06-21-2021 07:13 AM
Good afternoon everyone,
Is anyone else experiencing issues with PEAP (MSCHAPv2) user authentication?
MSCHAPv2 user auth was working fine in our environment for the last 4 weeks (we implemented this recently). This morning, all of a sudden, a lot of users have been unable to authenticate with Cisco ISE 2.7.
The Windows 10 clients (21H1) are connected to the LAN with computer authentication. As soon as the user logged in, the client tried to authenticate with the username and failed. The client response was empty, so either the client refused to communicate with ISE or the authentication was never sent by the client.
Computer authentication still works fine. As soon as the user logged out, the client authenticated successfully.
We haven't made any changes regarding 802.1X and we haven't done any updates on Cisco ISE. The policy sets and Active Directory connection still look fine.
The issues started today (this morning).
I was wondering if anyone else experienced some issues with user authentication lately.
Could this issue be related to a new Windows update?
Best regards,
Daniel
06-24-2021 08:59 AM
Good afternoon,
It looks like the issue we encountered came from a Windows option named "Enable single sign on for this network" on the authentication tab of the network adapter, which was enabled in our group policy. It looks like Windows cached some of the user credentials (which worked fine for a couple of days or weeks). But at some point, the cached user credentials were not valid anymore and the MSCHAPv2 authentication stopped working for these users.
The computer authentication with MSCHAPv2 was still working fine. The issue was only related to the user authentication and kicked in as soon as a user logged on to the client.
Due to another option in Cisco ISE, invalid credentials were shown in the live logs as "Username" or "Username\Username". This led us to believe that the client was not sending the information at all, but I guess the client was just sending invalid user credentials due to caching and ISE masked them as "Username".
I did some tests with a non-domain-joined client and, when setting the authentication manually, everything was working fine. The MSCHAPv2 authentication worked without an issue.
I guess the issue was not related to Windows updates or to Cisco ISE, but just a bad configuration in our group policy. I haven't had any time to check this in detail, but I guess it was "only" some issues with cached credentials.
06-21-2021 11:54 AM
There could be a lot of variables, but how does the computer itself authenticate? Certificate (EAP-TLS)? From my experience, if a client doesn't authenticate, it may be that the client doesn't trust the certificate presented by the ISE server. Is the server certificate self-signed, issued by a domain CA, or publicly signed? Do the clients have the appropriate root/sub-CA certificates for authentication in their trusted store, and have any of them expired? Expiry is a possibility if it happened recently to a lot of clients.
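The two checks raised in this thread, the "single sign on" / cached-credential settings of the wired 802.1X profile from the accepted answer above and the server-certificate trust question in the reply just above, can both be read off the client itself. The following PowerShell is an added example, not code from the thread or from Cisco/Microsoft: it exports the wired LAN profile with `netsh lan export profile`, reads the OneX settings (`authMode`, `cacheUserData`, `singleSignOn`) by element name, and cross-checks every PEAP `TrustedRootCA` thumbprint in the profile against the machine's Trusted Root and Intermediate CA stores, flagging missing or expired CA certificates. It assumes the adapter is named "Ethernet" (change `$Interface`), that the script runs elevated, and that the Wired AutoConfig (dot3svc) service is running; the element names are taken from the Windows LAN/OneX profile XML schema.

```powershell
# Added example (not from the thread): inspect a Windows 10 wired 802.1X profile
# for the SSO / cached-credential settings and verify its PEAP trusted root CAs.
# Assumptions: adapter named "Ethernet", elevated shell, dot3svc running.
param(
    [string]$Interface = 'Ethernet',
    [string]$ExportDir = (Join-Path $env:TEMP 'lanprofile')
)

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
# netsh writes one XML file per exported wired profile into the folder
netsh lan export profile folder="$ExportDir" interface="$Interface" | Out-Null

$xmlFile = Get-ChildItem -Path $ExportDir -Filter *.xml | Select-Object -First 1
if (-not $xmlFile) { throw "No wired profile exported for interface '$Interface'" }
[xml]$lanProfile = Get-Content -Path $xmlFile.FullName -Raw

# The profile mixes several XML namespaces (LAN, OneX, EapHostConfig, PEAP),
# so match on local element names instead of prefixing each namespace.
function Get-ProfileNode([System.Xml.XmlNode]$Root, [string]$Name) {
    $Root.SelectSingleNode(".//*[local-name()='$Name']")
}

$authMode  = (Get-ProfileNode $lanProfile 'authMode').InnerText       # machine | user | machineOrUser
$cacheUser = (Get-ProfileNode $lanProfile 'cacheUserData').InnerText  # "Remember my credentials"
$sso       = Get-ProfileNode $lanProfile 'singleSignOn'               # "Enable single sign on for this network"

"authMode      : $authMode"
"cacheUserData : $cacheUser"
if ($sso) {
    $ssoType = (Get-ProfileNode $sso 'type').InnerText                # preLogon | postLogon
    "singleSignOn  : enabled (type=$ssoType)"
} else {
    "singleSignOn  : not configured"
}

# PEAP server validation: each <TrustedRootCA> carries a SHA-1 thumbprint as
# space-separated hex bytes. The supplicant only accepts the ISE EAP server
# certificate if its chain ends in one of these, and that CA certificate must
# itself be present in the machine store and still within its validity period.
$caCerts = @(Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA')
$now = Get-Date
foreach ($node in $lanProfile.SelectNodes("//*[local-name()='TrustedRootCA']")) {
    $thumb = ($node.InnerText -replace '\s', '').ToUpperInvariant()
    $cert  = $caCerts | Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if (-not $cert) {
        "TrustedRootCA $thumb : NOT PRESENT in LocalMachine Root/CA stores"
    } elseif ($cert.NotAfter -lt $now) {
        "TrustedRootCA $thumb : $($cert.Subject) EXPIRED on $($cert.NotAfter)"
    } else {
        "TrustedRootCA $thumb : $($cert.Subject) valid until $($cert.NotAfter)"
    }
}
```

If `singleSignOn` shows up with `cacheUserData` set to `true` while `authMode` is `machineOrUser`, the client will replay whatever user credential it stored at first logon, which is the failure mode described in the accepted answer; a profile with no `TrustedRootCA` that is present and unexpired matches the certificate-trust failure the reply above suspects.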
06-21-2021 06:19 PM
This could be an issue caused by the OS update if Credential Guard was enabled by that update. Check this post for more info on the Windows Credential Guard feature and how to confirm it in the supplicant configuration.