cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4698
Views
0
Helpful
12
Replies

EAP Chaining not working with Cisco NAM, ISE 2.0 and Windows 10

abukuru95
Level 3
Level 3

Hello,

I have Windows 10 machines and i am trying to deploy Wired 802.1X for both machine and user authentication as clearly explained on the below link

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

I also have Cisco NAM supplicant 4.3 installed on end user devices and i am using EAP-FAST for authentication of users.

The problem is that it is kind of a hit and miss at the moment, It works sometimes, sometimes not. Surprisingly, I am prompted to re-enter credentials on the Cisco NAM client and i am still not able to authenticate using the right user credentials. I notice on the Cisco ISE radius logs that sometimes the windows machine sends the wrong username to ISE which results in authentication failure. The machine mac address is sent or anonymous as a username.

Does anyone have a solution on better way to deploy Wired 802.1X for Windows 10 using Cisco NAM and ISE 2.0? The most surprising is it does work sometimes and sometimes not. I also tried using Windows native supplicant and still not successful.

I did run a few Wireshark traces on the test machine while authenticating and it looks like the PC is submitting the right username, but to my surprise the ISE logs show a failed authentication message for the username anonymous.

I tried fine tuning the xml configuration file for NAM thinking it would be a problem, but no luck with that.

Any help or guidance or is very much appreciated !

For Wireless 802.1X using ISE 2.0 as a radius server and the NAM supplicant on Windows 10, all works with no issues 

Thanks in advance for any help on this !

12 Replies 12

abukuru95
Level 3
Level 3

The below has worked for me.

https://support.microsoft.com/en-us/kb/2743127

the link you provided applies to windows 8 not windows 10.

Hi Ryan,

It applies to windows 8 but also works for windows 10. The odd thing is that i also had it working well for wireless, but not wired.

I upgraded to the latest Anyconnect client version, applied the fix and it has since been working for me.

What error message do you see on your ISE/ACS logs for these failed connections? Does the Anyconnect client keep prompting to you to enter login credentials each time.

please rate if this helps!

ISE fails because it is getting the mac address rather than the user ID. we are on 4.3.03086 and are still having the issue how did you fix it? 

Have you tried the suggested registry fix below? This works for me on windows 10 machines. 

https://support.microsoft.com/en-us/kb/2743127

yep just tried.  No change, still not working correctly. I'm going to open a tac case. 

Hi

I have same issue.I'm runing ISE2.1 with AnyConnect 4.3 NAM and posture module.

I have done the Lsa registry hack for windows 8.

Issue is first time when we connect Laptop to Switch(Wired) it get authenticated and get postured.But if logoff an login it get  authentication failed.Once this authentication fails happens it will not get authenticated for sometime(1hr). Then it automatically get authenticated.In unsuccessful scenario AnyConnect keep prompting credentials.Switch shows dot1x failed syslog massage.But ther is no log in ISE live log.

Some times it show anonymous identity log.

Hi Ryan

Can you share configuration.xml and the port configuration.

Thanks

the microsoft link is no longer valid, seeing this as well on windows 10

myachi991
Level 1
Level 1

Could you give us the RADIUS Livelog, NAM Profile, and Windows NIC 802.1X configuration for the failed authentication?

Ryan McDonald
Level 4
Level 4

We are running into the exact same issue. Strange thing is wireless works without a problem. it is only affecting wired 802.1x. 

Hi I have the same issue sometimes getting on wireless and sometimes on wired 

 

Does anybody have a fix .. I have machine certificate based authentication + User authentication  with EAP FAST 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: