Computer certificates have been pushed to their respective stores and that the root CA is in both the User and Computer Trusted stores, as Greg has put it.
Thanks Greg
12-20-2022 11:48 PM - edited 01-22-2024 12:04 AM
Thanks for detailed reply.
One thing I noticed in your settings is that you are not connecting to any server to verify the server's identity, but we are.
Regarding Suspicious points I want to clarify,
1. Digital certificates are being used for authentication. The username and password are for the user's login to the machine.
2. I am attaching herewith the settings of the LAN card.
06-09-2023 09:45 AM
We are running into the same issue with 11 and TLS. Did MS ever give you a permanent fix?
04-01-2023 06:08 AM
I thought I was having a similar problem. It turns out Win10 and Win11 handle conflicting GPOs with multiple wireless profiles differently. I was getting "action required" only on Win11. Using rsop.msc, I determined that there was an empty wireless profile from a GPO that shouldn't have had a wireless profile. There wasn't even an SSID name defined. The empty wireless profile was #1 and my desired wireless profile was #2. What was interesting is that Win10 somehow was seeing wireless profile #2 for "server verification" (ISE PKI cert), and when manually clicking the SSID I would not get an action required message. On Win11, when manually clicking the SSID, I would get the action required message. What the heck. Once I deleted the completely empty wireless profile, my desired 802.1x GPO wireless profile started working for the first time ever. I had to adjust a few things on the fly to not take down the company, such as the profile name matching the SSID name, and cert selection (not the server verification CA checkboxes) to checkbox the appropriate CA. No more clicking the SSID manually to connect.