
802.1X EAP-TLS


Hello everyone,


I am currently in the process of rolling out Dot1x in a small classified network. The network has the following:


(12) Windows 10 Machines using native supplicant software

(1) Cisco C9300 acting as the authenticator

(1) Cisco ISE acting as the authentication Server using AD for credentials


I configured certificate auto-enrollment for machines and users in AD and it is working fine; all machines as well as users are able to get their certificate to authenticate with EAP-TLS. Everything was working fine until I had to switch around 3 machines to different switchports. Out of the 3 machines that I switched around, only 1 can still authenticate. The other two no longer can.


I am thinking this might have something to do with the MAC address table, DHCP or something like that. Has anyone had this issue before? Any help will be appreciated!




7 Replies


What do you see in the logs on the switch and ISE?


***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I will take a look at the ISE and switch logs tomorrow and post them here. Currently stuck at home with the snow storm (NY).



I reviewed the ISE logs and the workstation is being rejected with the reason that "the workstation abandoned the EAP session and started a new one." Any idea why this happens?



That issue is most often due to supplicant configuration issues. It can be difficult to troubleshoot due to there being so many potential variables in endpoint configurations. I'd start with verifying the various settings under the supplicant configuration (security tab of the network adapter properties). You didn't mention how you pushed out the configurations - was it via GPO, or did you set them manually?



The supplicant configurations are pushed via GPO. So the workstation having the issues has the same configuration as the rest of the machines. 

GPO should standardize the supplicant config.

Is it a wired or wireless adapter? I have seen driver issues with wireless sometimes cause this. Less often is that the case with wired.
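Two replies above ask for the same thing: the logs on the switch and ISE, and a check of the supplicant settings on the affected workstation. The script below is an added example for the workstation side and is not code posted in this thread. It assumes the affected wired adapter is named "Ethernet" (adjust `$AdapterName`), that the machine certificate came from the AD auto-enrollment described in the original post, and that it is run in an elevated PowerShell on the Windows 10 machine that is being rejected. It checks the things the native supplicant needs for EAP-TLS to complete: the Wired AutoConfig service, the applied wired profile, a valid machine certificate with a private key and the Client Authentication EKU, and the recent supplicant event log entries.

```powershell
# Added example (not from the thread). Run elevated on the affected Windows 10 workstation.
# Assumption: the wired NIC is called "Ethernet"; change this to match the machine.
$AdapterName = 'Ethernet'

# 1. The native wired supplicant is the Wired AutoConfig service (dot3svc).
#    If it is not running, the port will never see an EAPOL-Start from this host.
$svc = Get-Service -Name dot3svc
"dot3svc status: $($svc.Status) (StartType: $($svc.StartType))"

# 2. Current 802.1X state per adapter, and the wired profile the GPO applied to this NIC.
#    Compare the profile (EAP type, server validation, trusted root CA) with a working machine.
netsh lan show interfaces
netsh lan show profiles interface="$AdapterName"

# 3. A machine certificate usable for EAP-TLS must be in LocalMachine\My, have a private key,
#    carry the Client Authentication EKU (1.3.6.1.5.5.7.3.2) and be within its validity period.
$now   = Get-Date
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
}
if (-not $certs) {
    Write-Warning 'No valid machine certificate with a private key and Client Authentication EKU found.'
} else {
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
}

# 4. The ISE-issued server certificate must chain to a CA this machine trusts, or the
#    supplicant aborts the TLS handshake. List the trusted roots so the issuer can be checked
#    against the CA selected in the wired profile's server-validation settings.
Get-ChildItem Cert:\LocalMachine\Root |
    Select-Object Subject, NotAfter, Thumbprint | Sort-Object Subject | Format-Table -AutoSize

# 5. Most recent supplicant events; a client that keeps restarting EAP leaves its reasons here.
Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

On the switch side, the matching checks on the port the machine was moved to are `show authentication sessions interface <port> details` and `show dot1x interface <port> details`; if an earlier session from the previous host on that port is still held, `clear authentication sessions interface <port>` forces a fresh authentication. A rejection logged by ISE as the endpoint abandoning the EAP session and starting a new one is usually the client giving up on the TLS handshake rather than ISE rejecting the certificate, so the server-validation settings in the wired profile and the trusted root CA selected there are the first things to compare against a machine that still works.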


