cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
39224
Views
13
Helpful
13
Replies

Windows 11 machines fail to complete EAP-TLS authentication with ISE

saleem771
Level 1
Level 1

Hi All,

We are facing issue in Windows 11 to authenticate with Cisco ISE 3.1 using EAP-TLS.  Same issue was in ISE 2.6. Then we upgraded but issue was not fixed. No any connect or posture modules are in use. Simple EAP-TLS authentication we are trying. Root and Intermediate certificates are available on Windows 11 machine. When machine tries to connect, Action Required message pop ups in windows to sign in. But sign in fails too. Surprisingly same windows 11 machines EAP-TLS authentication works fine with Aruba Clear pass but fails in Cisco ISE. Cisco TAC has advised to open case with Microsoft too. Windows 10 machines are working fine. But when we connect windows 11 machine then getting given below error,

Event5400 Authentication failed
Failure Reason12511 Unexpectedly received TLS alert message; treating as a rejection by the client
ResolutionEnsure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
Root causeWhile trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
1 Accepted Solution

Accepted Solutions

saleem771
Level 1
Level 1

This issue was basically from Windows 11 Group Policy. Which was not selecting Root and Intermediate certificates in windows 11 machines. after doing some workaround, I selected manually and it worked like a charm. 

Given below are the set of commands to enable authentication settings in windows 11,

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" /f

reg delete "HKCU\Software\Microsoft\WindowsSelfHost" /f

reg delete "HKCU\Software\Policies" /f

reg delete "HKLM\Software\Microsoft\Policies" /f

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies" /f


reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /f

reg delete "HKLM\Software\Microsoft\WindowsSelfHost" /f

reg delete "HKLM\Software\Policies" /f

reg delete "HKLM\Software\WOW6432Node\Microsoft\Policies" /f

reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies" /f

reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /f

You need to run these commands as administrator and then restart the machine. After restart manually select the root and intermediate certificates to fix the issue.

We are going to open ticket with Microsoft to get permanent fix.

 

 

 

View solution in original post

13 Replies 13

Amrut.
Level 1
Level 1

Check which edition and version of windows 11 you are trying to connect with ISE.

saleem771
Level 1
Level 1

Windows 11 Enterprise, Version 22H2, OS Build 22621.189

Amrut.
Level 1
Level 1

Provide more information about you connecting Windows to your network:

  • network type: wired or wireless?
  • authentication type: MAB, user authentication, machine authentication?
  • credentials: pre-shared key, username+password, digital certificate?
  • Share live logs on ISE.
  • the error message screen is showing on windows.

Could you try to update LAN Drivers to the latest one?

 

saleem771
Level 1
Level 1

Wired

User and Machine Authentication

Digital Certificate, username+Password

12803Extracted TLS ChangeCipherSpec message
 12804Extracted TLS Finished message
 12801Prepared TLS ChangeCipherSpec message
 12802Prepared TLS Finished message
 12816TLS handshake succeeded
 12509EAP-TLS full handshake finished successfully
 12505Prepared EAP-Request with another EAP-TLS challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 12504Extracted EAP-Response containing EAP-TLS challenge-response
 12511Unexpectedly received TLS alert message; treating as a rejection by the client
 61025Open secure connection with TLS peer
 11504Prepared EAP-Failure
 11003Returned RADIUS Access-Reject

saleem771
Level 1
Level 1

In Windows11, Action Required Signin Pops up, after clicking on signin , it tries to reauthenticate. and fails again and again.

Amrut.
Level 1
Level 1

Check the windows 11 wired configuration setting with the below article.

https://learn.microsoft.com/en-us/mem/intune/configuration/wired-network-settings-windows/

The device you tried to connect, is already connected with your domain environment or the first time you tried with this one?

 

Amrut.
Level 1
Level 1

check if there is any rule that checks the end pint OS version.

Greg Gibbs
Cisco Employee
Cisco Employee

I can confirm that there is no general issue using Win11 version 22H2 with 802.1x EAP-TLS and Cisco ISE 3.1. I tested the same using my Surface Pro and the following scenario.

