802.1X TEAP Authentication with Cisco ISE Troubleshooting

Mike Moss 5 Reputation points
2024-03-02T04:12:31.0533333+00:00

I am in the process of deploying wired network authentication using 802.1X. The tools in use are:

  • RADIUS Server: Cisco ISE
  • Supplicant: Windows 11 Native Supplicant
  • Protocols: TEAP / EAP-TLS with EAP-Chaining.
  • MS Intune

I have created a network profile, exported it, put it into MS Intune and began testing. Testing for the most part went well. A few minor things to fix, but overall it was good. I started with a small group of 5 people, then slowly expanded the testing from 5 > 20 > 50 users. All had no issues. So I began phased rollouts. Did 100 people, then a few days later, 100 more. I have almost 300 users now fully on 802.1X. Just recently problems started to arise. About 15 or so users are failing 802.1X authentication and rolling over to MAB. This is not good. All these endpoints are the same. Same hardware, same AD OUs/groups, same 802.1X settings, etc. They all have the proper machine and user certificates + Root CA. (Cert chain is good.)

It seems these endpoints stop responding to ISE / EAP authentication requests. I have a Cisco TAC support case open as well. But I think the issue is with Windows, so I don't think Cisco is going to be able to help much.

Has anyone else deployed this config and know how to troubleshoot it? I've looked at the EAP logs, Wired AutoConfig logs, etc. No help there.

Any help is appreciated.


1 answer

  1. Mike Moss 5 Reputation points
    2024-11-28T15:24:21.07+00:00

    This issue was eventually resolved. Prior to this 802.1X rollout we had Cisco AnyConnect installed on all our machines. We did push an uninstall to have this removed from all devices, but it seems even after an uninstall there are still remnants of AnyConnect installed. AnyConnect was intercepting EAP packets and thus failing the 802.1X authentication. Cisco TAC gave us an AnyConnect uninstall .exe and a command to run which removed all remaining remnants of AnyConnect. Once that was done, everything has been working great with zero issues since.

    If you previously used AnyConnect, reach out to Cisco TAC and ask them for the "PurgeNotifyObjects.exe". Run this on all machines.

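An added example, not part of the thread or of any Cisco or Microsoft tooling: a PowerShell inventory script to run on an affected Windows 11 endpoint before and after the cleanup, so you can confirm that no AnyConnect services, drivers, adapter bindings or installer entries are left behind and see what Wired AutoConfig logged during the failed EAP exchange. It assumes only that leftover components carry "AnyConnect" in their display name; no specific Cisco service or driver names are assumed.

```powershell
# Added example (not from the thread): inventory leftover AnyConnect components
# on a Windows 11 endpoint that fails TEAP/EAP-TLS, then show Wired AutoConfig state.
# Assumption: leftovers are matched by the display-name substring "AnyConnect" only;
# no specific Cisco service, driver or binding names are assumed. Run elevated.

$pattern = '*AnyConnect*'

Write-Host "== Services matching $pattern =="
Get-Service | Where-Object { $_.DisplayName -like $pattern } |
    Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize

Write-Host "== Kernel/system drivers matching $pattern =="
Get-CimInstance Win32_SystemDriver | Where-Object { $_.DisplayName -like $pattern } |
    Select-Object Name, DisplayName, State, StartMode, PathName | Format-Table -AutoSize

# A leftover filter or virtual adapter bound to the wired NIC is what can sit
# between the supplicant and the switch and swallow EAPOL/EAP frames.
Write-Host "== Hidden/visible adapters and NIC bindings matching $pattern =="
Get-NetAdapter -IncludeHidden | Where-Object { $_.InterfaceDescription -like $pattern } |
    Select-Object Name, InterfaceDescription, Status | Format-Table -AutoSize
Get-NetAdapterBinding -IncludeHidden | Where-Object { $_.DisplayName -like $pattern } |
    Select-Object Name, DisplayName, ComponentID, Enabled | Format-Table -AutoSize

Write-Host "== Installer entries still listing AnyConnect =="
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $pattern } |
    Select-Object DisplayName, DisplayVersion, UninstallString | Format-Table -AutoSize

# The native supplicant depends on the Wired AutoConfig service (dot3svc).
Write-Host "== Wired AutoConfig service and per-interface 802.1X status =="
Get-Service dot3svc | Select-Object Name, Status, StartType | Format-Table -AutoSize
netsh lan show interfaces

# Recent supplicant events: EAP timeouts here, with no matching ISE live log entry,
# point at something on the endpoint dropping frames rather than at the RADIUS side.
Write-Host "== Last 20 Wired-AutoConfig operational events =="
Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' -MaxEvents 20 `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } | Format-Table -AutoSize
```

A clean endpoint prints empty tables for every AnyConnect section; anything that still appears after the uninstall is a candidate for the TAC-supplied cleanup tool.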
