
Security Policy-Access Mobility Express

tandemike
Level 1

 

I have configured my ISE running version 2.6 to authenticate wireless clients. Users coming in from Android, Apple and Linux machines can authenticate correctly and have access to the network, but with regards to Windows clients this is not possible. This comes as error 5400, and I googled the error from other forums and it was pointing to a certificate issue. So I had to manually accept the certificate on my Windows test machine in Windows and sharing centre and it worked perfectly. Now the question is, I have thousands of users and I can't go one after another to update. If I use a supplicant like AnyConnect it works fine. Do we have another route other than the ones mentioned above to solve this issue?

 

3 Replies

patoberli
VIP Alumni
Normally, if the user makes a fresh connection to the SSID (assuming you are talking about wireless), they get asked if the certificate is correct, and if they agree to that, they have wireless access. This is completely normal on Windows and SSIDs with certificate authentication. The only way around that is to have managed devices and push the wireless configuration via Group Policy, including the certificate.

The idea about showing and accepting the certificate is to avoid man in the middle attacks. Only if the correct certificate (thumbprint) is shown, the user should connect.
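An added example, not part of the reply above: a check that a Windows PEAP profile pins the RADIUS server certificate before it is pushed to managed devices. The element names follow the Windows PEAP profile schema; the XML is a constructed, trimmed fragment, and the thumbprint and server name are placeholders.

```python
import xml.etree.ElementTree as ET

PEAP_NS = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"

def sample_eap_type(prompt_disabled, server_names, root_thumbprint):
    """Constructed, trimmed <EapType> fragment; not a full exported profile."""
    return (
        f'<EapType xmlns="{PEAP_NS}"><ServerValidation>'
        f"<DisableUserPromptForServerValidation>{prompt_disabled}"
        f"</DisableUserPromptForServerValidation>"
        f"<ServerNames>{server_names}</ServerNames>"
        f"<TrustedRootCA>{root_thumbprint}</TrustedRootCA>"
        f"</ServerValidation></EapType>"
    )

# Constructed values: placeholder thumbprint and a hypothetical server name.
PINNED = sample_eap_type(
    "true", "ise.example.test",
    "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33")
PROMPTING = sample_eap_type("false", "", "")

def local(tag):
    """Strip the XML namespace so nested EAP namespaces do not matter."""
    return tag.rsplit("}", 1)[-1]

def audit_peap_profile(xml_text):
    """Return a list of findings; an empty list means the server is pinned."""
    root = ET.fromstring(xml_text)
    sv = next((e for e in root.iter() if local(e.tag) == "ServerValidation"), None)
    if sv is None:
        return ["no ServerValidation element"]
    values = {}
    for child in sv:
        values.setdefault(local(child.tag), []).append((child.text or "").strip())
    findings = []
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no TrustedRootCA pinned")
    if not any(values.get("ServerNames", [])):
        findings.append("no ServerNames restriction")
    prompt = [v.lower() for v in values.get("DisableUserPromptForServerValidation", [])]
    if "true" not in prompt:
        findings.append("user prompt for unknown server certificates still enabled")
    return findings

if __name__ == "__main__":
    for name, xml_text in (("pinned", PINNED), ("prompting", PROMPTING)):
        print(name, audit_peap_profile(xml_text) or "ok")
```

A profile with no findings trusts only the named server under the pinned root and never asks the user to accept an unknown certificate, which is the behaviour the certificate prompt is meant to protect.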

Hi patoberli


Through further digging I found out that the problem between ISE and CIS server (LDAP) is not supporting PEAP and MSCHAPv2. Any workaround on this?

I don't know the product CIS and haven't used ISE so far for wireless.
Make sure that TLS 1.0 is enabled though; some modern RADIUS servers might have that disabled, but at least for Windows 7 and some OS X clients this is required when using PEAP with MSCHAPv2.