cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1356
Views
2
Helpful
13
Replies

Windows 10 and Windows 11 clients cancelled to connect WiFi

dijix1990
VIP
VIP

Hi, recently I bumped into problem, laptops with windows 10 and 11 that cancelled to connect WiFi. 

I have ISE 3.1 with connection to Windows AD and from ISE I can see this error.

Failure Reason 12511 Unexpectedly received TLS alert message; treating as a rejection by the client
Resolution Ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!

 

13 Replies 13

marce1000
VIP
VIP

 

                   - FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuh22029

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

klnnnnng
Level 1
Level 1

Hello,

so you are using EAP-TLS and the client has a valid Root Cert to validate the ISE EAP Authetication certificate?

Regards

 

yeah, some of my byod devices doesn't have root certificate but it works. For clients which have the problem I tried to install my root cert to "trusted root certification authorities" it didn't help btw. I found that enable hyper-v can help and it's strange but it help. So maybe my ISE certificate for eap doesn't match with windows clients because of bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuh22029? but I don't have CN which start from *. Maybe you know can I sent root certitficate to byod or I need install it always manually?

If you expect to join unmanaged devices which don't have your private enterprise certs installed there really is no good solution - you need to use public certificates which the devices will already trust by default.

Make sure your software is up to date as per TAC recommended link below.

Make sure the wireless client drivers on the Windows PCs are up to date - especially if they're Intel (but same applies to all vendors) because the Intel drivers had some major bugs in earlier releases.
https://www.intel.com/content/www/us/en/download/19351/windows-10-and-windows-11-wi-fi-drivers-for-intel-wireless-adapters.html

Yes I know it, but why after instaling my root certificate manually I can't connect and get the same error?

Did you make sure the drivers and OS were fully updated?

Assuming you did, then you'll just have to debug it on the client.  If you were testing on Windows then remember Windows has a user cert store (which only applies to the logged in user) and a machine cert store (which applies to all users).  If you installed the cert in a user cert store then no other user will be able to access that cert.  The cert needs to be installed in the machine cert store.  I'm not familiar with how other OS handle it but they might have something similar.

of cource my root cert placed on machine cert store as trusted root certification authorities

Are you telling the supplicant in the wireless profile to use the user/machine certificate which is issued by your internal CA? If not, Windows uses the first certificate so maybe not presenting the proper one to the RADIUS server.

Didn't know about it (about BYOD), for domain users it happens automatically. I will try to configure right certificate manually tomorrow

klnnnnng
Level 1
Level 1

Maybe you can check if the wireless profiles (see screenshot) are configured the same way or try disabling the validation for testing purposes.

dijix1990
VIP
VIP

Maybe I found the problem, one of my "Policy Service, pxGrid" Node has expired cert, I tried to generate CSR, but couldn't export it -  becuase of error "The CSR could not be found."

<smile> step number one if you get certificate errors: check that all the certificates are, in fact, still valid.
It's best practice to track all of your certificate expiry dates and make sure you start preparing for cert update 1 month before the cert expires.  How you do that tracking is up to you.  Some public CAs will send you reminders but otherwise you need you own system for alerting you when certs are due to expire.

It left from my colleague, so I found when I managed to see which certificate gets client and it was expired. I have two PAN and two PSN and one PAN with expired cert. now PAN it out of sync because of certificate. Maybe you know second PAN node must get master role after expiring certificate? or I need to do it manually? and second question Can I unbind expired certificate? or just choose valid certificate in ISE?

Review Cisco Networking for a $25 gift card