What is the known proper resolution for this issue? I am facing the same issue. 

I'm having the same issue with 17.9.4a.
From WLC debug I see 4 login attempts (before setting clients as excluded) but from ISE Live Logs I'm seeing only one request and not the others. It seems that WLC is "caching" authentication.
Someone solved this?

Hello,

In the Windows update of November 10th, EAP was updated to support TLS 1.2. This means that during the TLS handshake, the server announces support for TLS 1.2, enabling the use of TLS 1.2.

> Here is the solution to the problem of configuring TLS version. By default, EAP must add a DWORD value to the TlsVersion registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13 The value of this registry key can be 0xC0, 0x300, or 0xC00

We are also experiencing the same issues.  Clients will lose connectivity and cannot reconnect.  Over-the-air pcaps indicate and traces " %DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (xxxx.5ba3.xxxx) with reason (Cred Fail)...".  The odd part is that ISE does not receive an AAA requests at all.  No attempts are logged in Radius Live Logs.   The AP and controller seem to be issuing the credential failure on their own.   We've had a tac case open since Nov 2023.  

Any input from the community will be much appreciated.

Hello,

Yes, the problem has been solved for me. The problem was definitely in Windows 11, possibly in some people with Windows 10 too. To solve this problem, please follow these steps:

To add EAP-TTLS 1.3 to the Windows registry, you typically need to modify registry entries related to network authentication protocols. However, please be cautious when making changes to the registry, as incorrect modifications can cause system instability or other issues. Here's a general guide on how you might proceed:

1. Open Registry Editor: Press Windows Key + R, type regedit, and press Enter to open the Registry Editor.

2. Navigate to the Correct Key: Navigate to the appropriate key for your network authentication settings. Typically, this is located at:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13

   1. Add a New Subkey: Right-click key, then select New > Key. Name this new key TTLS.

   2. Add Protocol Version: Within the TTLS key, create a new DWORD (32-bit) value. Name it Tlsversion.

   3. Set Protocol Version: Double-click on the Tlsversion value you just created and set its value data to "ofc0". This value represents EAP-TTLS version 1.3.

   4. Save Changes: Close the Registry Editor and restart your computer for the changes to take effect.

I encountered the same issue in my case. When I tested login in with my phone(Android and IOS), there were no logs on the WLC and NPS. However, when I tested with my PC, logs appeared on the NPS, but the username was incorrect. It used the host/computer name instead of the domain/username. I’m not sure if you’ve experienced a similar event.

And I found something strange. On the same day when this issue occurred, my syslog didn’t receive any logs from the Wireless LAN Controller (WLC) until today. It appears that the WLC has stopped sending logs to my syslog server

Is there any solution for this issue ?

We have the same issue. A WLC9800-L (v17.9.5) doesnt authenticate iphone client, we got these logs in WLC:

Jul 9 18:31:10.101: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (aaaa.bbbb.cccc) on Interface capwap_90000034 AuditSessionID 084114AC0003176298C38A07. Failure reason: Authc fail. Authc failure reason: Cred Fail.

Jul 9 18:31:10.101: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (aaaa.bbbb.cccc) with reason (Cred Fail) on Interface capwap_90000034 AuditSessionID 084114AC0003176298C38A07 Username: xxxxxx

WLC used to authenticate the iphone (ios 17.5.1) without problems. No logs are written on Cisco ISE nor Windows AD. A credential and mac must to be met in order to be authenticated in Cisco ISE. Only new connections from iphones (android devices work) to this SSID are having problems.

If you enable private wifi address at iphone an error log is successfuly created in Cisco ISE (which is correct), other way none logs are recorded. It seems like WLC doesnt send anything to Cisco ISE.

If someone has clue for this behavior I will appreciate it.