https://community.cisco.com/t5/network-access-control/ise-2-6-patch-5-macbook-wireless-fail-using-peap-mschapv2/m-p/4145430#M562664 <P>Mac OSX does not really have the same separate Computer/User states as Windows. They also do not have the native ability to join an AD domain, so I'm not sure how you have machine auth happening against any MacBooks.</P> <P>Where I've seen customers using PEAP-MSCHAPv2 with MacBooks, they considered them single-user devices, used JAMF Pro to enrol and configure the Network Profile with the user credentials, and only authenticated against the user credentials.</P> <P>From the logs you provided, I would also infer you are trying to use MAR (WasMachineAuthenticated = True)? If that's the case, I would strongly recommend against using MAR as it has known user experience issues with Windows PCs. I don't know that MAR has ever even been tested with OSX as it does not have a clear separation of Computer/User states.</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html" target="_blank" rel="noopener">Machine Access Restriction Pros and Cons</A>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 02 Sep 2020 22:58:51 GMT Greg Gibbs 2020-09-02T22:58:51Z https://community.cisco.com/t5/network-access-control/ise-2-6-patch-5-macbook-wireless-fail-using-peap-mschapv2/m-p/4145252#M562650 <P>ISE 2.6 patch 5</P><P>Macbook</P><P>Wireless connection:&nbsp; user authc, previous machine authc</P><P>&nbsp;</P><P>Hello,</P><P>&nbsp;</P><P>Do we know if there is still an issue with Macbook using PEAP(MSCHAPv2)?</P><P>&nbsp;</P><P>I have some macbook successfully connect on ISE (user &amp; Machine.&nbsp; i.e. user authc, successful previous machine authc) using LEAP but fail using PEAP(CHAPv2) stating below.</P><P>&nbsp;</P><TABLE cellpadding="3" border="0"><TBODY><TR><TD>&nbsp;</TD><TD>24715</TD><TD>ISE has not confirmed locally previous successful machine authentication for user in Active Directory</TD></TR><TR><TD>&nbsp;</TD><TD>24714</TD><TD>ISE peers have not confirmed previous successful machine authentication for user in Active Directory</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Thanks</P> Wed, 02 Sep 2020 17:10:19 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-patch-5-macbook-wireless-fail-using-peap-mschapv2/m-p/4145252#M562650 KelvinT 2020-09-02T17:10:19Z https://community.cisco.com/t5/network-access-control/ise-2-6-patch-5-macbook-wireless-fail-using-peap-mschapv2/m-p/4145430#M562664 <P>Mac OSX does not really have the same separate Computer/User states as Windows. They also do not have the native ability to join an AD domain, so I'm not sure how you have machine auth happening against any MacBooks.</P> <P>Where I've seen customers using PEAP-MSCHAPv2 with MacBooks, they considered them single-user devices, used JAMF Pro to enrol and configure the Network Profile with the user credentials, and only authenticated against the user credentials.</P> <P>From the logs you provided, I would also infer you are trying to use MAR (WasMachineAuthenticated = True)? If that's the case, I would strongly recommend against using MAR as it has known user experience issues with Windows PCs. I don't know that MAR has ever even been tested with OSX as it does not have a clear separation of Computer/User states.</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html" target="_blank" rel="noopener">Machine Access Restriction Pros and Cons</A>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 02 Sep 2020 22:58:51 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-patch-5-macbook-wireless-fail-using-peap-mschapv2/m-p/4145430#M562664 Greg Gibbs 2020-09-02T22:58:51Z https://community.cisco.com/t5/network-access-control/ise-2-6-patch-5-macbook-wireless-fail-using-peap-mschapv2/m-p/4145690#M562681 <P>Hi Greg,</P><P>&nbsp;</P><P>Thanks for you respond.</P><P>&nbsp;</P><P>We are receiving a user and machine authc from the macbook configured with LEAP but not macbooks configure with PEAP(MSCHAPv2).&nbsp; Doing some search I see old conversations about ISE/Macbook/PEAP(MSCHAPv2) issues which is why I asked.</P><P>&nbsp;</P><P>I'm not an apple/macbook tech so my knowledge is very limited.&nbsp; I can say I see on the ISE logs actually similar behavior as EAP-FAST.&nbsp; The user and machine is sent in the same log and MARS is used for those macbooks configured with LEAP.</P><P>&nbsp;</P><P>Side note:&nbsp; I am aware of the limitations with MAR.&nbsp; Someone gave me a very good workaround.&nbsp; Switch user causes the machine to reauthc every time.&nbsp; So every time switch user is selected I see machine authc on ISE.&nbsp; The user can log back in and get connected.&nbsp; So just selecting switch user (no additional log in is required) then the same user logs back in is the best workaround.</P><P>&nbsp;</P><P>Thanks again Greg&nbsp;</P><P>&nbsp;</P> Thu, 03 Sep 2020 10:20:42 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-patch-5-macbook-wireless-fail-using-peap-mschapv2/m-p/4145690#M562681 KelvinT 2020-09-03T10:20:42Z