Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
894
Views
0
Helpful
1
Replies

AnyConnect Network Access Manager can't handle machine authentication

akbasah
Level 1
Level 1

‎07-03-2018 06:19 AM - edited ‎02-21-2020 11:00 AM

I'm using PEAP-mschapv2 for machine authentication(wired-dot1x). Client authenticated against AD when using windows native client but when I using nam, it fails.

Client Windows 10 version 1803 it's updated.

I have tried Windows 7 client with same nam config and client was authenticated successfully.

Can someone help me for solution?

 

I'm using freeradius and freeradius uses ntlm for authentication. 

Labels:
0 Helpful
1 Reply 1

Rahul Govindan
VIP Alumni
VIP Alumni

‎07-03-2018 07:06 AM

Windows 10 requires a registry fix for NAM machine auth to work.

 

From the Anyconnect release notes:

 

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect46/release/notes/b_Release_Notes_AnyConnect_4_6.html#ID-1454-000002d1

 

 

Spoiler

For Network Access Manager, machine authentication using machine password will not work on Windows 8 or 10 / Server 2012 unless a registry fix described in Microsoft KB 2743127 is applied to the client desktop. This fix includes adding a DWORD value LsaAllowReturningUnencryptedSecrets to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa registry key and setting this value to 1. This change permits Local Security Authority (LSA) to provide clients like Cisco Network Access Manager with the Machine password. It is related to the increased default security settings in Windows 8 or 10 / Server 2012. Machine authentication using Machine certificate does not require this change and will work the same as it worked with pre-Windows 8 operating systems.

0 Helpful
Customers Also Viewed These Support Documents