Solved: Re: Windows 7 Machines unable to pass dot1x authentication

bongkw · ‎07-27-2017

Recently we start to get a lots of dot1x authentication failure with reasons as below, anyone know what could be the reason contributed to it ?

Authentication Details

Source Timestamp	2017-07-27 17:20:35.539
Received Timestamp	2017-07-27 17:20:35.539
Policy Server	psn02
Event	5400 Authentication failed
Failure Reason	11512 Extracted EAP-Response/NAK packet requesting to use unsupported EAP protocol; EAP-negotiation failed
Resolution	Ensure that the client's supplicant is properly configured to use an EAP protocol allowed by ISE in Allowed Protocols.
Root cause	Extracted from the RADIUS message an EAP-Response/NAK packet, rejecting the previously-proposed EAP-based protocol, and requesting to use another protocol instead, per the configuration of the client's supplicant. However, the requested EAP-based protocol is currently not supported by ISE.
Username	NPI40728B
Endpoint Id	XXXXXXXXXXX
Calling Station Id	XXXXXXXXXXX
IPv4 Address	A.A.A.A
Audit Session Id	00000000000017E699C2CF65
Authentication Method	dot1x
Service Type	Framed
Network Device	SWE221
Device Type	All Device Types#Switch
Location	All Locations#Hongkong
NAS IPv4 Address	B.B.B.B
NAS Port Id	GigabitEthernet4/33
NAS Port Type	Ethernet
Response Time	1

hslai · ‎07-27-2017

The error is similar to ACS 5.6 with PEAP-GTC: Unsupported EAP Type? | AAA, Identity and NAC | Cisco Support Community

View solution in original post

Arne Bier · ‎07-27-2017

Can you share with us your Windows 7 supplicant configuration?

Are you allowing those protocols in your Authentication Policy? It's good practice to only allow the protocols that you are expecting, and to uncheck all the others (e.g. if you don't have LEAP in your environment, then don't waste time offering it to clients, etc.)

hslai · ‎07-27-2017

The error is similar to ACS 5.6 with PEAP-GTC: Unsupported EAP Type? | AAA, Identity and NAC | Cisco Support Community