EAP-TLS wireless issue on only one windows 7 client

Capricorn
Level 1

Hi!

It may be a Windows issue, but I thought to check here if someone knows the answer.

I have been successfully running EAP-TLS with machine certificate auth for the last few months for Windows 7 and Windows 10. Two of my users reported an issue that they cannot connect to it. I can see in the ISE logs that the client is trying to connect. I can see the error like below. (I am checking it from my Chrome history)

 

Failure Reason: 12303 failed to negotiate EAP, because PEAP not allowed in 

I even tried with a manual SSID with the required parameters, but it didn't work as well.

 

Any suggestion?

8 Replies

agrissimanis
Level 1

The client is trying to use PEAP instead of EAP-TLS. This might be a timing issue, GPO not applying properly, etc. There is a list of Windows hotfixes for 802.1X environments; you might find it helpful.

What do you see in Windows event log on the affected machines? (there is one specifically for Wireless, Event Log -> Applications and Services log -> Microsoft -> Windows -> WLAN AutoConfig -> Operational)

I do see this sometimes in our environment with wired EAP-TLS. Machines at boot attempt to authenticate with PEAP for a second, I see failures in the ISE auth log, but then straight after they perform EAP-TLS auth and pass as expected.

Thanks. It looks like something only happening on Windows 7 computers. More users reported that. It works fine on Windows 10 computers.

Hi!

 

I looked into the logs and I can see Identity: NULL, as compared to my Windows 10 machine, where Identity: is my machine name.

Wireless 802.1x authentication failed.

Reason: Explicit Eap failure received
Error: 0x80420014
EAP Reason: 0x80420102
EAP Root cause String:
EAP Error: 0x80420014

I would go with the GPO not applying the profile for EAP-TLS properly on those win machines as indicated before.

 

When I DO NOT have that predefined profile on the company-owned Win 7/10 device (open network and sharing devices --> manage wireless networks --> profile with the same name as EAP-TLS SSID), the device automatically tries PEAP even though I am trying to connect to the EAP-TLS SSID.

 

Once I manually add that "profile" for EAP-TLS, problem solved.
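
An added example, not part of the thread: one way to check whether a client's wireless profile really specifies EAP-TLS, by parsing a profile exported with `netsh wlan export profile`. The sample XML, the SSID name `CORP-EAPTLS` and the function names are constructed for illustration, and the element layout is assumed to follow the standard WLAN profile schema.

```python
import xml.etree.ElementTree as ET

EAP_TYPES = {13: "EAP-TLS", 25: "PEAP"}  # IANA EAP method type numbers

# Constructed sample in the shape of a `netsh wlan export profile` file;
# the SSID name is a placeholder. This one is (wrongly) set to PEAP.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CORP-EAPTLS</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
          </EapMethod>
        </EapHostConfig></EAPConfig>
    </OneX></security></MSM>
</WLANProfile>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix


def audit_profile(xml_text, expected_type=13, expected_auth_mode="machine"):
    """Return a list of findings; an empty list means the profile matches."""
    outer_type = auth_mode = None
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        if name == "EapMethod" and outer_type is None:
            # <Type> directly under the first <EapMethod> is the outer method.
            for child in elem:
                if _local(child.tag) == "Type" and child.text:
                    outer_type = int(child.text.strip())
        elif name == "authMode" and auth_mode is None:
            auth_mode = (elem.text or "").strip()
    findings = []
    if outer_type is None:
        findings.append("no 802.1X EAP method configured")
    elif outer_type != expected_type:
        got = EAP_TYPES.get(outer_type, f"type {outer_type}")
        findings.append(f"outer EAP method is {got}, expected "
                        f"{EAP_TYPES.get(expected_type, expected_type)}")
    if auth_mode != expected_auth_mode:
        findings.append(f"authMode is {auth_mode!r}, expected {expected_auth_mode!r}")
    return findings
```

Running `audit_profile` over the exported profiles from an affected and a working machine shows whether the GPO-delivered EAP-TLS settings actually landed on the client.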

It's already set to EAP-TLS authentication. I don't see it using PEAP.

Hello Agrissimanis,

 

Apologies for crashing into this thread, but I also have a similar issue - but all with Windows 10.

When you say "This might be a timing issue, GPO not applying properly, etc" what are your timing recommendations? 

Thank you.

 

Regards,

J

Hi,
Curious to see what you found in your environment

Hi!

 

I moved away from that job, but if I recall well it started with other Windows 7 machines as well. I think it was some TLS-related thing on Windows 7. As other machines started getting the patch from Microsoft, they started having the same problem.

What I did was to create another policy for PEAP as well.