During the EAP-TLS authentication process with ISE, we encountered an error indicating that authentication had failed. Because of this, we could not deploy a network access solution for the organization, as it relies on Cisco ISE for that. In this post, we are going to see what to do when Windows machines fail to complete EAP-TLS authentication with ISE.
Event 5400 Authentication failed.
Fix Windows 11 machines fail to complete EAP-TLS authentication with ISE
If Windows machines fail to complete EAP-TLS authentication with ISE and show the Event 5400 Authentication failed error, follow the solutions mentioned below.
- Delete registry entries
- Update your certificate validation behavior
- Contact Microsoft Support
Let us discuss them in detail.
Fix Event 5400 Authentication failed error
1] Delete registry entries
Usually, this issue occurs because your Group Policy is not selecting the Root and Intermediate certificates. To resolve it, we need to delete a few registry entries. However, before doing that, you should take a backup of the registry entries. Once done, open the Command Prompt as an administrator and then run the following commands.
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" /f
reg delete "HKCU\Software\Microsoft\WindowsSelfHost" /f
reg delete "HKCU\Software\Policies" /f
reg delete "HKLM\Software\Microsoft\Policies" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /f
reg delete "HKLM\Software\Microsoft\WindowsSelfHost" /f
reg delete "HKLM\Software\Policies" /f
reg delete "HKLM\Software\WOW6432Node\Microsoft\Policies" /f
reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies" /f
reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /f
Note: You might get a few messages saying “ERROR: The system was unable to find the specified registry key or value” – just ignore them.
Once you’ve done this, reboot the computer. After a reboot, select the root and intermediate certificates.
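The backup step mentioned in this solution, as an added example that is not part of the original post: a PowerShell script that exports each of the keys listed above to its own .reg file, to be run from an elevated session before the reg delete commands. The backup folder under the user profile is an assumed location.

```powershell
# Added example: export the policy keys listed in this post before deleting them.
# Run from an elevated PowerShell session. $BackupDir is an assumed location.
$BackupDir = Join-Path $env:USERPROFILE ('RegBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Same keys, in the same order, as the reg delete commands in the post.
$Keys = @(
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
    'HKCU\Software\Microsoft\WindowsSelfHost'
    'HKCU\Software\Policies'
    'HKLM\Software\Microsoft\Policies'
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies'
    'HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate'
    'HKLM\Software\Microsoft\WindowsSelfHost'
    'HKLM\Software\Policies'
    'HKLM\Software\WOW6432Node\Microsoft\Policies'
    'HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies'
    'HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate'
)

$Saved = foreach ($Key in $Keys) {
    # Turn "HKLM\..." into the provider path "HKLM:\..." so Test-Path can check it.
    $PsPath = $Key -replace '^(HKCU|HKLM)\\', '$1:\'
    if (-not (Test-Path -LiteralPath $PsPath)) {
        Write-Host "Not present, nothing to back up: $Key"
        continue
    }

    # One .reg file per key, named after the key path.
    $File = Join-Path $BackupDir (($Key -replace '\\', '_') + '.reg')
    & reg.exe export $Key $File /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg export failed for $Key; do not delete it yet."
    }
    $File
}

"Exported $(@($Saved).Count) of $($Keys.Count) keys to $BackupDir"
```

A saved file can be restored with reg import followed by the file path. These keys hold the policy settings applied to the machine and the user, so the exports also let you compare what was in place before the deletion.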
2] Update your certificate validation behavior
In earlier versions of Windows, including Windows 10, the server certificate validation logic differed across various EAP methods. In Windows 11, Microsoft has standardized this logic to ensure consistent and predictable behavior that aligns with the WPA3-Enterprise specification. This new approach applies to all EAP authentication methods provided by Windows, including those used for Wi-Fi, Ethernet, and VPN connections. Since we are experiencing issues with EAP-TLS and TLS 1.3, we need to ensure that the RADIUS server is patched and up to date, or we should consider disabling TLS 1.3 on the server. Additionally, ensure that the root and intermediate certificates used by the ISE server are trusted by the Windows 11 client.
3] Contact Microsoft Support
If all else fails, we recommend you contact Microsoft Support. For this, you can go to support.microsoft.com and sign in to your account. Then, you can raise a ticket, discuss your issue, and hopefully, you will receive a solution.
Hopefully, you can resolve the issue using the solutions mentioned in this post.
How do I enable EAP TLS session resume for ISE?
In order to enable TLS Session Resume for EAP-TLS, you need to go to Administration > System > Settings > Protocol > EAP-TLS. Now, you need to tick the checkbox that says Enable EAP TLS Session Resume and then enter the required value in the field for EAP TLS Session Timeout.
What is EAP in ISE?
In the Cisco Identity Services Engine (ISE), EAP, or Extensible Authentication Protocol, provides secure authentication for devices trying to connect to the network. EAP is a framework that supports multiple authentication methods, allowing flexibility in how devices and users are authenticated.