
Cisco ISE prepend host/ to hostname

cghaderpour
Level 1

I'm deploying Cisco ISE with Meraki to authenticate computers on Wi-Fi using EAP-TLS with a machine certificate.

When users click on the SSID, it completes the authentication and joins the network properly. If Windows computers try connecting automatically, I see ISE shows the hostname has host/ prepended to it. I have adjusted the advanced setting on ISE to rewrite host/[hostname].[domain] to [hostname].[domain], but this does not seem to fix the problem for me.

Also, this is the error, and after this the client will fail to connect automatically, so users must click on the SSID to join:

Event: 5440 Endpoint abandoned EAP session and started new
Failure Reason: 5440 Endpoint abandoned EAP session and started new
Resolution: Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause: Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.

 

1 Accepted Solution

If the user is prompted when trying to connect, it usually means that the supplicant is not configured to trust the Root CA certificate that signed the ISE EAP certificate.

You should confirm your supplicant settings to ensure you have ticked the proper Root CA certificate as per this example:

Screenshot 2024-12-09 at 12.27.28 pm.png

5 Replies

The "host/" is what differentiates a machine auth from a user auth. It has to be there and there is nothing that has to be manipulated. The error suggests that you are not using certificates but still have Credential Guard enabled. The short-term solution is to disable Credential Guard, which can be done with GPOs. The long-term solution is to deploy certificates.

cghaderpour
Level 1

I have disabled Credential Guard on a few test machines and that didn't help. We are using a machine certificate for authentication. We have a profile deployed to computers so that they automatically connect when they are turned on, but they never complete the authentication by themselves without user interaction. As soon as users click on the SSID and confirm the connection, the process takes place. This is an example of a successful authentication when a user clicks to connect to the SSID:

24319 Single matching account found in forest - xxxx.local 0
24323 Identity resolution detected single matching account 1
24700 Identity resolution by certificate succeeded - copany-AD 0
22037 Authentication Passed 0
12506 EAP-TLS authentication succeeded 0
61026 Shutdown secure connection with TLS peer 0
15036 Evaluating Authorization Policy 0
24209 Looking up Endpoint in Internal Endpoints IDStore - company-machine@domain.local 1
24211 Found Endpoint in Internal Endpoints IDStore 37
15048 Queried PIP - Radius.User-Name 1
24433 Looking up machine in Active Directory - company-machine@domain.local
24355 LDAP fetch succeeded
24435 Machine Groups retrieval from Active Directory succeeded
15048 Queried PIP - compay-AD.ExternalGroups 3
15016 Selected Authorization Profile - PermitAccess 0
22081 Max sessions policy passed 0
22080 New accounting session created in Session cache 0
11503 Prepared EAP-Success 1
11002 Returned RADIUS Access-Accept

JPavonM
VIP

The problem could be in the authorization policy, as authentication is successful. Do you have the Domain Computers group under any of the authorization policies?

Yes, I have set up an authorization policy to check against the existence of the identity in an external identity source, which is my AD in this case.