
Windows OS cannot connect to the SSID configured with 802.1x

mostafashoaei
Level 1

Hi guys,

I have ISE 2.1 and I didn't have any problem with wired connections, but when I set up wireless connections and configured 802.1x on the access points, I realized that Windows OS cannot connect to the access points, while Android and iOS can connect to them easily.

Moreover, I installed Cisco AnyConnect (NAM) on Windows and made an appropriate profile, and finally Windows connected to the access point easily.

However, my company doesn't have any policy to install Cisco AnyConnect, because we have many guests who will bring their laptops and we can install it on each of them, so I am forced to fix this problem as soon as possible.

When I wanted to connect to the SSID, I selected it and it showed the username and password. I entered the username and password correctly and then Windows OS tried to connect to the SSID; after a few moments it couldn't connect to the SSID. When I checked the RADIUS live logs they showed "Authentication succeeded", but Windows OS gave the error: "can't connect to the network".

I tested it on many OS versions, such as Windows 10, 8 and 7, and all of them gave the same error.

I tested a TP-Link AP and configured it with WPA/WPA2 - Enterprise; it works very well for Android and iOS devices, but for Windows it doesn't work.

I thought this problem was related to the access point, so I configured a MikroTik wireless device in AP-bridge mode, with the RADIUS settings on the MikroTik as well, and I have the same problem: Windows OS cannot connect without an agent such as Cisco AnyConnect (NAM).

I demand you help me please.

Thanks for your time,

MSH,

8 Replies

jan.nielsen
Level 7

Make sure you are not using a wildcard certificate on ISE, Windows does not like that.

Jan

Hi dear Jan,

Can you tell me what to do for that?

Thanks for your answer,

Use a non wildcard certificate on ISE for your EAP protocols.

I didn't use any wildcard certificate on ISE for EAP or anything else. I even separated the certificates: I signed one certificate for Admin and another one for EAP, but it still doesn't work.

Please help me, I got caught up.

Thanks for your attention.

 

So are you trying to use PEAP for this, i.e. username and password?

Is the certificate on ISE issued by a public CA?

What steps have you taken to configure the Windows supplicant?

When I tried again it gave these errors:

1-

Failure Reason: 5440 Endpoint abandoned EAP session and started new

Resolution: Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.

Root cause: Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.

2-

Failure Reason: 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

Resolution: Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.

Root cause: PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

Thanks a lot Jan

Hi,


It seems Windows is not trusting the ISE certificate and is thus failing the TLS handshake.

Could you check the following document and make sure the client is configured properly and has the CA certificate installed?

https://supportforums.cisco.com/document/68096/peap-authentication-configuration-example-windows-7

Thanks & Regards,

Kush
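
A client-side check for the two causes raised in the replies above (a wildcard name on the ISE certificate, and a signing CA the Windows client does not trust), as an added example that is not part of the original thread. It assumes the ISE EAP certificate has already been exported to a file; the path is a placeholder.

```powershell
# Added example. Run on the affected Windows client.
# $CertPath is an assumed location of the ISE EAP certificate, exported
# beforehand as a .cer/.pem file; it is not a value from the thread.
param([string]$CertPath = 'C:\Temp\ise-eap.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Collect the subject CN and any Subject Alternative Name entries (OID 2.5.29.17).
$names = @($cert.GetNameInfo('SimpleName', $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $names += $san.Format($false) -split ',\s*' }

# A wildcard name is the first thing the replies ask to rule out.
$wildcard = @($names | Where-Object { $_ -match '\*' })

# Build the chain against this machine's certificate stores. Revocation is
# skipped because the client has no network access before it authenticates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)
$status = @($chain.ChainStatus | ForEach-Object { $_.Status })

# Last element is the highest certificate Windows could find for this chain.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    Subject        = $cert.Subject
    Issuer         = $cert.Issuer
    NotAfter       = $cert.NotAfter
    Names          = $names -join '; '
    HasWildcard    = ($wildcard.Count -gt 0)
    ChainTrusted   = $trusted
    ChainStatus    = if ($status) { $status -join ', ' } else { 'NoError' }
    TopOfChain     = $top.Subject
    TopThumbprint  = $top.Thumbprint
} | Format-List
```

A `ChainStatus` of `UntrustedRoot` or `PartialChain` means the signing CA is missing from the client's certificate stores, which is the condition the 12321 resolution text asks you to check.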

Hi dear Kushsriva,

I hope you are doing well.

First:

The reason I think this is a bug is that I installed a new version of ISE (2.2) and tried it, and finally it's OK.

Second:

I ran reset-application on the previous version (2.0.x) until it had the problem and gave me the error below:

Event: 5440 Endpoint abandoned EAP session and started new

Failure Reason: 5440 Endpoint abandoned EAP session and started new

Resolution: Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.

Root cause: Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.

==========================================================

I can't change the version; I have to use the current version (2.0).

Please help,

Thanks a lot,
