AnyConnect Network Access Manager can't handle machine authentication
07-03-2018 06:19 AM - edited 02-21-2020 11:00 AM
I'm using PEAP-MSCHAPv2 for machine authentication (wired dot1x). The client authenticates against AD when using the Windows native client, but when I use NAM, it fails.
The client is Windows 10 version 1803 and it's updated.
I have tried a Windows 7 client with the same NAM config and the client was authenticated successfully.
Can someone help me with a solution?
I'm using FreeRADIUS, and FreeRADIUS uses NTLM for authentication.
Labels: Other NAC
07-03-2018 07:06 AM
Windows 10 requires a registry fix for NAM machine auth to work.
From the AnyConnect release notes:
For Network Access Manager, machine authentication using machine password will not work on Windows 8 or 10 / Server 2012 unless a registry fix described in Microsoft KB 2743127 is applied to the client desktop. This fix includes adding a DWORD value LsaAllowReturningUnencryptedSecrets to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa registry key and setting this value to 1. This change permits Local Security Authority (LSA) to provide clients like Cisco Network Access Manager with the Machine password. It is related to the increased default security settings in Windows 8 or 10 / Server 2012. Machine authentication using Machine certificate does not require this change and will work the same as it worked with pre-Windows 8 operating systems.
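As an added example (not code from this thread, from Cisco or from Microsoft), the following PowerShell checks whether the LsaAllowReturningUnencryptedSecrets DWORD quoted from the release notes is present and set to 1 under HKLM\System\CurrentControlSet\Control\Lsa, and can apply or revert it. The function names are hypothetical; the registry path and value name are the ones given in the release-note excerpt above.

```powershell
# Added example, not from the forum post, Cisco or Microsoft.
# Inspects (and optionally sets) the LSA value that the AnyConnect release
# notes and Microsoft KB 2743127 describe for NAM machine-password auth.
# Function names are hypothetical. Writing the value needs an elevated shell.

$LsaKey   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$LsaValue = 'LsaAllowReturningUnencryptedSecrets'

function Get-LsaUnencryptedSecretsSetting {
    # Returns the current DWORD, or $null when the value is absent
    # (absent is the Windows default, which is the failing state for NAM).
    $item = Get-ItemProperty -Path $LsaKey -Name $LsaValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$LsaValue
}

function Set-LsaUnencryptedSecretsSetting {
    # Value 1 applies the fix from the release notes; value 0 reverts it.
    param([ValidateSet(0, 1)][int]$Value = 1)

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell session to change HKLM.'
    }

    if ($null -eq (Get-LsaUnencryptedSecretsSetting)) {
        New-ItemProperty -Path $LsaKey -Name $LsaValue -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $LsaKey -Name $LsaValue -Type DWord -Value $Value
    }
    return (Get-LsaUnencryptedSecretsSetting)
}

# Report the current state in terms of what it means for NAM.
$current = Get-LsaUnencryptedSecretsSetting
$os      = [Environment]::OSVersion.Version
if ($null -eq $current) {
    Write-Host "$LsaValue is not set (Windows $os): NAM machine-password auth will fail."
} elseif ($current -eq 1) {
    Write-Host "$LsaValue = 1: LSA may return the machine password to NAM."
} else {
    Write-Host "$LsaValue = $current: NAM machine-password auth will fail."
}

# To apply the fix described in the release notes (elevated shell):
#   Set-LsaUnencryptedSecretsSetting -Value 1
# To revert it:
#   Set-LsaUnencryptedSecretsSetting -Value 0
```

Because the value instructs LSA to hand the machine account secret to local callers such as NAM, treat it as a per-host exception limited to clients that actually need password-based machine authentication, and record the change so it can be reverted. The release notes state that machine authentication with a machine certificate works without this change, so where certificates are available they avoid the registry modification altogether.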
