ISE 2.6 Patch 5: Macbook wireless fail using PEAP(MSCHAPv2)

KelvinT
Level 1

ISE 2.6 patch 5

Macbook

Wireless connection:  user authc, previous machine authc

Hello,

Do we know if there is still an issue with Macbook using PEAP(MSCHAPv2)?

I have some MacBooks that successfully connect on ISE (user & machine, i.e. user authc, successful previous machine authc) using LEAP but fail using PEAP(MSCHAPv2), stating the below.

24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
24714 ISE peers have not confirmed previous successful machine authentication for user in Active Directory

Thanks
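The two failure-reason codes quoted above are what you would key on when triaging MAR failures in the ISE authentication logs. As an added example (not from this thread and not Cisco's own tooling), the script below runs over constructed, simplified log lines and reports MAR-related failures per EAP method; the key=value line format, usernames and the non-MAR placeholder code are assumptions.

```python
import re
from collections import Counter

# Failure-reason codes quoted in the thread. Both mean ISE could not confirm a
# prior successful machine authentication for the user (a MAR cache miss).
MAR_FAILURE_CODES = {
    24714: "ISE peers have not confirmed previous successful machine authentication",
    24715: "ISE has not confirmed locally previous successful machine authentication",
}

# Constructed, simplified sample lines (assumed format, not real ISE output):
# one failed or successful authentication per line, failure=none on success,
# 99999 is a constructed placeholder for some unrelated failure reason.
SAMPLE_LOG = """\
2020-05-01T08:00:01 user=alice protocol=PEAP(MSCHAPv2) failure=24715
2020-05-01T08:00:09 user=bob protocol=PEAP(MSCHAPv2) failure=24714
2020-05-01T08:01:15 user=carol protocol=LEAP failure=none
2020-05-01T08:02:30 user=dave protocol=PEAP(MSCHAPv2) failure=99999
"""

LINE_RE = re.compile(
    r"user=(?P<user>\S+)\s+protocol=(?P<proto>\S+)\s+failure=(?P<code>\S+)"
)


def parse(log_text):
    """Yield (user, protocol, failure_code) tuples; failure_code is None on success."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        code = None if m["code"] == "none" else int(m["code"])
        yield m["user"], m["proto"], code


def mar_failures_by_protocol(log_text):
    """Count MAR lookup failures keyed by EAP method, e.g. {'PEAP(MSCHAPv2)': 2}."""
    counts = Counter()
    for _, proto, code in parse(log_text):
        if code in MAR_FAILURE_CODES:
            counts[proto] += 1
    return dict(counts)


def users_blocked_by_mar(log_text):
    """Sorted list of users whose authentication failed on a MAR code."""
    return sorted({u for u, _, c in parse(log_text) if c in MAR_FAILURE_CODES})


if __name__ == "__main__":
    print(mar_failures_by_protocol(SAMPLE_LOG))
    print(users_blocked_by_mar(SAMPLE_LOG))
```

If every MAR failure lands on one EAP method while the other method succeeds for the same endpoints, the mismatch is in how the supplicant presents machine versus user identity rather than in the AD lookup itself.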

2 Replies

Greg Gibbs
Cisco Employee

Mac OSX does not really have the same separate Computer/User states as Windows. They also do not have the native ability to join an AD domain, so I'm not sure how you have machine auth happening against any MacBooks.

Where I've seen customers using PEAP-MSCHAPv2 with MacBooks, they considered them single-user devices, used JAMF Pro to enrol and configure the Network Profile with the user credentials, and only authenticated against the user credentials.

From the logs you provided, I would also infer you are trying to use MAR (WasMachineAuthenticated = True)? If that's the case, I would strongly recommend against using MAR as it has known user experience issues with Windows PCs. I don't know that MAR has ever even been tested with OSX as it does not have a clear separation of Computer/User states.

Machine Access Restriction Pros and Cons 

Hi Greg,

Thanks for your response.

We are receiving a user and machine authc from the MacBooks configured with LEAP but not from the MacBooks configured with PEAP(MSCHAPv2). Doing some searching, I see old conversations about ISE/MacBook/PEAP(MSCHAPv2) issues, which is why I asked.

I'm not an Apple/MacBook tech, so my knowledge is very limited. I can say I actually see similar behavior to EAP-FAST in the ISE logs. The user and machine are sent in the same log, and MAR is used for those MacBooks configured with LEAP.

Side note: I am aware of the limitations with MAR. Someone gave me a very good workaround: Switch User causes the machine to re-authc every time. So every time Switch User is selected, I see machine authc on ISE. The user can log back in and get connected. So just selecting Switch User (no additional login is required) and then having the same user log back in is the best workaround.

Thanks again, Greg