05-18-2025 10:46 AM
Environment:
Wireless Controller: Cisco 9800
RADIUS Server: Cisco ISE 3.3
Client Devices: Windows 10/11 Enterprise (Domain-joined)
SSIDs:
CORP-WiFi: Uses TEAP + EAP-TLS with EAP chaining (machine + user auth). Configured via GPO.
PersonalDevice: Intended for domain users' personal devices, using PEAP-MSCHAPv2 (user-only auth). Not configured via GPO.
Problem:
CORP-WiFi: Works as expected with EAP chaining (TEAP + EAP-TLS).
PersonalDevice: On domain-joined PCs (Windows 10/11), when manually connecting to this non-GPO SSID, the client defaults to EAP-TLS (computer authentication) instead of PEAP-MSCHAPv2.
This causes the connection to fail in Cisco ISE due to no matching authorization rule (default deny).
Non-domain devices (e.g., smartphones, personal laptops) connect successfully using PEAP-MSCHAPv2 with user credentials.
Expectation:
We want domain-joined PCs to default to PEAP-MSCHAPv2 (user auth only) when connecting to PersonalDevice, without requiring manual configuration by the end user.
Question:
Has anyone faced a similar situation or found a way to ensure that domain-joined Windows clients use PEAP-MSCHAPv2 by default for non-GPO-configured SSIDs?
05-18-2025 11:20 AM
Hi,
What is your ISE setting for "Preferred EAP Protocol" in your "Allowed Protocols"?
Policy > Policy Elements > Results > Authentication > Allowed Protocols
If nothing is selected, ISE starts with EAP-TLS.
hth
Andy
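To show why the "Preferred EAP Protocol" setting changes the outcome, here is a small simulation of the EAP method negotiation (RFC 3748 Request/Response/Nak) between an ISE-style server and two kinds of clients. This is an added example, not code from the thread, from Cisco or from Microsoft. The EAP type codes are the real IANA values (Nak 3, EAP-TLS 13, PEAP 25, TEAP 55). The client model is a deliberate simplification and an assumption: a client accepts the first proposed method it is able to run (a domain-joined PC holding a machine certificate can run EAP-TLS, a personal phone with only a username/password cannot), and otherwise answers with a Nak listing the methods it wants. The authorization rules in `authorize()` are constructed to mirror the policy described in the question (PersonalDevice permits only PEAP user auth, everything else hits the default deny).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# EAP method type codes (IANA "EAP Method Types" registry)
EAP_NAK = 3
EAP_TLS = 13
EAP_PEAP = 25
EAP_TEAP = 55
NAMES = {EAP_TLS: "EAP-TLS", EAP_PEAP: "PEAP", EAP_TEAP: "TEAP"}


@dataclass
class Server:
    """RADIUS/EAP server with an Allowed Protocols list and an optional preferred method."""
    allowed: List[int]                  # allowed EAP methods, in the server's default order
    preferred: Optional[int] = None     # "Preferred EAP Protocol"; None = nothing selected

    def proposal_order(self) -> List[int]:
        # The preferred method is proposed first; otherwise the default order is used
        # (the thread states that with nothing selected, ISE starts with EAP-TLS).
        order = list(self.allowed)
        if self.preferred in order:
            order.remove(self.preferred)
            order.insert(0, self.preferred)
        return order


@dataclass
class Client:
    """Supplicant; `supported` lists the methods it can run, most preferred first (assumed model)."""
    supported: List[int]

    def respond(self, proposed: int) -> Union[int, Tuple[int, List[int]]]:
        if proposed in self.supported:
            return proposed                      # EAP-Response of the proposed type
        return (EAP_NAK, list(self.supported))   # Nak carrying the desired types


def negotiate(server: Server, client: Client) -> Tuple[Optional[int], List[str]]:
    """Run the method negotiation; returns (agreed EAP type or None, transcript)."""
    transcript = []
    proposed = server.proposal_order()[0]
    for _ in range(len(server.allowed) + 1):
        transcript.append(f"server -> client: EAP-Request type {proposed} ({NAMES[proposed]})")
        resp = client.respond(proposed)
        if resp == proposed:
            transcript.append(f"client -> server: EAP-Response type {proposed} (accepted)")
            return proposed, transcript
        _, desired = resp
        transcript.append(f"client -> server: EAP-Response Nak, desired types {desired}")
        # Server switches to the first client-desired method it is allowed to run
        common = [d for d in desired if d in server.allowed]
        if not common:
            transcript.append("server -> client: EAP-Failure (no mutually acceptable method)")
            return None, transcript
        proposed = common[0]
    return None, transcript


def authorize(ssid: str, method: Optional[int]) -> str:
    """Constructed authorization policy mirroring the thread: no matching rule means deny."""
    rules = {("CORP-WiFi", EAP_TEAP): "PERMIT", ("PersonalDevice", EAP_PEAP): "PERMIT"}
    return rules.get((ssid, method), "DENY (default rule)")


def outcome(server: Server, client: Client, ssid: str) -> Tuple[Optional[int], str]:
    method, _ = negotiate(server, client)
    return method, authorize(ssid, method)


if __name__ == "__main__":
    ise_default = Server(allowed=[EAP_TLS, EAP_PEAP, EAP_TEAP])            # nothing selected
    ise_prefer_peap = Server(allowed=[EAP_TLS, EAP_PEAP, EAP_TEAP], preferred=EAP_PEAP)
    domain_pc = Client(supported=[EAP_TLS, EAP_PEAP])   # has a machine certificate
    phone = Client(supported=[EAP_PEAP])                 # credentials only

    for label, srv, cli in [("default / domain PC", ise_default, domain_pc),
                            ("default / phone", ise_default, phone),
                            ("preferred PEAP / domain PC", ise_prefer_peap, domain_pc)]:
        method, transcript = negotiate(srv, cli)
        print(f"== {label}: {NAMES.get(method, 'none')} -> {authorize('PersonalDevice', method)}")
        for line in transcript:
            print("   ", line)
```

With nothing selected the domain-joined PC simply accepts the server's first proposal, EAP-TLS, so it never gets to PEAP and the PersonalDevice authorization falls through to the default deny; the phone cannot do EAP-TLS, Naks, and lands on PEAP, which is exactly the working/failing split reported in the question. Setting the preferred protocol to PEAP makes the server propose PEAP first, which the domain PC also accepts.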