I am testing ISE 2.1 with AC 4.3.1095 for Windows Machine authentication using certificate.
EAP method is EAP-FAST with EAP-TLS as inner method.
Authentication failed with error "5440 Endpoint abandoned EAP session and started new."
I have also tested User auth with the same AC profile as machine and it works. The certificate can be detected by AC and I am seeing the hostname is correctly identified with the CN.
We use 802.1x authentication and I use EAP-Chaining to do the machine/user authentication. Here is a doc, but a little different for ISE 2.1 (I also use ISE 2.1)
If this is what you are trying to do, I can try to show some of my settings if it helps.
I was referring to the same document and it works for "password" inner method Machine Auth. What I am trying to achieve here is Certificate as inner method.
Are you using certificate in your lab?
For inner method we use EAP-MSCHAPv2 since the users log in.
What we do is the machine joins and sits on a restricted network, then when the user logs in it re-checks and sends them to whatever network they are assigned/have permissions to.
So your users join with a cert?
I am trying certificates for both Machine and User.
User Certificate works too but my customer is looking at Machine auth using certificate.
Windows 8, 8.1, or 10?
There is an issue where Windows will not pass the cert unencrypted to AnyConnect. Usually you will see "bad credentials" in the failure. This is fixed by adding the below reg key.
Windows Registry Editor Version 5.00
As for Machine/user cert login, I have not done it, so not sure if it's much different from password.
Does it work if EAP-TLS auth by itself but not as an inner method of EAP-FAST? What are the auth protocol settings for the matched authentication policy?
Same error even with EAP-TLS. I only have one default authentication policy with a certificate profile.
From ISE log AnyConnect is getting the correct certificate where CN is logged for username.
Try using the eventvwr to look at the AnyConnect log entries.
The user certificate might have some problem or even the AC profile because it has different sections for user auth and machine auth. If you need further help on this, try the Cisco internal alias on AnyConnect with a copy of your DART file.
Thanks for the tip. Apparently, the certificate was installed without its private key even though it showed "Certificate has associated private key" when we double-clicked the certificate. EAP-TLS for machine works for Windows 7 after importing the same certificate again.
I will try out Windows 8.1 and Windows 10 using latest AC 4.3.02039 next week.
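The root cause in this thread (a machine certificate that appears to have a private key in the GUI but has none usable) can be checked from the command line before touching the AnyConnect profile or ISE policy. The following PowerShell is an added example, not from the thread or from Cisco; it assumes the machine certificate lives in the Local Computer personal store (Cert:\LocalMachine\My) and that the hostname in the CN should match the machine's FQDN, as the original poster described. The Client Authentication EKU OID (1.3.6.1.5.5.7.3.2) is the standard one EAP-TLS supplicants look for.

```powershell
# Added example: audit Local Computer personal-store certificates for the
# conditions that break EAP-TLS machine auth (missing/unusable private key,
# no Client Authentication EKU, CN not matching the host, expired).
# Run from an elevated PowerShell on the Windows client under test.

# Assumption: the machine cert CN is expected to contain the host FQDN.
$hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-PrivateKeyUsable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # HasPrivateKey only reflects the store's association flag; the key
    # container itself may be missing. Actually open the key to be sure.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -ne $rsa) { return $true }
        $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
        return ($null -ne $ecdsa)
    } catch {
        return $false
    }
}

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $hasClientAuth = [bool]($cert.EnhancedKeyUsageList |
        Where-Object { $_.ObjectId -eq $clientAuthOid })

    [PSCustomObject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        HasPrivateKeyFlag = $cert.HasPrivateKey
        KeyOpens         = Test-PrivateKeyUsable -Cert $cert
        ClientAuthEKU    = $hasClientAuth
        CNMatchesHost    = ($cert.Subject -match [regex]::Escape($hostFqdn))
        Expired          = ($cert.NotAfter -lt (Get-Date))
    }
}

$report | Format-Table -AutoSize

# Highlight exactly the failure mode from the thread: flag says yes, key does not open.
$broken = $report | Where-Object { $_.HasPrivateKeyFlag -and -not $_.KeyOpens }
if ($broken) {
    Write-Warning "Certificates whose private key is associated but not usable:"
    $broken | Select-Object Subject, Thumbprint | Format-Table -AutoSize
}
```

A row with HasPrivateKeyFlag true but KeyOpens false is the case the thread ended on; re-importing the PFX (with the private key) into Cert:\LocalMachine\My is what resolved it here. Certificates with ClientAuthEKU false or CNMatchesHost false would also fail ISE certificate authentication even with a perfectly good key, so check those columns before digging into the AnyConnect DART logs.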