08-11-2016 04:54 AM
Hi there,
I am testing ISE 2.1 with AC 4.3.1095 for Windows machine authentication using a certificate.
EAP method is EAP-FAST with EAP-TLS as inner method.
Authentication failed with error "5440 Endpoint abandoned EAP session and started new."
I have also tested user auth with the same AC profile as machine and it works. The certificate can be detected by AC and I am seeing the hostname is correctly identified with the CN.
Any idea?
Thanks
Wing Churn
08-12-2016 08:29 AM
We use 802.1X authentication and I use EAP-Chaining to do the machine/user authentication. Here is a doc, but it is a little different for ISE 2.1 (I also use ISE 2.1).
If this is what you are trying to do, I can try to show some of my settings if it helps.
08-12-2016 08:36 AM
I was referring to the same document and it works for the "password" inner method for machine auth. What I am trying to achieve here is a certificate as the inner method.
Are you using a certificate in your lab?
Thanks
08-12-2016 08:43 AM
For inner method we use EAP-MSCHAPv2 since the users log in.
What we do is the machine joins and sits on a restricted network, then when the user logs in it re-checks and sends them to whatever network they are assigned/have permissions to.
So your users join with a cert?
08-12-2016 08:48 AM
I am trying certificates for both machine and user.
User certificate works too, but my customer is looking at machine auth using a certificate.
08-12-2016 09:01 AM
Windows 8, 8.1, or 10?
There is an issue where Windows will not pass the cert unencrypted to AnyConnect. Usually you will see "bad credentials" in the failure. This is fixed by adding the below reg key.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LsaAllowReturningUnencryptedSecrets"=dword:00000001
As for machine/user cert login, I have not done it, so I am not sure if it's much different from password.
08-12-2016 07:26 PM
Does it work with EAP-TLS auth by itself but not as an inner method of EAP-FAST? What are the auth protocol settings for the matched authentication policy?
08-12-2016 07:38 PM
Same error even with EAP-TLS. I only have one default authentication policy with a certificate profile.
From the ISE log, AnyConnect is getting the correct certificate, where the CN is logged as the username.
08-17-2016 08:34 AM
Try using eventvwr to look at the AnyConnect log entries.
The user certificate might have some problem, or even the AC profile, because it has different sections for user auth and machine auth. If you need further help on this, try the Cisco internal alias on AnyConnect with a copy of your DART file.
08-19-2016 11:36 PM
Hi Hsing,
Thanks for the tip. Apparently, the certificate was installed without a private key even though it showed "Certificate has associated private key" when we double-clicked the certificate. EAP-TLS for machine works on Windows 7 after importing the same certificate again.
I will try out Windows 8.1 and Windows 10 using the latest AC 4.3.02039 next week.
Thanks
Wing Churn
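The root cause in the last post was a machine certificate with no usable private key, which the certificate UI did not make obvious. The following PowerShell check is an added example, not code from the thread or from Cisco, that lists every certificate in the LocalMachine\My store (an assumed store path; the thread does not name it) and flags the conditions that break EAP-TLS machine auth: no private key, no Client Authentication EKU, or expiry. It also reports whether the LsaAllowReturningUnencryptedSecrets value from the earlier post is present.

```powershell
# Added example (not from the thread): audit machine certificates for EAP-TLS use.
function Test-MachineAuthCertificates {
    [CmdletBinding()]
    param(
        # Assumed store path; adjust if your machine cert lives elsewhere.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Find the EKU extension, if any, and check for Client Authentication.
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
        $hasClientAuth = $false
        if ($eku) {
            $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        }
        $notExpired = $cert.NotAfter -gt (Get-Date)

        [PSCustomObject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey     # false = the failure seen in this thread
            ClientAuthEku = $hasClientAuth
            Usable        = ($cert.HasPrivateKey -and $hasClientAuth -and $notExpired)
        }
    }
}

# Report the LSA value mentioned earlier in the thread (present or not).
function Get-LsaUnencryptedSecretsSetting {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'LsaAllowReturningUnencryptedSecrets'
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    return $item.$name
}

Test-MachineAuthCertificates | Format-Table -AutoSize
"LsaAllowReturningUnencryptedSecrets: $(Get-LsaUnencryptedSecretsSetting)"
```

Run it in an elevated PowerShell session on the supplicant; a certificate whose row shows HasPrivateKey False is the same condition that caused the failure described above, and the fix is to re-import the PFX so the key is stored with the certificate.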