
802.1X failing Authorization profile

adamgibs7
Level 6

Dears,

I am doing EAP chaining; attached are the logs for the connection and a screenshot of the authorization profile. The machine is in the AD domain, but it is still failing to authenticate. Any hints, experts?

The selected conditions are as below:

radius service type equal                 framed
radius nas port type equal                Ethernet
Network access eap tunnel                 EAP-FAST
Network access authentication method      MSCHAPv2
Network access eap chaining results       user and machine both succeeded


Francesco Molino
VIP Alumni

Hi

 

I see the following error in your log:

24344 RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,jack-XYZ-OLD-PC$@XYZ.local
24485 Machine authentication against Active Directory has failed because of wrong password - XYZ_AD 

What OS version are you running on your PC?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
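
An added example, not part of the thread or of Cisco ISE: a small triage script for the two step lines quoted in the reply above, showing why the rule condition "user and machine both succeeded" from the question cannot match. The line layout is inferred from those two lines, and `parse_step` and `triage` are hypothetical names.

```python
# Added example, not from the thread. Assumes each ISE step line has the shape
# "<numeric code> <message> - <comma-separated detail>", inferred from the two
# lines quoted above; parse_step and triage are hypothetical helper names.

# The two step lines quoted in the reply, plus one constructed line without a
# step code to show that unparseable input is skipped.
SAMPLE_STEPS = """\
24344 RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,jack-XYZ-OLD-PC$@XYZ.local
24485 Machine authentication against Active Directory has failed because of wrong password - XYZ_AD
(constructed) line without a step code
"""


def parse_step(line):
    """Split one step line into code, message, error names and principal."""
    code, _, rest = line.strip().partition(" ")
    if not code.isdigit() or not rest:
        return None
    text, _, detail = rest.partition(" - ")
    tokens = [t.strip() for t in detail.split(",") if t.strip()]
    principal = next((t for t in tokens if "@" in t), None)
    return {
        "code": int(code),
        "text": text.strip(),
        "errors": [t for t in tokens if t.startswith(("STATUS_", "ERROR_"))],
        "principal": principal,
        # AD computer accounts carry a trailing "$" before the "@realm" part.
        "is_machine": bool(principal) and principal.split("@")[0].endswith("$"),
    }


def triage(log_text):
    """Report whether a machine credential was rejected as a wrong password."""
    steps = [s for s in map(parse_step, log_text.splitlines()) if s]
    rejected = sorted({s["principal"] for s in steps
                       if s["is_machine"] and "STATUS_WRONG_PASSWORD" in s["errors"]})
    return {
        "parsed_steps": len(steps),
        "machine_wrong_password": rejected,
        # The rule in the question requires the EAP chaining result "user and
        # machine both succeeded", so a rejected machine leg rules it out.
        "both_succeeded_rule_ruled_out": bool(rejected),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_STEPS))
```
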

Dear Francesco,

The Windows version is 10, and I found the problem is due to the bug:

https://communities.cisco.com/thread/67962

and the fix is at the link below:

http://globalconfig.net/fix-eap-chaining-userpassedmachinefailed-issue-windows-8/

Thanks Francesco

Yes, that's why I asked the OS version, just to be sure.

Thanks
Francesco

Dear Francesco

Please find the attached screenshot,

I have small queries related to the connection statistics. When I click to see the statistics, I see the below.

In the security information section:

encryption : none

Server:

credential type: None

In credential type it should show me username/password; please correct me if I'm wrong.

And about encryption: the complete session from the Windows machine to the ISE is encrypted, so why is encryption shown as none?

 

Dears,

Things were working cool, but now I am failing as per the attached logs. It mentioned the AD not found, hence my TACACS is working with AD credentials; I don't understand why the machine is not found.

Can you validate that the machine hasn't been removed from AD?

Can you try authenticating the machine only alone without eap-chaining to see what's happening?

Thanks
Francesco

Thanks Francesco

Can you validate that the machine hasn't been removed from AD?

It is available.

Can you try authenticating the machine only alone without eap-chaining to see what's happening?

Only machine also fails.

 

OK. When it fails, can you share the output of ISE and the debug of the switch?
Also, can you share the config of ISE (policy-sets)?

Thanks
Francesco

Dear Francesco,

If you are a Cisco employee, here is the TAC case number 684359762

Thanks