
ISE 2.4 - EAP-TLS Not Working - Windows 10 client

daniel.born007
Level 1

I currently have ISE 2.4 set up with 802.1X for wired authentication using PEAP with EAP-MSCHAP v2. This works great. Recently my System Admin team rolled out Credential Guard, which causes the EAP-MSCHAP to not work. I now need to do EAP-TLS, certificate based.

On Windows 10, I changed the authentication method to Microsoft: Smart Card or other certificate. Now when I plug in a laptop or desktop, the NIC instantly says Authentication Failed. Any ideas?


Mike.Cifelli
VIP Alumni
Are your ISE policies configured to support EAP-TLS?
Policy->Policy Elements->Results->Authentication->Allowed Protocols (Then assign proper profile to your policy set)
I assume you are using the native supplicant. Do the workstations have a valid certificate for authentication? Is your goal to accomplish both user & computer auth? Can you share supplicant configs as well as ISE policy sets & switchport configs?

Arne Bier
VIP

By default, Windows does not enable EAP on the wired interfaces. You have to enable this under the Windows Services (Wired AutoConfig). Once you have done that, go to the Ethernet adapter and then check the new Security tab that has appeared. Has the supplicant been provisioned?

I do have the Wired AutoConfig set, so I do see the Authentication tab. I am using the native Windows 10 supplicant. My system admins are quite sure what settings to have set and checked. I see there are 2 places to have the Smart card or certificate selected. What should the Windows settings be set to?

Thanks everyone for your help. I was missing the machine cert AND the user cert for authentication. Without those on the supplicant, it won't even initiate the process. I was able to get this going, and I have a rule as well in ISE where it attempts the EAP-TLS first, then the PEAP process. All is working fine now.
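
A client-side check for the two prerequisites this thread ends on (Wired AutoConfig running, and a machine certificate plus a user certificate on the supplicant), as an added example that is not from any poster in the thread. It assumes the PKI issues client certificates with the Client Authentication EKU; the helper name `Get-EapTlsCandidateCert` is hypothetical.

```powershell
# Added example: verify EAP-TLS prerequisites on a Windows 10 wired client.
# Assumption: client certificates carry the Client Authentication EKU.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-EapTlsCandidateCert {     # hypothetical helper name
    param([Parameter(Mandatory)][string]$StorePath)
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        # EnhancedKeyUsageList is empty when the cert has no EKU extension
        $ekus = @($_.EnhancedKeyUsageList.ObjectId)
        [pscustomobject]@{
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey
            InValidity    = ($_.NotBefore -le $now -and $_.NotAfter -ge $now)
            ClientAuthEku = ($ekus -contains $ClientAuthOid)
        }
    }
}

# 1. Wired AutoConfig (service name dot3svc) must be running, or the
#    adapter never shows the Authentication tab and never starts 802.1X.
$svc = Get-Service -Name dot3svc
'Wired AutoConfig: status={0}, startup={1}' -f $svc.Status, $svc.StartType

# 2. Computer authentication uses the machine store, user authentication
#    uses the logged-on user's store. Check both.
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    $all    = @(Get-EapTlsCandidateCert -StorePath $store)
    $usable = @($all | Where-Object {
        $_.HasPrivateKey -and $_.InValidity -and $_.ClientAuthEku
    })
    if ($usable.Count -eq 0) {
        Write-Warning "$store : no usable client-auth certificate ($($all.Count) present)"
        $all | Format-Table Subject, NotAfter, HasPrivateKey, InValidity, ClientAuthEku -AutoSize
    } else {
        "$store : $($usable.Count) usable certificate(s)"
        $usable | Format-Table Subject, Issuer, NotAfter -AutoSize
    }
}
```

Run it in the logged-on user's session so that `Cert:\CurrentUser\My` is that user's store. It does not check that ISE trusts the issuing CA.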