01-27-2020 02:11 PM
I am running ISE 2.6 and I am doing PEAP outside with MSCHAPV2 inside for machine authentication. I have AnyConnect 4.8 on the machine that is trying to authenticate. I get a message on ISE that says authentication failed due to incorrect password, but when I look at the Security logs on the Domain Controller we are authenticating against, it says the authentication was successful. Any thoughts...
01-27-2020 02:34 PM
Hi Bob,
Have you modified the registry for the LSA workaround as per the AnyConnect Release Notes?
"For Network Access Manager, machine authentication using machine password will not work on Windows 8 or 10 / Server 2012 unless a registry fix described in Microsoft KB 2743127 is applied to the client desktop. This fix includes adding a DWORD value LsaAllowReturningUnencryptedSecrets to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa registry key and setting this value to 1. This change permits Local Security Authority (LSA) to provide clients like Cisco Network Access Manager with the Machine password. It is related to the increased default security settings in Windows 8 or 10 / Server 2012. Machine authentication using Machine certificate does not require this change and will work the same as it worked with pre-Windows 8 operating systems."
Cheers,
Greg
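A way to check whether the registry fix quoted in the reply above is in place on a client, as an added example that is not part of the original reply or of Cisco's or Microsoft's documentation. The key path and value name are the ones in the quoted release note; the function name and the `-Apply` switch are hypothetical.

```powershell
# Added example. Key path and value name come from the release note quoted
# above; the function name and the -Apply switch are hypothetical.
function Test-NamLsaMachinePasswordFix {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Apply)

    $path = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    $name = 'LsaAllowReturningUnencryptedSecrets'

    # Read the value and its registry type without modifying anything.
    function Get-State {
        $regKey = Get-Item -Path $path
        $value  = $regKey.GetValue($name, $null)
        $kind   = if ($null -ne $value) { $regKey.GetValueKind($name) } else { $null }
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Present    = ($null -ne $value)
            Kind       = $kind
            Value      = $value
            # In place only when it is a DWORD set to 1, as the note specifies.
            FixInPlace = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($value -eq 1)
        }
    }

    $state = Get-State
    if ($Apply -and -not $state.FixInPlace) {
        if ($PSCmdlet.ShouldProcess("$path\$name", 'Set DWORD to 1')) {
            # -Force replaces an existing value of the wrong type or data.
            New-ItemProperty -Path $path -Name $name -PropertyType DWord `
                -Value 1 -Force -ErrorAction Stop | Out-Null
            $state = Get-State
        }
    }
    $state
}

# Report only (no change is made):
Test-NamLsaMachinePasswordFix

# Apply from an elevated session; preview the change first with -WhatIf:
# Test-NamLsaMachinePasswordFix -Apply -WhatIf
```

Per the quoted release note, machine authentication using a machine certificate does not require this change, so `-Apply` is only relevant on clients that authenticate with the machine password.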