I have Cisco ISE setup to use radius via our cisco switches and 802.1X configured on the user's machine. Everything seems to work fine, but when I login with our LAPS user account, LAPSUser (For this example), it won't properly apply the policy set because radius didn't authenticate. If I create an internal user with the same username and password it works, but I would rather not use that as a work around and am wondering if there is a way to do it without using certificates. I know I can setup MAB rules as well but I would rather not set that up for Workstations as well as that is quite tedious.
Example
For the authentication policy I have everything set to default and to just use "Continue" under options and won't work because authentication failed. I then tried to create a policy set if the username is LAPSUser and set everything to "Continue" and the failure reason is "Wrong Password".
Logs
| Authentication Method | dot1x |
| Authentication Protocol | PEAP (EAP-MSCHAPv2) |
| Service Type | Framed |
| Event | 5400 Authentication failed |
| Failure Reason | 22063 Wrong password |
| Resolution | Check the user credentials. Also check whether the password is wrong. |
| Root cause | Wrong password |
| 24210 | Looking up User in Internal Users IDStore - LAPSUser | 0 |
| | 24212 | Found User in Internal Users IDStore | 2 |
| | 22063 | Wrong password | 1 |
| | 22057 | The advanced option that is configured for a failed authentication request is used | 0 |
| | 22060 | The 'Continue' advanced option is configured in case of a failed authentication request | 0 |
| | 11823 | EAP-MSCHAP authentication attempt failed | 0 |
| | 12305 | Prepared EAP-Request with another PEAP challenge | 0 |
| | 11006 | Returned RADIUS Access-Challenge | 0 |
| | 11001 | Received RADIUS Access-Request | 5 |
| | 11018 | RADIUS is re-using an existing session | 0 |
| | 12304 | Extracted EAP-Response containing PEAP challenge-response | 0 |
| | 11810 | Extracted EAP-Response for inner method containing MSCHAP challenge-response | 0 |
