2084 Views | 10 Helpful | 1 Replies

Machine 802.1X Fails on ISE but the AD said it authenticated successfully

bob.bartlett
Level 1

I am running ISE 2.6 and I am doing PEAP outside with MSCHAPv2 inside for machine authentication. I have AnyConnect 4.8 on the machine that is trying to authenticate. I get a message on ISE that says authentication failed due to incorrect password, but when I look at the Security logs on the Domain Controller we are authenticating against, it says the authentication was successful. Any thoughts...

1 Accepted Solution

Greg Gibbs
Cisco Employee

Hi Bob,

Have you modified the registry for the LSA workaround as per the AnyConnect Release Notes?

"For Network Access Manager, machine authentication using machine password will not work on Windows 8 or 10 / Server 2012 unless a registry fix described in Microsoft KB 2743127 is applied to the client desktop. This fix includes adding a DWORD value LsaAllowReturningUnencryptedSecrets to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa registry key and setting this value to 1. This change permits Local Security Authority (LSA) to provide clients like Cisco Network Access Manager with the Machine password. It is related to the increased default security settings in Windows 8 or 10 / Server 2012. Machine authentication using Machine certificate does not require this change and will work the same as it worked with pre-Windows 8 operating systems."

Cheers,

Greg
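An added example, not part of the thread or of Cisco's release notes: a PowerShell audit script that reports whether the registry value Greg quotes (`LsaAllowReturningUnencryptedSecrets` under `HKLM\System\CurrentControlSet\Control\Lsa`) is set to 1 on the client, and a separate function to apply it. Because the value relaxes an LSA default, the script only reports by default and leaves the write as an explicit step; the NT 6.2 version check (Windows 8 / Server 2012 and later) is my assumption derived from the note's list of affected operating systems.

```powershell
# Added example (not from the thread): audit, and optionally apply, the LSA registry
# value named in the AnyConnect release notes quoted above. Run in an elevated
# PowerShell session on the client machine that is failing machine authentication.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LsaAllowReturningUnencryptedSecrets'

function Test-LsaMachinePasswordWorkaround {
    # Returns an object describing the current state of the workaround.
    # Compliant is $true only when the DWORD exists and equals 1.
    $current = (Get-ItemProperty -Path $LsaKey -Name $ValueName `
                -ErrorAction SilentlyContinue).$ValueName
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        OSVersion    = $os.Version
        # Assumption: the notes list Windows 8 / 10 / Server 2012, i.e. NT 6.2 and later.
        FixRequired  = ([version]$os.Version -ge [version]'6.2')
        CurrentValue = $current
        Compliant    = ($current -eq 1)
    }
}

function Set-LsaMachinePasswordWorkaround {
    # Creates or updates the DWORD value to 1 exactly as the release notes describe.
    if (-not (Test-Path $LsaKey)) { throw "LSA key not found: $LsaKey" }
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord `
                     -Value 1 -Force | Out-Null
    Test-LsaMachinePasswordWorkaround
}

$state = Test-LsaMachinePasswordWorkaround
$state | Format-List
if ($state.FixRequired -and -not $state.Compliant) {
    Write-Warning "$ValueName is '$($state.CurrentValue)'; NAM machine-password auth will fail until it is 1."
    # Apply deliberately, after confirming the client uses machine password (not machine certificate):
    # Set-LsaMachinePasswordWorkaround
}
```

The machine-certificate path Greg mentions does not need this value, so a client using certificates that reports Compliant = False is not misconfigured by this check alone.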
