https://community.cisco.com/t5/network-access-control/windows-10-trying-to-do-machine-auth-thru-ise/m-p/4196376#M564266 <P>do ise have a mechanism to reject an authentication request (for a period of time) after a laptop keeps failing to authenticate?&nbsp;</P><P>then once the duration is finished ise will allow laptop for a new auth request.&nbsp;</P> Thu, 10 Dec 2020 03:09:55 GMT Meuserid1979 2020-12-10T03:09:55Z https://community.cisco.com/t5/network-access-control/windows-10-trying-to-do-machine-auth-thru-ise/m-p/4195682#M564235 <P>Hi experts, im not really sure how to title this discussion. the scenario is this:</P><P>&nbsp;</P><P>wireless network is on 802.1x authentication thru ise (version 2.7).&nbsp;</P><P>&nbsp;</P><P>windows10 &lt;---&gt;cisco AP&lt;---&gt;WLC &lt;--&gt; Cisco ise</P><P>&nbsp;</P><P>AD is integrated to ise. users are authenticating thru a lists of AD OUs.&nbsp;</P><P>&nbsp;</P><P>authC - AD usernames/password are being checked against those selected OUs populated on ise</P><P>&nbsp;</P><P>authZ - is either permit access or dynamic vlan assignement</P><P>&nbsp;</P><P>on windows 10 wireless properties , "user or computer authentication" is the selected option.&nbsp;</P><P>machine authentication is disabled on ISE. But on ise logs, some windows are trying to do machine authentication first then after a while the user authentication will be done and user will get connected.</P><P>&nbsp;</P><P>is that windows10 machine behaviour or there is some settings on ise that can be changed so that the laptops will stop doing the machine authentication? thanks in advance</P> Wed, 09 Dec 2020 07:23:41 GMT https://community.cisco.com/t5/network-access-control/windows-10-trying-to-do-machine-auth-thru-ise/m-p/4195682#M564235 Meuserid1979 2020-12-09T07:23:41Z https://community.cisco.com/t5/network-access-control/windows-10-trying-to-do-machine-auth-thru-ise/m-p/4195703#M564236 Hi,<BR /><BR />when you boot the machine it will try to login using machine authentication<BR />(before the user login). The same thing when you logoff from your machine,<BR />it will try machine authentication to stay connected as there is no user<BR />details in the credentials store (lsass.exe).<BR /><BR />This is normal pattern with windows clients whether using native supplicant<BR />or anyconnect supplicant. If you disable machine authm you will start<BR />getting issues like machine not connected to network at boot with password<BR />changed. The user will attempt new password but it will accept cached<BR />password only as it can't see AD.<BR /><BR />***** please remember to rate useful posts<BR /> Wed, 09 Dec 2020 08:10:02 GMT https://community.cisco.com/t5/network-access-control/windows-10-trying-to-do-machine-auth-thru-ise/m-p/4195703#M564236 Mohammed al Baqari 2020-12-09T08:10:02Z https://community.cisco.com/t5/network-access-control/windows-10-trying-to-do-machine-auth-thru-ise/m-p/4195748#M564239 <P>thanks . appreciate the reply.&nbsp;</P> Wed, 09 Dec 2020 10:07:10 GMT https://community.cisco.com/t5/network-access-control/windows-10-trying-to-do-machine-auth-thru-ise/m-p/4195748#M564239 Meuserid1979 2020-12-09T10:07:10Z https://community.cisco.com/t5/network-access-control/windows-10-trying-to-do-machine-auth-thru-ise/m-p/4196376#M564266 <P>do ise have a mechanism to reject an authentication request (for a period of time) after a laptop keeps failing to authenticate?&nbsp;</P><P>then once the duration is finished ise will allow laptop for a new auth request.&nbsp;</P> Thu, 10 Dec 2020 03:09:55 GMT https://community.cisco.com/t5/network-access-control/windows-10-trying-to-do-machine-auth-thru-ise/m-p/4196376#M564266 Meuserid1979 2020-12-10T03:09:55Z