It may be a Windows issue, but I thought to check here if someone knows the answers.
I have been successfully running EAP-TLS with machine certificate auth for the last few months for Windows 7 and Windows 10. Two of my users reported an issue that they cannot connect to it. I can see in the ISE logs that the client is trying to connect. I can see the error like below. (I am checking it from my Chrome history.)
Failure Reason: 12303 failed to negotiate EAP, because PEAP not allowed in
I even tried a manual SSID with the required parameters, but it didn't work as well.
The client is trying to use PEAP instead of EAP-TLS. This might be a timing issue, GPO not applying properly, etc. There is a list of Windows hotfixes for 802.1X environments; you might find it helpful.
What do you see in Windows event log on the affected machines? (there is one specifically for Wireless, Event Log -> Applications and Services log -> Microsoft -> Windows -> WLAN AutoConfig -> Operational)
I do see this sometimes in our environment with wired EAP-TLS. Machines at boot attempt to authenticate with PEAP for a second, I see failures in the ISE auth log, but then straight after they perform EAP-TLS auth and pass as expected.
Thanks. It looks like something only happening on Windows 7 computers. More users reported that. It works fine on Windows 10 computers.
I looked into the logs and I can see that Identity: NULL, as compared to my Windows 10 machine, where Identity: on my machine is my machine name.
Wireless 802.1x authentication failed.
Reason: Explicit Eap failure received
EAP Reason: 0x80420102
EAP Root cause String:
EAP Error: 0x80420014
I would go with the GPO not applying the profile for EAP-TLS properly on those Windows machines, as indicated before.
When I DO NOT have that predefined profile on the company-owned Win 7/10 device (Open Network and Sharing ---> Manage wireless networks ---> profile with the same name as the EAP-TLS SSID), the device automatically tries PEAP even though I am trying to connect to the EAP-TLS SSID.
Once I manually add that "profile" for EAP-TLS, problem solved.
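A check for the missing-profile case described in this post, added here as an example and not something posted in the thread: it assumes PowerShell on the affected client, a placeholder SSID name, the standard layout of a profile exported by netsh wlan, and the WLAN-AutoConfig Operational log named above.

```powershell
# Added example (not from the thread). Reports whether the wireless profile for an SSID
# exists and which EAP method it carries (EAP type 13 = EAP-TLS, 25 = PEAP), whether a
# machine certificate usable for client authentication is present, and recent
# "802.1x authentication failed" events from the WLAN-AutoConfig Operational log.
param([string]$Ssid = 'CORP-EAP-TLS')   # placeholder SSID, replace with the real one

$eapNames = @{ '13' = 'EAP-TLS'; '25' = 'PEAP'; '21' = 'EAP-TTLS' }

# 1. Export the profile; no export file means Windows has no profile for this SSID
#    and will fall back to its default 802.1X settings (PEAP) when a user connects.
$tmp = Join-Path $env:TEMP 'wlan-profile-check'
New-Item -ItemType Directory -Force -Path $tmp | Out-Null
Remove-Item (Join-Path $tmp '*.xml') -ErrorAction SilentlyContinue
netsh wlan export profile name="$Ssid" folder="$tmp" | Out-Null
$xmlFile = Get-ChildItem $tmp -Filter '*.xml' | Select-Object -First 1
if (-not $xmlFile) {
    Write-Warning "No wireless profile named '$Ssid' on this machine (GPO profile not applied?)."
} else {
    [xml]$profile = Get-Content $xmlFile.FullName
    # local-name() sidesteps the several XML namespaces used inside the exported profile
    $type     = $profile.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']").InnerText
    $authMode = $profile.SelectSingleNode("//*[local-name()='authMode']").InnerText
    $label = if ($eapNames.ContainsKey($type)) { $eapNames[$type] } else { "unknown EAP type $type" }
    "Profile '$Ssid': EAP method $label (type $type), authMode $authMode"
    if ($type -ne '13') { Write-Warning "Profile is not configured for EAP-TLS; client will offer $label." }
    if ($authMode -ne 'machineOnly' -and $authMode -ne 'machineOrUser') {
        Write-Warning "authMode '$authMode' does not use the machine identity (expect Identity: NULL at boot)."
    }
}

# 2. EAP-TLS with machine auth needs a machine cert with the Client Authentication EKU.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid) }
if ($certs) { "Machine certs with Client Authentication EKU: " + (($certs | ForEach-Object Subject) -join '; ') }
else        { Write-Warning 'No machine certificate with Client Authentication EKU and a private key found.' }

# 3. Recent 802.1X failures, with the Reason / EAP Reason / EAP Error lines the thread quotes.
$log = 'Microsoft-Windows-WLAN-AutoConfig/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '802\.1x authentication failed' } |
    Select-Object -First 5 |
    ForEach-Object {
        $lines = $_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*(Reason|EAP Reason|EAP Error):' }
        '{0}  {1}' -f $_.TimeCreated, (($lines | ForEach-Object Trim) -join '; ')
    }
```

Run it elevated on a failing Windows 7/10 client and on a working one; a missing profile or a non-13 EAP type on the failing client matches the PEAP fallback this post describes.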
Apologies for crashing into this thread, but I also have a similar issue, although all with Windows 10.
When you say "This might be a timing issue, GPO not applying properly, etc.", what are your timing recommendations?
I moved away from that job, but if I recall well it started with other Windows 7 machines as well. I think it was some TLS-related thing on Windows 7. As other machines started getting the patch from Microsoft, they started with the same problem.
What I did was to create another policy for PEAP as well.