https://community.cisco.com/t5/network-access-control/anyconnect-network-access-manager-can-t-handle-machine/m-p/3409705#M548070 <P>Windows 10 requires a registry fix for NAM machine auth to work.</P> <P>&nbsp;</P> <P>From the Anyconnect release notes:</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect46/release/notes/b_Release_Notes_AnyConnect_4_6.html#ID-1454-000002d1" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect46/release/notes/b_Release_Notes_AnyConnect_4_6.html#ID-1454-000002d1</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-SPOILER> <P class="p">For Network Access Manager, machine authentication using machine password will not work on Windows 8 or 10 / Server 2012 unless a registry fix described in Microsoft KB 2743127 is applied to the client desktop. This fix includes adding a DWORD value LsaAllowReturningUnencryptedSecrets to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa registry key and setting this value to 1. This change permits Local Security Authority (LSA) to provide clients like Cisco Network Access Manager with the Machine password. It is related to the increased default security settings in Windows 8 or 10 / Server 2012. Machine authentication using Machine certificate does not require this change and will work the same as it worked with pre-Windows 8 operating systems.</P> </LI-SPOILER> Tue, 03 Jul 2018 14:06:02 GMT Rahul Govindan 2018-07-03T14:06:02Z https://community.cisco.com/t5/network-access-control/anyconnect-network-access-manager-can-t-handle-machine/m-p/3409655#M548069 <P>I'm using PEAP-mschapv2 for machine authentication(wired-dot1x). Client authenticated against AD when using windows native client but when I using nam, it fails.</P> <P>Client Windows 10 version 1803 it's updated.</P> <P>I have tried Windows 7 client with same nam config and client was authenticated successfully.</P> <P>Can someone help me for solution?</P> <P>&nbsp;</P> <P>I'm using freeradius and freeradius uses ntlm for authentication.&nbsp;</P> Fri, 21 Feb 2020 19:00:07 GMT https://community.cisco.com/t5/network-access-control/anyconnect-network-access-manager-can-t-handle-machine/m-p/3409655#M548069 akbasah 2020-02-21T19:00:07Z https://community.cisco.com/t5/network-access-control/anyconnect-network-access-manager-can-t-handle-machine/m-p/3409705#M548070 <P>Windows 10 requires a registry fix for NAM machine auth to work.</P> <P>&nbsp;</P> <P>From the Anyconnect release notes:</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect46/release/notes/b_Release_Notes_AnyConnect_4_6.html#ID-1454-000002d1" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect46/release/notes/b_Release_Notes_AnyConnect_4_6.html#ID-1454-000002d1</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-SPOILER> <P class="p">For Network Access Manager, machine authentication using machine password will not work on Windows 8 or 10 / Server 2012 unless a registry fix described in Microsoft KB 2743127 is applied to the client desktop. This fix includes adding a DWORD value LsaAllowReturningUnencryptedSecrets to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa registry key and setting this value to 1. This change permits Local Security Authority (LSA) to provide clients like Cisco Network Access Manager with the Machine password. It is related to the increased default security settings in Windows 8 or 10 / Server 2012. Machine authentication using Machine certificate does not require this change and will work the same as it worked with pre-Windows 8 operating systems.</P> </LI-SPOILER> Tue, 03 Jul 2018 14:06:02 GMT https://community.cisco.com/t5/network-access-control/anyconnect-network-access-manager-can-t-handle-machine/m-p/3409705#M548070 Rahul Govindan 2018-07-03T14:06:02Z