Morning World:
TLDR:
What value is EAP chaining providing me at this point in time? Is Machine authentication & posture assessment "good enough"? Because of our environment, machine cert fallback no longer works when a PKI certificate (User CAC Card) is removed from the system. NAM bugs out with errors, and causes issues with re-authentication.
Non-TLDR:
I currently support an environment where we have deployed Cisco ISE/DNAC/SDA fabric/etc. We've run into a relatively recent issue where our systems were upgraded from Windows 11 21H2/22H2 to 24H2, and it's making me re-think how we're currently authenticating systems/users onto the network.
We run EAP-TLS/EAP-FAST machine & user authentication. Workstations are issued certs from our local CA. PKI tokens are used for user authentication. The issue that I've run into is that machine fallback no longer works when a user removes their PKI certificate from the machine, and NAM errors out with a "No Client Certificate available" message. This causes machines to sit in limbo, or to authenticate via MAB to our quarantine network, which in turn causes issues when end-users try to log back into their systems.
Machine Fallback – (User Logged in, x.509 cert removed from the system) – No longer works. We cannot figure out whether it’s a Windows 11 “Feature” that may have been implemented in one of the latest WIN11 upgrades (Credguard/Devguard?). If a user pulls their smartcard out of the system, and so the certificate is no longer available, and an 802.1x reauthentication is triggered, the workstation certificate is never presented in the authentication session. This is something that was previously working, so we are just trying to identify whether it’s a Windows issue or a new NAM bug.
I’ve tried implementing TEAP, bypassing Secure Client altogether, and the results were the same. This leads me to believe it’s a Windows “feature” regarding credential stores, or protections that Microsoft has implemented in security rollups/revision upgrades. At this point I’m just wondering what the purpose of the machine fallback is in ISE, unless in legacy implementations (PEAP/MSCHAPv2) this is still applicable.
Any thoughts/advice is always helpful.
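One way to get a handle on how often the failure mode described above actually happens (user cert session, smart card pulled, re-auth fails, machine cert never presented, endpoint lands in the MAB quarantine network) is to mine the authentication log for exactly that sequence per endpoint. The script below is an added example, not code from the poster or from Cisco; it works on a constructed, simplified log format rather than real ISE or RADIUS syntax, and it assumes that machine-certificate identities start with "host/" and that the quarantine authorization profile is named QUARANTINE. Both conventions are assumptions you would replace with your own.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines for this example; NOT real ISE/RADIUS log syntax.
# One authentication event per line:
#   <ISO8601 time> mac=<endpoint MAC> proto=<EAP-TLS|EAP-FAST|TEAP|MAB>
#   identity=<presented identity> result=<PASS|FAIL> profile=<authz profile or ->
# Endpoint ...01 shows the symptom from the post: user cert session, re-auth FAIL
# after the smart card is removed, then MAB into QUARANTINE with no machine auth.
# Endpoint ...02 shows machine fallback working. Endpoint ...03 is a MAB-only
# device (e.g. a printer) that legitimately sits in quarantine.
SAMPLE_LOGS = """\
2025-03-10T08:00:00 mac=AA:BB:CC:00:00:01 proto=EAP-TLS identity=host/WS-01.corp.example result=PASS profile=CORP_ACCESS
2025-03-10T08:05:00 mac=AA:BB:CC:00:00:01 proto=EAP-TLS identity=user01@corp.example result=PASS profile=CORP_ACCESS
2025-03-10T09:30:00 mac=AA:BB:CC:00:00:01 proto=EAP-TLS identity=user01@corp.example result=FAIL profile=-
2025-03-10T09:30:30 mac=AA:BB:CC:00:00:01 proto=MAB identity=AA:BB:CC:00:00:01 result=PASS profile=QUARANTINE
2025-03-10T08:00:00 mac=AA:BB:CC:00:00:02 proto=EAP-TLS identity=host/WS-02.corp.example result=PASS profile=CORP_ACCESS
2025-03-10T08:10:00 mac=AA:BB:CC:00:00:02 proto=EAP-TLS identity=user02@corp.example result=PASS profile=CORP_ACCESS
2025-03-10T09:40:00 mac=AA:BB:CC:00:00:02 proto=EAP-TLS identity=host/WS-02.corp.example result=PASS profile=CORP_ACCESS
2025-03-10T08:00:00 mac=AA:BB:CC:00:00:03 proto=MAB identity=AA:BB:CC:00:00:03 result=PASS profile=QUARANTINE
"""

LINE_RE = re.compile(
    r"^(\S+) mac=(\S+) proto=(\S+) identity=(\S+) result=(PASS|FAIL) profile=(\S+)$"
)


@dataclass
class AuthEvent:
    ts: datetime
    mac: str
    proto: str
    identity: str
    result: str
    profile: str


def parse_logs(text: str):
    """Parse the constructed log format into AuthEvent records; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, mac, proto, identity, result, profile = m.groups()
        events.append(AuthEvent(datetime.fromisoformat(ts), mac, proto, identity, result, profile))
    return events


def is_machine_identity(identity: str) -> bool:
    """Assumed convention: machine-certificate identities start with 'host/'."""
    return identity.startswith("host/")


def find_failed_machine_fallback(events, quarantine_profile: str = "QUARANTINE"):
    """Return one finding per endpoint whose most recent successful EAP
    authentication used a user identity and which then reached the quarantine
    profile via MAB, with no successful machine-certificate authentication in
    between. That is the 'machine fallback never happened' pattern from the post."""
    by_mac = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_mac.setdefault(ev.mac, []).append(ev)

    findings = []
    for mac, evs in by_mac.items():
        last_eap_pass = None   # most recent successful EAP (non-MAB) auth
        failures_since = 0     # EAP failures seen since that success
        for ev in evs:
            if ev.proto != "MAB" and ev.result == "PASS":
                last_eap_pass = ev
                failures_since = 0
            elif ev.proto != "MAB" and ev.result == "FAIL":
                failures_since += 1
            elif ev.proto == "MAB" and ev.result == "PASS" and ev.profile == quarantine_profile:
                # A MAB-only device never had an EAP success, so it is not flagged.
                if last_eap_pass is not None and not is_machine_identity(last_eap_pass.identity):
                    findings.append({
                        "mac": mac,
                        "last_user_identity": last_eap_pass.identity,
                        "eap_failures_before_mab": failures_since,
                        "quarantined_at": ev.ts,
                    })
    return findings


if __name__ == "__main__":
    for f in find_failed_machine_fallback(parse_logs(SAMPLE_LOGS)):
        print(f"{f['mac']}: user {f['last_user_identity']} -> quarantine at "
              f"{f['quarantined_at']:%H:%M:%S} after {f['eap_failures_before_mab']} EAP failure(s)")
```

Run against a day of exported authentication records (after adapting the regex to your log format), the count of findings tells you how many endpoints are being pushed into quarantine by the card-removal path specifically, as opposed to devices that belong there, and the per-finding timestamps give you something concrete to line up against Windows event logs or NAM diagnostics on the affected workstation.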