ISE 2.6 EAP-FAST failure - User success and machine failed - AnyConnect 4.5

raulantoniorz91 (Level 1)

Hi,

 

We are migrating configuration from ISE 1.4 to ISE 2.6. To authenticate, PCs use AD credentials as user and machine via EAP-FAST, but we found that it is failing. I see the user succeeds and the machine fails against AD. I checked the configuration in ISEv1.4 and it is the same as in ISEv2.6. We are using a PC with AnyConnect v4.5 to test and it can authenticate without any problem in ISEv1.4.

 

In the logs I see this issue; I also attached a txt file with the logs from this authentication test:

24344RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,PR-RCUEVASIL$@

 

This is the current configuration in ISEv2.6, the same as in ISEv1.4:

 

[Attached screenshots: Captura de pantalla (1046).png, Captura de pantalla (1050).png, InkedCaptura de pantalla (1047)_LI.jpg, InkedCaptura de pantalla (1048)_LI.jpg]

 

 

Thank you for your help.

9 Replies

Colby LeMaire (VIP Alumni)

At first glance, it seems as though the computer account password is incorrect which would mean that either the computer is not joined to the domain or would need to be removed and rejoined.  That is what the RPC Logon Failed message means.  But you say it works just fine on the other ISE instance.  Are both ISE instances joined to the same AD domain?  If the machine fails on the new ISE and you move it to the old ISE, does it work?  If that is the case, then the AD machine account isn't the problem.

Can you send a screenshot of your Radius Live Logs screen filtered on the Endpoint ID (Mac Address) of the machine you are testing?  And also send a screenshot of the details of the Live Log entries showing the failures.  Send the entire details page so we can see all of the attributes of the session.  Also, send screenshots of how you have the Anyconnect NAM profile configured specifically for the machine authentication section.

Hi,

 

Here are screenshots from the log page for this test user. This is using AnyConnect 4.5 and has the configuration to authenticate with the credentials stored for AD, but when connected NAM requires additional credentials.

 

[Attached screenshots: Captura de pantalla (1052).png, Captura de pantalla (1054)_LI.jpg, Captura de pantalla (1055)_LI.jpg, Captura de pantalla (1056)_LI.jpg, Captura de pantalla (1057)_LI.jpg, Captura de pantalla (1058)_LI.jpg, Captura de pantalla (1060)_LI.jpg]

 

Also, these are the errors that the live logs show:

[Attached screenshot: Captura de pantalla (1060).png]

Remove the computer from the domain and rejoin it.  Then test again and see if it still complains about the password for the machine account.

And is that why NAM requires a login? Users are only supposed to connect the PC wired or wireless and get authenticated automatically, but instead NAM shows a login window.

When the supplicant attempts authentication using one form of credentials/certificate and that fails, then the supplicant will prompt for other credentials or certificate.  So yes, when the initial credentials fail, NAM prompts for other credentials.

jordanburnett (Level 4)

Are you using machine certificates or machine credentials for machine authentication? If you're using Machine Credentials for your NAM profile then you won't be able to use the native machine credentials by default, only machine certificates. 

 

Can you show us what settings you have in your NAM XML profile under the <machine> section? 


If it shows <authenticateWithPassword> you're using credentials; if it shows <authenticateWithCertificate> then you're using certificates.

 

With Windows 8/10 AnyConnect is no longer able to utilize the machine credentials for authentication. Microsoft made a change that limits what third parties (i.e. AnyConnect) can access; one of the things they have limited is access to the decrypted machine credentials.

 

To utilize machine credentials, you have to make a change to the registry. See these articles for details:

 

https://social.technet.microsoft.com/Forums/ie/en-US/31825350-d3bf-4366-a4f5-acdca2f3cb81/allow-lsa-to-send-unencrypted-secrets-to-make-cisco-anyconnect-work?forum=win10itprosecurity

 

https://community.cisco.com/t5/vpn-and-anyconnect/windows-10-machine-authentication-with-anyconnect-nam/td-p/3462166

 

OR, if you have certificates on your machine, you can utilize Machine Certificates instead of Machine Credentials. 
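The two checks described in the post above (which method the NAM profile's <machine> section uses, and whether the Windows registry change that lets NAM obtain the machine password is in place) can be scripted on the affected PC. The following PowerShell is an added example written for this page; it is not Cisco's tooling and not code from the thread. Assumptions: the default NAM profile path is my recollection of the AnyConnect install layout, the element names come from the post above, and the registry value name `LsaAllowReturningUnencryptedSecrets` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` is my recollection of what the two linked articles describe and must be verified against them before use. The trailing `$` in the ISE failure (`PR-RCUEVASIL$@`) is what identifies the failing principal as the computer account rather than the user.

```powershell
# Added example, not from the thread: audit a NAM profile and the LSA registry value
# that Windows 8/10 requires before NAM can use the machine account password.
# ASSUMED: profile path, and the registry value name (verify against the linked articles).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ProfilePath = "$env:ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\configuration.xml",
    [switch]$Fix   # only set the registry value when explicitly asked
)

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LsaValue = 'LsaAllowReturningUnencryptedSecrets'   # assumed name, see lead-in

function Get-NamMachineAuthMethod {
    # Returns 'password', 'certificate', 'unknown', 'no-machine-section' or 'profile-not-found'
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'profile-not-found' }
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    # Search at any depth so this works regardless of how the profile nests <machine>.
    $machineNodes = $doc.SelectNodes('//*[local-name()="machine"]')
    if ($machineNodes.Count -eq 0) { return 'no-machine-section' }
    foreach ($m in $machineNodes) {
        if ($m.SelectSingleNode('.//*[local-name()="authenticateWithPassword"]'))    { return 'password' }
        if ($m.SelectSingleNode('.//*[local-name()="authenticateWithCertificate"]')) { return 'certificate' }
    }
    return 'unknown'
}

function Get-LsaUnencryptedSecretsState {
    # Returns 'absent', 'enabled' (DWORD 1) or 'disabled' (present but not 1)
    $item = Get-ItemProperty -Path $LsaKey -Name $LsaValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'absent' }
    if ($item.$LsaValue -eq 1) { return 'enabled' }
    return 'disabled'
}

$method = Get-NamMachineAuthMethod -Path $ProfilePath
$lsa    = Get-LsaUnencryptedSecretsState
$osVer  = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version   # 6.2 = Windows 8

Write-Host "NAM machine auth method : $method"
Write-Host "LSA unencrypted secrets : $lsa"
Write-Host "Windows version         : $osVer"

if ($method -eq 'password' -and $osVer -ge [version]'6.2' -and $lsa -ne 'enabled') {
    Write-Warning "Profile uses machine-password auth on Windows 8+ but LSA will not release the machine secret."
    Write-Warning "Expect ISE to log STATUS_WRONG_PASSWORD for <HOSTNAME>`$ while the user auth still succeeds."
    Write-Warning "Preferred fix: switch the <machine> section to <authenticateWithCertificate> with a deployed machine certificate."
    if ($Fix -and $PSCmdlet.ShouldProcess("$LsaKey\$LsaValue", 'Set DWORD to 1')) {
        # Caveat: this weakens LSA hardening. Any sufficiently privileged local process can then
        # read the machine account secret, so use it only where machine certificates are not an option.
        New-ItemProperty -Path $LsaKey -Name $LsaValue -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "Set $LsaValue=1; reboot and retest machine authentication."
    }
}
```

Run it once without `-Fix` from an elevated prompt to see why machine auth fails on a given PC; `-Fix -WhatIf` shows the registry write without performing it. The script deliberately prefers pointing at the certificate option, because the registry change trades a Windows protection of the machine account secret for compatibility with a third-party supplicant.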

I think the problem is the registry; we tried with a machine with the registry modified to allow unencrypted secrets and it works. But the other machine is not modified.

Yep, if it's a newer Windows machine then it will require the registry modification if you want to use the machine credentials. However, you can use machine certificates if they're already deployed in your environment (that is what I did on a recent deployment). 

Now both machines work in wired 802.1X authentication. I see the same problem is present in the wireless network; it shows the same behavior, requires the user to log in, and it looks like NAM doesn't use the machine for both user and machine authentication. This time both machines have the registry modified. This end customer is using the same WLC for ISEv2.4 and ISEv2.6. I checked the model and OS are compatible: WLC 5508 with 8.3.131.

 

The wireless configuration is the following:

 

[Attached screenshots: Captura de pantalla (1062).png, Captura de pantalla (1069).png, Captura de pantalla (1068).png, Captura de pantalla (1067).png, Captura de pantalla (1066).png, Captura de pantalla (1065).png, Captura de pantalla (1064).png, Captura de pantalla (1063).png]