We are successfully authenticating our Windows7 Wireless laptop users using Microsoft CA issued Machine Certificates to Cisco ACS Server v4.2 using EAP-TLS
However when AnyConnect 3.0.5080 is Installed and Network Access Manager (NAM) is running on the laptops NAM appears to be selecting details from the wrong certifcate for EAP-TLS authentication to ACS Server, it selects Username details from a Personal certificate on the users machine that is used by LYNC 2010 and does not use the Machine Certificate that is installed.
Attached is ACS logs that indicate this.
Will NAM always use details obtained from a Personal certificate in prefernce to a Machine certificate (if they both have the same domain name contained within them).
The issue has now been resolved with the excellent assistance of Cisco TAC - it was a configuration issue within our NAM Profile.
Im summary there were 2 Network Groups within our NAM profile "Default" and "Local Networks".
The profile was set correctly to use Machine Authentication for our wireless SSID in the "Default" group and was listed as an Administrator network within NAM (however as before this was failing and NAM was using the LYNC user certificate details).
Turns out there had been a test network with the same SSID set-up previously within the "Local Networks" group and this was listed as a User network and it is this one that NAM was using to try and authenticate.
When this test network was deleted from the "Local Networks" group we were then able to authenticate to our wireless SSID successfully using 802.1x and EAP-TLS