  • Wired
  • Windows native supplicant configured for EAP-TLS with 'User or Computer' authentication
  • Both Computer and User certificates installed issued by the same internal CA that signed the ISE EAP certificate
  • Internal CA root chain installed in both the Computer and User certificate store
  • Supplicant configured to use certificate matching based on the internal Issuing CA

With the above setup, both the Computer and User sessions are authenticated/authorised as expected based on my AuthC/AuthZ Policies.

Example live logs:

Screenshot 2022-12-21 at 3.16.04 pm.png

Some suspicious points in the details provided earlier in this thread:

  1. It was mentioned that the authentication uses "Digital Certificate, username+Password". This is not possible; with EAP-TLS, authentication is done using the certificate attribute (e.g. Subject Common Name) as the identity based on how you have configured your Certificate Authentication Profile in ISE. It is not possible to use Username/Password with EAP-TLS. For Username/Password auth, you would need to use PEAP(MSCHAPv2).
  2. The comment "Action Required Signin Pops up" would indicate that something is either not configured properly in the supplicant, there are multiple certificates in the User store and the supplicant does not know which to use for 802.1x, or the supplicant is not finding a certificate that is valid for EAP-TLS.

For the latter, you should confirm that the User certificate meets the requirements for EAP-TLS based on the information here:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap

If you have multiple certificates in the Computer and/or User store, you should use the certificate matching option in the supplicant to define the Issuing CA for the certificate you want the supplicant to present for 802.1x. This is found in the Advanced option in the main Properties window. You should also ensure that your internal CA is selected in the Trusted Root Certificate Authorities section.

Example:

Screenshot 2022-12-21 at 3.26.44 pm.png

@greg Recommendation was spot on!

Note : If using Windows Server as your root CA double check both the User & Computer Certificates have been pushed to their respective stores and have the root CA in both user and Computer Trusted Store as Greg has put it.

Thanks Greg

saleem771
Level 1
Level 1

Thanks for detailed reply.

One thing which i noticed in your settings is that you are not connecting to any server to verify server's identity. But we are using.

Regarding Suspicious points I want to clarify,

1. Digital Certificates are being used for authentication. Username Password is for user login to machine.

2. I am attaching herewith settings of LAN Card

 

saleem771
Level 1
Level 1

This issue was basically from Windows 11 Group Policy. Which was not selecting Root and Intermediate certificates in windows 11 machines. after doing some workaround, I selected manually and it worked like a charm. 

Given below are the set of commands to enable authentication settings in windows 11,

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" /f

reg delete "HKCU\Software\Microsoft\WindowsSelfHost" /f

reg delete "HKCU\Software\Policies" /f

reg delete "HKLM\Software\Microsoft\Policies" /f

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies" /f


reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /f

reg delete "HKLM\Software\Microsoft\WindowsSelfHost" /f

reg delete "HKLM\Software\Policies" /f

reg delete "HKLM\Software\WOW6432Node\Microsoft\Policies" /f

reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies" /f

reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /f

You need to run these commands as administrator and then restart the machine. After restart manually select the root and intermediate certificates to fix the issue.

We are going to open ticket with Microsoft to get permanent fix.

 

 

 

We are running into the same issue with 11 and TLS. Did MS ever give you a permanent fix?

tadmaz
Level 1
Level 1

I thought I was having a similar problem.  Turns out Win10 and Win11 handle conflicting GPOs with multiple wireless profiles differently.  I was getting "action required" only on Win11.  Using rsop.msc, I determined that there was an empty wireless profile from a GPO that shouldn't have had a wireless profile.  There wasn't even an SSID name defined.  The empty wireless profile was #1 and my desired wireless profile was #2.  What was interesting is that Win10 somehow was seeing that wireless profile #2 for "server verification" (ISE pki cert) and when manually clicking the SSID I would not get a action required message.  Win11 when manually clicking the SSID, I would get the action required message.  What the heck.  Once I deleted the completely empty wireless profile, my desired 802.1x GPO wireless profile started working for the first time ever. I had to adjust a few things on the fly to not take down the company, such as profile name matching the SSID name, and cert selection (not server verification CA checkboxes) to checkbox the appropriate CA.  No more clicking the SSID manually to connect.