So the computer account authenticates, and after that the user's auth does. It works fine until I enable the option: Validate server certificate. We have bought a public certificate from Thawte for the EAP; the Thawte root is distributed via GPO, so users trust it.
After the Windows OS is booted I have seen this on the switch:
sh authentication sessions interface gi1/0/19 details
Interface: GigabitEthernet1/0/19
MAC Address: xxxx
IPv6 Address: Unknown
IPv4 Address: 10.x.x.x
User-Name: host/notebook.domain.local
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: 10s (local), Remaining: 9s
Session Uptime: 170s
Common Session ID: 0A6401090000002303AF7A9D
Acct Session ID: 0x0000001F
Handle: 0x3900000F
Current Policy: POLICY_Gi1/0/19

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
Method State
So machine auth is stuck. I noticed that if I now log in to Windows and just log out, machine auth proceeds correctly, and then so does user auth.
I couldn't figure out where the bug or misconfiguration is: Windows, ISE, or dot1x on the switch.
Switch 2960S, IOS 15.2.2, the newest; tried another one, no luck. Debug shows:
%DOT1X-5-FAIL: Authentication failed for client (MAC) on Interface Gi1/0/19 AuditSessionID 0A6401090000001C03831815
%RADIUS-4-RADIUS_DEAD: RADIUS server 10.x,x,x:1812,1813 is not responding.
%RADIUS-4-RADIUS_ALIVE: RADIUS server 10.x,x,x::1812,1813 is being marked alive.
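As an added example (not code from the post, Cisco or Microsoft), here is a small Python triage script that parses a flattened "show authentication sessions ... details" dump plus the switch syslog lines quoted above, and flags a machine (host/) session that is still Unauthorized after more than one restart cycle, together with any RADIUS_DEAD event, so the two symptoms can be correlated across many ports instead of read by eye. The field-label list is taken from the output in the post; the sample input is that same output re-pasted as one line, and the facility/mnemonic split of the syslog lines is my assumption about the IOS message format.

```python
import re
from typing import Dict, List, Optional

# Field labels, in the order Cisco IOS prints them for
# 'show authentication sessions interface <if> details' (taken from the post).
LABELS = [
    "Interface", "MAC Address", "IPv6 Address", "IPv4 Address", "User-Name",
    "Status", "Domain", "Oper host mode", "Oper control dir", "Session timeout",
    "Restart timeout", "Session Uptime", "Common Session ID", "Acct Session ID",
    "Handle", "Current Policy",
]
LABEL_RE = re.compile(r"(?P<label>" + "|".join(re.escape(x) for x in LABELS) + r"):\s*")

# Assumed IOS syslog shape: %FACILITY-SEVERITY-MNEMONIC: free text
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)

# Constructed sample input: the session dump and syslog lines from the post,
# pasted in as a single flattened line the way the forum rendered them.
SAMPLE_SESSION = (
    "sh authentication sessions interface gi1/0/19 details Interface: GigabitEthernet1/0/19 "
    "MAC Address: xxxx IPv6 Address: Unknown IPv4 Address: 10.x.x.x "
    "User-Name: host/notebook.domain.local Status: Unauthorized Domain: DATA "
    "Oper host mode: multi-auth Oper control dir: both Session timeout: N/A "
    "Restart timeout: 10s (local), Remaining: 9s Session Uptime: 170s "
    "Common Session ID: 0A6401090000002303AF7A9D Acct Session ID: 0x0000001F "
    "Handle: 0x3900000F Current Policy: POLICY_Gi1/0/19"
)
SAMPLE_SYSLOG = [
    "%DOT1X-5-FAIL: Authentication failed for client (MAC) on Interface Gi1/0/19 "
    "AuditSessionID 0A6401090000001C03831815",
    "%RADIUS-4-RADIUS_DEAD: RADIUS server 10.x,x,x:1812,1813 is not responding.",
    "%RADIUS-4-RADIUS_ALIVE: RADIUS server 10.x,x,x::1812,1813 is being marked alive.",
]


def parse_session(text: str) -> Dict[str, str]:
    """Split a (possibly flattened) session dump into label -> value.

    Each value runs from the end of its label to the start of the next one,
    so multi-word values such as '10s (local), Remaining: 9s' survive intact.
    """
    hits = list(LABEL_RE.finditer(text))
    fields: Dict[str, str] = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        fields[m.group("label")] = text[m.end():end].strip()
    return fields


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Return facility/severity/mnemonic/text for one syslog line, or None."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    d: Dict[str, object] = dict(m.groupdict())
    d["severity"] = int(str(d["severity"]))
    return d


def seconds(value: str) -> Optional[int]:
    """Leading '<n>s' of a timer field, e.g. '170s' or '10s (local), ...'."""
    m = re.match(r"(\d+)s", value or "")
    return int(m.group(1)) if m else None


def triage(session_text: str, syslog_lines: List[str]) -> Dict[str, object]:
    """Flag a machine-auth session that stays Unauthorized past its restart timer."""
    s = parse_session(session_text)
    events = [e for e in (parse_syslog(line) for line in syslog_lines) if e]
    uptime = seconds(s.get("Session Uptime", "")) or 0
    restart = seconds(s.get("Restart timeout", "")) or 0
    unauthorized = s.get("Status") == "Unauthorized"
    machine_auth = s.get("User-Name", "").startswith("host/")
    # Past at least one restart cycle and still not authorized: the port is
    # retrying the supplicant, it is not merely slow.
    stuck = unauthorized and uptime > restart
    radius_dead = any(e["mnemonic"] == "RADIUS_DEAD" for e in events)
    notes: List[str] = []
    if stuck and machine_auth:
        notes.append("host/ (machine) session stayed Unauthorized beyond the restart "
                     "timeout; the supplicant is not completing EAP")
    if radius_dead:
        notes.append("switch marked the RADIUS server dead; confirm ISE reachability "
                     "and RADIUS timeouts before blaming the supplicant")
    return {
        "interface": s.get("Interface"),
        "machine_auth": machine_auth,
        "unauthorized": unauthorized,
        "stuck": stuck,
        "dot1x_failures": sum(1 for e in events
                              if e["facility"] == "DOT1X" and e["mnemonic"] == "FAIL"),
        "radius_dead": radius_dead,
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SESSION, SAMPLE_SYSLOG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the verdict for the pasted session; to use it on a real switch, feed the output of the show command for each port and the relevant slice of the syslog buffer into triage(), and treat a port where both "stuck" and "radius_dead" are set as a server-side or network symptom to rule out before touching the supplicant's certificate settings.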
Yep. I think the same way about the issue with the native supplicant. Yes, I've already tried to disable the GPO and manually configure a test PC, no luck. It just gets stuck on dot1x auth, along with the error on the switch about an unreachable switch.
Some manuals that I've found on the Internet say that it needs cert checks disabled. It's weird. That makes me think that I have no problem with AnyConnect. Unfortunately, in our enterprise deployment installing AnyConnect on all user PCs is not an option. So I have to use the native Windows supplicant.