Windows 7 PRO EAP-TLS "Unknown CA" (Wired)
I have a test setup with a Cisco switch with 802.1x enabled, a Radius server (Radiator), a Microsoft CA and a Windows 7 client. When we use a non-trusted certificate on the Windows client, the port does not get set on the restricted VLAN configured on the switch.

The network traffic revealed some interesting stuff. I think the problem is located between the PC and the switch.

With an untrusted certificate, the switch sends the "Fatal alert Unknown CA". The client responds with an "Encrypted alert" (EAP-TLS Response with flags 0x80). The switch does not see or understand this packet and resends the "Fatal alert Unknown CA" packet. The switch times out and sends the EAP-TLS failure to the client, and immediately requests the identity of the client again, to which the client does not respond. After the "Auth Period" expires on the client, the client sends back an EAPOL-Start message, or, if the "Auth Period" is larger, the client gets a 169.x.x.x IP address; EAPOL-Start is not sent in this case.

With a revoked certificate, the switch sends a "Fatal Alert Certificate revoked", the client sends back an EAP-TLS Response (flags 0x0), and the switch sends back an EAP failure message. The switch proceeds with MAB.

I have two questions: why this strange behavior, and how to solve this? Please advise.
September 22nd, 2012 9:27am
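
For reading a capture like the one described in the post, the following added example (not part of the original post) decodes the EAP-TLS flags byte and any TLS alert record inside an EAP packet, using the RFC 5216 framing. The sample packets are constructed rather than taken from the poster's capture, and the function names are this example's own.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # RFC 5216: Length included, More fragments, Start
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {44: "certificate_revoked", 48: "unknown_ca"}  # only the two alerts in the post

def decode_tls_alert(data: bytes) -> str:
    """Classify the TLS data of one EAP-TLS packet, looking only for alert records."""
    if not data:
        return "no TLS data (acknowledgement)"
    if len(data) < 5 or data[0] != 21:  # 21 = TLS alert content type
        return "not an alert record"
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) != rec_len:
        return "truncated alert record"
    if rec_len == 2:  # plaintext alert: one level byte, one description byte
        level = ALERT_LEVEL.get(body[0], str(body[0]))
        return f"{level} alert {ALERT_DESC.get(body[1], body[1])}"
    return "encrypted alert"  # heuristic: longer body is ciphertext, not readable from the capture

def decode_eap(packet: bytes) -> dict:
    """Decode one EAP packet as carried in an EAPOL EAP-Packet frame."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 4 <= length <= len(packet):
        raise ValueError("EAP length field does not match the packet")
    out = {"code": EAP_CODES.get(code, code), "id": ident}
    if length < 6 or packet[4] != EAP_TYPE_TLS:
        return out  # Success/Failure, or an EAP type other than EAP-TLS
    flags, pos = packet[5], 6
    out["flags"] = [n for n, bit in (("L", FLAG_L), ("M", FLAG_M), ("S", FLAG_S)) if flags & bit]
    if flags & FLAG_L:  # 4-byte total TLS message length follows the flags byte
        if length < 10:
            raise ValueError("L flag set but length field missing")
        out["tls_message_length"] = struct.unpack("!I", packet[6:10])[0]
        pos = 10
    out["tls"] = decode_tls_alert(packet[pos:length])
    return out

# Constructed sample packets (not taken from the poster's capture)
UNKNOWN_CA_REQ = bytes.fromhex("01070011" "0d80" "00000007" "15030100020230")
ENCRYPTED_ALERT_RESP = bytes.fromhex("0207002f" "0d80" "00000025" "1503010020") + bytes(32)
EMPTY_RESP = bytes.fromhex("02070006" "0d00")

if __name__ == "__main__":
    for pkt in (UNKNOWN_CA_REQ, ENCRYPTED_ALERT_RESP, EMPTY_RESP):
        print(decode_eap(pkt))
```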
