topic Re: User and Machine Authentication in Network Access Control

User and Machine Authentication

vivarock12 — Thu, 10 Jul 2025 23:16:57 GMT

Hello

Am having troubles getting my WIFI to work with machine authentication and user authentication i keept trying to reauthenticate every time im not really sure why it doing it at the machine authentication part, but it get that correct.

this is whats happening:
i created a new SSID on a classic WLC to do the test:

this is the SSID configuration:

the AP SW port config

im using the same VLAN for users and management, for the testing.

This is the configturation of the ISE

the thing is the machine auhthentication and users logs like it work but it wont assing the user its IP ADDRESS.

i try the same policy just with the ssid in other ruel and it worked like a charm

any idea what it migth be the problem?

Re: User and Machine Authentication

Rob Ingram — Fri, 11 Jul 2025 06:05:14 GMT

@vivarock12 are you using EAP Chaining (EAP-FAST or TEAP) or using MAR (no one recommends using MAR anyway)? If not using using EAP Chaining "Network Access WasMachineAuthenticated" will not work.

I would recommend using TEAP over EAP-FAST https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html

Re: User and Machine Authentication

MHM Cisco World — Wed, 16 Jul 2025 10:03:52 GMT

MHM

Re: User and Machine Authentication

MHM Cisco World — Wed, 16 Jul 2025 10:04:17 GMT

MHM

Re: User and Machine Authentication

vivarock12 — Fri, 11 Jul 2025 13:43:42 GMT

Hello Rob,

Thanks for the help as always, but i was trying to doit with MAR using PEAP aparently so ill try with TEAP one question do a need a user CERT for it?

Thanks for the help.

Re: User and Machine Authentication

vivarock12 — Fri, 11 Jul 2025 13:34:59 GMT

i was using WPA2 so do you recommend to use wpa3?

Re: User and Machine Authentication

MHM Cisco World — Fri, 11 Jul 2025 13:37:36 GMT

Hmm

It is wireless cases

Some wifi client support wpa3 abd other support wpa2' I will check the mix mode (using both in single SSID)

MHM

Re: User and Machine Authentication

Rob Ingram — Fri, 11 Jul 2025 13:58:38 GMT

@vivarock12

If using WPA2 enterprise then that implies you are using PEAP/MSCHAPv2 or EAP-TLS and in both instances certificates are used. PEAP/MSCHAPv2 validates the server ceritificate (ISE's EAP certificate) and EAP-TLS validates the client and server certificate.

If you want to use TEAP, then you can mix and match PEAP/MSCHAPv2 and EAP-TLS for user and machine authentication, TEAP will just combine the authentications together. So you could use certificate authentication for computer and PEAP/MSCHAPv2 for user, or use certificate for user aswell - you'd obviously have to distribute user certificates.

You do not need to use WPA3, EAP Chaining will work with WPA2 enterprise.

Re: User and Machine Authentication

vivarock12 — Tue, 15 Jul 2025 22:01:18 GMT

Guys sorry for the late reply, the TEAP solution worked but we have a problem now there using anyconnect with NAM im trying to generate a nam profile a wifi to use EAP-fast or TTLS using only MS-chap as authentication fo the machine and for the user but idid a TCP dump on the ISE but not getting any information from the "loggin that the Anyconnect is supposed to be doing" i dont know if you guys have fund the same trouble with anyconnect?

investigating i foundso recommendation to use TEAP without NAM because it wasnt working ethier but i dont know if they (client) would be able to disable the NAM. on the PCs.

investigating i ended up with the followinf that you need to do a register LsaAllowReturningUnencryptedSecrets, for eap-fast to work and

Microsoft support has informed that making this change will effectively make a hole in protecting the credentials.

Stated, :"kindly be informed that create and change registry key LsaAllowReturningUnencryptedSecrets to 1 will opens a hole in credential protection to allow application compatibility so applications (and yes attackers) can extract device secrets in clear text. This behavior is by design and improves protection of the LSA secret. Therefore we need to make it clear that they are opening a credential theft vector. Organizations concerned about credential theft attacks also known as pass-the-hash attacks, should understand that deploying this registry key makes it easy for attackers to steal the domain-joined device's clear-text password. "

this is in a LINK https://community.cisco.com/t5/vpn/windows-10-machine-authentication-with-anyconnect-nam/td-p/3462166

so is it true?

Re: User and Machine Authentication

Greg Gibbs — Tue, 15 Jul 2025 22:18:44 GMT

Yes, that is true but the same could be said of using MSCHAPv2 as it uses NTLMv1 which is just as vulnerable to pass-the-hash attacks.

Credential Guard is enabled by default on newer versions of Windows 11 and must be disabled to use MSCHAPv2.
https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues

If you're concerned about credential theft attacks, you should be using non-credential based authentication methods like EAP-TLS (as an inner or outer method). Microsoft has the same recommendation as stated in the link above.

Re: User and Machine Authentication

vivarock12 — Tue, 15 Jul 2025 22:26:57 GMT

so @Greg Gibbs the recomendation or best practice would be to use TEAP or EAP-FAST with certificates rigth?

Re: User and Machine Authentication

Greg Gibbs — Wed, 16 Jul 2025 04:44:40 GMT

Yes, you would need to use certificate-based authentication.

If you want to use EAP Chaining, you would need to use TEAP(EAP-TLS) [with the Windows native supplicant] or EAP-FAST(EAP-TLS) [with NAM]

Re: User and Machine Authentication

MHM Cisco World — Wed, 16 Jul 2025 10:49:14 GMT

this is TEAP Authc method

TEAP use two Auth
outer tunnel Authc use ISE cert only to authc
inner authc use
A- EAP-TLS (machine AND/OR user cert)
B-EAP-MSCHAPv2 (username/password)

the config ot TEAP for both TEAP(EAP-TLS) and TEAP(EAP-MSCHAPv2) is same in WLC select WAP2 or WPA3 enterprise with 802.1x

in ISE the differnt come

allow protocol
you need to allow EAP-MSCHAPv2 AND/OR EAP-TLS

Authz policy

You need differnt authz policy
one for machine and user cert authc successed (chain)
other for user cert authc successed

Re: User and Machine Authentication

vivarock12 — Fri, 25 Jul 2025 22:11:08 GMT

ok guys now im trying to doit with AEP-tls directly with the wired connection it work like a charm with out a trouble, but when im doing the same on the NAM its giving me 2 troubles if i try to select the Wireless network directly it gives me the following trouble:

i creted a NAM profile wuth the test network for the wifi ad is giving me the follogin trouble:

it gets stuck on associating

i did a network capture on the ise and the thing of im not seeing any request on it.

im working in a ISE3.1 with trial version.

so any idea on why im havving this trouible?

Re: User and Machine Authentication

MHM Cisco World — Fri, 25 Jul 2025 22:49:15 GMT

Can I see live log of ISE when wifi client with NAM failed

MHM

Re: User and Machine Authentication

vivarock12 — Fri, 25 Jul 2025 23:15:38 GMT

that the trouble i dont see anything on the ISE and i did a packet capture but i dont see any trouble on the ISE etheir. so is there and thing that can be done? or any idea?

Re: User and Machine Authentication

MHM Cisco World — Sat, 26 Jul 2025 12:14:31 GMT

https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/prime-nam-2440-appliance/221954-configure-secure-client-nam-for-dot1x-us.html

Follow guide to config Nam for eap-tls

MHM