802.1x Domain not available

AbelBurgos5029 (Level 1)

Hello all,

 

I am having some issues with 802.1x deployment. When I log in to a workstation using my admin account, it all goes well. Authentication and authorization work as planned, I get the DACL from ISE and everyone is happy. The problem is that when I try to log in with a different account such as a domain user account (same workstation), I get an error saying "unable to login, domain is not accessible. Please ensure computer is connected to domain." If I try to log in again with my admin account, it works fine again.

 

I configured 802.1x EAP-TLS with certificate autoenrollment for computers and users. I checked the ISE policy set and it is the same for admin users and domain users. I also checked the AD groups in ISE and domain users are in there. I even tested the domain user I am using from ISE and it comes back as "successful". There is currently no machine authentication, if that makes any difference. But there is a "PRE-AUTH" ACL on the switch ports allowing the computer to stay connected to the DC even when no one is logged in.

 

Any ideas on where to start troubleshooting?

 

Thanks


Is your admin account cached on the PC?  And the pre-auth ACL isn't actually working?  What if you try another admin account that does not have a current local profile on the endpoint?  Are you doing machine authentication for EAP-TLS?  Or User authentication?

Thank you for your answer.

 

I will give this a try and let you know. Although I tried making the test_user account an admin account and that did not help. So I don't think it has anything to do with the AD objects.

 

Currently doing user authentication with EAP-TLS. No machine authentication as of right now.

So do you have a rule for when the machine is logged out?  Or is your Pre-auth ACL configured correctly to allow it continue to hit the domain controller?   What do the logs look like when the user is logged off? 

When the user is logged off, the ISE logs show the machines attempting to authenticate but failing. But with the PRE-AUTH ACL shouldn't the machines still be able to stay in the domain even without authenticating?

What does your switchport config look like?  What are you returning from ISE when the PC machine authentications fail?

The switch has the basic dot1x config:

 switchport access vlan ___
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 ip access-group ACL-DEFAULT in

 

 

There is no multi-host or multi-domain in the config. Only machines connected to the switchport. No MAB configured either.

 

According to the ISE logs the machine authentication is failing for "host not found in identity store". The identity store that it is using is AD. I did notice that when the machine tries to authenticate it sends the name "host/Workstation-001", but the DNS record for it is "Workstation-001" (without the "host" at the beginning of the name). Not sure why this is happening.

This looks very much like an AD issue since ISE is telling you "host not found in identity store" which you said is AD. Have you looked in AD to be sure the computer is domain joined? Is it the same domain that ISE is querying?

host/Workstation-001 is a Windows thing and how they differentiate domain users vs domain computers when doing machine authentication.

 

We need to see actual ISE errors or understand what policies you have configured and matched in ISE to know if that is what you expect. Also see some of the Authorization Rule examples @ Microsoft Active Directory Groups Authorizations and those may help you.

 

Thank you for the info. I will go ahead and make some changes on the Policy sets and see if that makes the difference. I was thinking it had to do with the computer name but thank you for clarifying the "host" part on the name. I will get back to you and let you know how it goes.

I don't see "authentication open" configured, so your pre-auth ACL has no effect.  When ISE returns an access-reject for the machine authentication, the PC is blocked.  
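A small check for the condition described in this reply, added here as an example and not code from the thread or from Cisco: it scans a pasted access-port config and flags a pre-auth ACL that cannot take effect because "authentication open" is absent, and a method listed in the authentication order that is never enabled. The interface name and VLAN number in the sample are constructed.

```python
import re

# Constructed sample: the port config as first posted in the thread,
# before the poster mentioned that "authentication open" had been left out.
PORT_CONFIG_AS_POSTED = """
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 ip access-group ACL-DEFAULT in
"""


def check_dot1x_port(config: str) -> list:
    """Return a list of human-readable findings for one access-port config."""
    lines = {ln.strip() for ln in config.splitlines() if ln.strip()}
    findings = []

    # A pre-auth ACL only matters while the port is open before authentication;
    # without "authentication open" the port is closed until a method succeeds,
    # so an ISE access-reject for the machine cuts the PC off from the DC.
    acl = next((ln for ln in lines
                if ln.startswith("ip access-group ") and ln.endswith(" in")), None)
    if acl and "authentication open" not in lines:
        findings.append(f"'{acl}' has no effect before authentication: "
                        "'authentication open' is missing, so an access-reject blocks the port")

    # Collect every method named in the order/priority lists and make sure
    # each one is actually enabled on the port.
    methods = set()
    for ln in lines:
        m = re.match(r"authentication (?:order|priority) (.+)", ln)
        if m:
            methods.update(m.group(1).split())
    if "mab" in methods and "mab" not in lines:
        findings.append("mab is listed in authentication order/priority but the 'mab' "
                        "command is absent: there is no fallback when dot1x fails")
    if "dot1x" in methods and "dot1x pae authenticator" not in lines:
        findings.append("dot1x is listed but 'dot1x pae authenticator' is absent")
    return findings


if __name__ == "__main__":
    for finding in check_dot1x_port(PORT_CONFIG_AS_POSTED):
        print("-", finding)
```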

Authentication Open is configured on the switchport. Sorry I forgot to include that line

Hi @AbelBurgos5029 ,

 please double check on Policy > Policy Set > select the Policy Set ... on the Authentication Policy > Use column ... what shows to you?

 

 

Hello,

 

Thanks for the response. I will have to check and write back to you. It is on a classified network and I do not have remote access.

Hi @AbelBurgos5029 

 

You have to account for machine authentication when a user is not logged in.

My recommendation is to try to avoid having ISE send access denied, for multiple reasons. Just observe the authentication attempts, filtering based on computer MAC address, and observe what authentication attempts are being sent to ISE when the user logs off. If you're using the Windows native client, just configure user or computer in settings, and when the computer is authenticated then configure an ISE policy that allows access to the AD environment, other resources and usually access from the helpdesk.

Also for user authentication it is always better to perform password authentication as, as you've seen, you have to account for scenarios of first user login etc.

In general my scenarios for a port state are:

  • Computer LAN interface connected but PC not powered on (Wake on LAN enabled?)
  • Computer booted but no user logged in (PC should be able to reach AD and which resources? Also does the helpdesk need access during that state?)
  • Computer booted and user authenticated.
  • A more rare one: computer must perform PXE boot for provisioning. (MAB with limited access?)

 

Thank you, Panos.