5440 Supplicant abandon session start new: PEAP-MSCHAPv2

KelvinT
Level 1

Hello, ISE 2.6 patch 7, PEAP outer / MSCHAPv2 inner, 3850 switch IOS 16.9.4, Windows 10. 802.1X is enabled via GPO. ISE logs show successful PEAP negotiation, but when ISE sends the inner MSCHAPv2 challenge, ISE shows "endpoint supplicant abandon and start new". What's interesting is we do not see any RADIUS debug log on the NAD. The show authentication sessions interface detail shows authc with 802.1x. Any ideas?

4 Replies

Damien Miller
VIP Alumni
Run these two commands and see if you are able to see the debugs. The syntax changed at some point.

Set this trace:
set platform software trace smd switch active R0 radius debug

View the trace debugs:
show platform software trace message smd switch active r0

As for the cause, it's tough to say without more visibility. Has this endpoint authenticated successfully in the past?

Hi,

Thanks for the quick response.

This is a green field. Just installed.

ISE log shows 2 workstations successfully hitting the correct authz policy, i.e. completing both PEAP and MSCHAPv2. Unfortunately all other PCs are failing with the error posted. It's in monitor mode so no major outage.

Are there any differences between the working and non-working PCs in relation to support for UEFI/SecureBoot?

Be aware that, for Win10 PCs with UEFI/SecureBoot enabled, the default domain policy likely enables the Credential Guard feature, which breaks MSCHAPv2.

You might want to check the supplicant settings for the non-working PCs to see if the following option is greyed out. If it is, CG is enabled and MSCHAPv2 will not work. You would need to disable CG in the domain policy or look at moving to EAP-TLS, using a different supplicant (like NAM), etc.

[Screenshot: supplicant settings dialog showing the greyed-out option]
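A quick way to confirm the Credential Guard theory on a non-working PC without clicking through the supplicant dialog is to query the Device Guard status directly. This is an added example, not code from the thread; it assumes an elevated PowerShell session on the Win10 endpoint and uses the documented Win32_DeviceGuard CIM class and the LsaCfgFlags registry value.

```powershell
# Added example (not from this thread): report whether Credential Guard is
# configured and running on the local Win10 endpoint, so working and
# non-working PCs can be compared. Run elevated on the endpoint.
function Get-CredentialGuardState {
    # Documented class: root\Microsoft\Windows\DeviceGuard\Win32_DeviceGuard
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # In SecurityServicesConfigured / SecurityServicesRunning:
    #   1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
    $cgConfigured = @($dg.SecurityServicesConfigured) -contains 1
    $cgRunning    = @($dg.SecurityServicesRunning)    -contains 1

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled, no lock
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfig  = $cgConfigured
        CredentialGuardRunning = $cgRunning
        LsaCfgFlags            = $lsa.LsaCfgFlags
        UefiLocked             = ($lsa.LsaCfgFlags -eq 1)
    }
}

$state = Get-CredentialGuardState
$state | Format-List

if ($state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is running: the supplicant will not perform MSCHAPv2 (PEAP inner method).'
    if ($state.UefiLocked) {
        Write-Warning 'LsaCfgFlags=1 (UEFI lock): turning off the GPO alone does not disable it; the UEFI lock must be cleared too.'
    }
} else {
    Write-Output 'Credential Guard is not running; the PEAP-MSCHAPv2 abandon has another cause.'
}
```

Run it on one of the two working workstations as well; a CredentialGuardRunning value that differs between the two groups is the confirmation Gregg is describing.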

Yes Gregg! I do remember seeing that greyed out.

I will confirm tomorrow.

Thanks Gregg!