03-11-2018 07:57 AM - edited 02-21-2020 10:48 AM
Hi!
It may be a Windows issue, but I thought I'd check here in case someone knows the answer.
I have been successfully running EAP-TLS with machine certificate auth for the last few months for Windows 7 and Windows 10. Two of my users reported that they cannot connect to it. I can see in the ISE logs that the client is trying to connect. I can see an error like the one below. (I am checking it from my Chrome history.)
Failure Reason: 12303 failed to negotiate EAP, because PEAP not allowed in
I even tried a manual SSID with the required parameters, but it didn't work either.
Any suggestion?
03-11-2018 11:20 AM - edited 03-11-2018 11:30 AM
The client is trying to use PEAP instead of EAP-TLS. This might be a timing issue, GPO not applying properly, etc. There is a list of Windows hotfixes for 802.1X environments; you might find it helpful.
What do you see in Windows event log on the affected machines? (there is one specifically for Wireless, Event Log -> Applications and Services log -> Microsoft -> Windows -> WLAN AutoConfig -> Operational)
I do see this sometimes in our environment with wired EAP-TLS. Machines at boot attempt to authenticate with PEAP for a second, I see failures in the ISE auth log, but then straight after they perform EAP-TLS auth and pass as expected.
03-12-2018 07:20 AM
Thanks. It looks like something only happening on Windows 7 computers. More users reported that. It works fine on Windows 10 computers.
03-12-2018 07:39 AM
Hi!
I looked into the logs and I can see Identity: NULL, whereas on my Windows 10 machine the Identity: is my machine name.
Wireless 802.1x authentication failed.
Reason: Explicit Eap failure received
Error: 0x80420014
EAP Reason: 0x80420102
EAP Root cause String:
EAP Error: 0x80420014
03-12-2018 01:45 PM - edited 03-12-2018 01:45 PM
I would go with the GPO not applying the profile for EAP-TLS properly on those win machines as indicated before.
When I DO NOT have that predefined profile on the company-owned Win 7/10 device (open network and sharing devices -> manage wireless networks -> profile with the same name as EAP-TLS SSID), the device automatically tries PEAP even though I am trying to connect to the EAP-TLS SSID.
Once I manually add that "profile" for EAP-TLS, problem solved.
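Added example, not part of any post in this thread: one way to confirm which EAP method a client's saved profile will offer, by reading the profile XML that `netsh wlan export profile` writes. The profile name `CORP-EAPTLS`, the sample XML, and the function name `Get-WlanEapSummary` are assumptions made for illustration. EAP type 13 is EAP-TLS and 25 is PEAP.

```powershell
# Constructed, trimmed sample of an exported WLAN profile (not from the thread).
# On a real client, export the profile first, for example:
#   netsh wlan export profile name="<profile name>" folder=C:\Temp
$sampleProfile = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CORP-EAPTLS</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
          </EapMethod>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
'@

# Hypothetical helper: summarises the 802.1X settings of one profile XML string.
function Get-WlanEapSummary {
    param([Parameter(Mandatory)][string]$ProfileXml)
    $doc = [xml]$ProfileXml
    # local-name() matches elements regardless of the namespaces the profile mixes.
    $text = {
        param($xpath)
        $node = $doc.SelectSingleNode($xpath)
        if ($node) { $node.InnerText.Trim() } else { $null }
    }
    $eapNames = @{ '13' = 'EAP-TLS'; '25' = 'PEAP' }   # IANA EAP method types
    $type = & $text "//*[local-name()='EapMethod']/*[local-name()='Type']"
    [pscustomobject]@{
        Profile       = & $text "/*[local-name()='WLANProfile']/*[local-name()='name']"
        UseOneX       = & $text "//*[local-name()='useOneX']"
        AuthMode      = & $text "//*[local-name()='authMode']"
        EapType       = $type
        EapMethod     = if ($eapNames.ContainsKey("$type")) { $eapNames["$type"] } else { 'other/none' }
        OffersEapTls  = ($type -eq '13')
    }
}

Get-WlanEapSummary -ProfileXml $sampleProfile | Format-List
```

For the constructed sample, `EapMethod` is `PEAP` and `OffersEapTls` is `False`, which is the client-side condition that an ISE policy allowing only EAP-TLS rejects with failure 12303.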
03-14-2018 05:51 AM
It's already set to EAP-TLS authentication. I don't see it using PEAP.
08-02-2018 12:21 AM
Hello Agrissimanis,
Apologies for crashing into this thread, but I also have a similar issue - but all with Windows 10.
When you say "This might be a timing issue, GPO not applying properly, etc" what are your timing recommendations?
Thank you.
Regards,
J
06-05-2019 12:33 AM
06-05-2019 01:18 AM
Hi!
I moved away from that job, but if I recall correctly it started on other Windows 7 machines as well. I think it was some TLS-related thing on Windows 7. As other machines started getting the patch from Microsoft, they started having the same problem.
What I did was to create another policy for PEAP as well.