AnyConnect Network Access Manager can't handle machine authentication

akbasah
Level 1

I'm using PEAP-MSCHAPv2 for machine authentication (wired dot1x). The client authenticates against AD when using the Windows native supplicant, but when I use NAM, it fails.

The client is Windows 10 version 1803, fully updated.

I have tried a Windows 7 client with the same NAM config, and that client was authenticated successfully.

Can someone help me with a solution?

I'm using FreeRADIUS, and FreeRADIUS uses NTLM for authentication.

1 Reply

Rahul Govindan
VIP Alumni

Windows 10 requires a registry fix for NAM machine auth to work.


From the AnyConnect release notes:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect46/release/notes/b_Release_Notes_AnyConnect_4_6.html#ID-1454-000002d1


For Network Access Manager, machine authentication using machine password will not work on Windows 8 or 10 / Server 2012 unless a registry fix described in Microsoft KB 2743127 is applied to the client desktop. This fix includes adding a DWORD value LsaAllowReturningUnencryptedSecrets to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa registry key and setting this value to 1. This change permits Local Security Authority (LSA) to provide clients like Cisco Network Access Manager with the Machine password. It is related to the increased default security settings in Windows 8 or 10 / Server 2012. Machine authentication using Machine certificate does not require this change and will work the same as it worked with pre-Windows 8 operating systems.
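The registry change quoted above, as an added example that is not part of the original thread or of Cisco's documentation. It is a small PowerShell script for an elevated prompt that reads the current value, sets the DWORD to 1 exactly as the release notes describe, and can revert it. The key path and value name are the ones the release notes give; the function names, the assumption that removing the value restores the Windows default, and the reboot advice are this example's own. Treat the setting as a deliberate relaxation of LSA hardening: it lets LSA hand the machine password to clients such as NAM, so apply it only on hosts that must do password-based machine authentication, and prefer machine-certificate authentication where you can, since the same notes say that path does not need the change.

```powershell
# Added example (not from the original thread or Cisco's docs): inspect, apply
# and revert the LSA registry change quoted from the AnyConnect 4.6 release notes.
# Run from an elevated PowerShell prompt on the Windows 8/10 or Server 2012 client.
# Key path and value name are as stated in the release notes; the helper names,
# the "absent == default" assumption and the reboot advice are this example's own.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LsaAllowReturningUnencryptedSecrets'

function Get-LsaUnencryptedSecretsSetting {
    # Returns the current DWORD as an int, or $null if the value has never been created.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-LsaUnencryptedSecrets {
    # Creates or overwrites the DWORD and sets it to 1, which is the fix the
    # release notes describe for NAM password-based machine authentication.
    # Caveat: this relaxes an LSA hardening introduced with Windows 8 / Server 2012
    # so that LSA will return the machine password to clients such as NAM.
    # Certificate-based machine authentication does not need it.
    if (-not (Test-Path $LsaKey)) { throw "LSA key not found: $LsaKey" }
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    return (Get-LsaUnencryptedSecretsSetting)
}

function Disable-LsaUnencryptedSecrets {
    # Reverts by deleting the value. Assumption (not stated on the page): the value
    # being absent is the Windows default, i.e. the hardened behaviour.
    Remove-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    return (Get-LsaUnencryptedSecretsSetting)
}

# Usage: show the state before and after, then remind the operator to reboot.
$before = Get-LsaUnencryptedSecretsSetting
Write-Host ("Before: {0}" -f $(if ($null -eq $before) { '<not set>' } else { $before }))
$after = Enable-LsaUnencryptedSecrets
Write-Host ("After:  {0}" -f $after)
Write-Host "Reboot the client so LSA and NAM pick up the change, then retry the wired dot1x machine authentication."
```

If you manage many clients, push the same DWORD through Group Policy Preferences (Registry item) scoped to the OU of machines that use NAM, rather than running this by hand on each desktop; either way, record the change so it can be reverted if you later move to machine-certificate authentication.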