Solved: Machine Authentication

Wasif.B · ‎10-15-2019

Hello everyone,

I am learning ISE, installed v2.4 VM, configured EAP-FAST, user is authenticating but the machine is not, wondering if anyone can help.

Authentication Details

Source Timestamp	2019-10-15 06:47:20.505
Received Timestamp	2019-10-15 06:47:20.506
Policy Server	ISE1
Event	5200 Authentication succeeded
Username	wasif,host/Test-Laptop
Endpoint Id	00:0C:29:F3:22:33
Calling Station Id	00-0C-29-F3-22-33
Endpoint Profile	Microsoft-Workstation
IPv4 Address	10.0.10.152
Authentication Identity Store	homelab-AD
Identity Group	Workstation
Audit Session Id	0A0063010000002601440902
Authentication Method	dot1x
Authentication Protocol	EAP-FAST (EAP-MSCHAPv2)
Service Type	Framed
Network Device	3560-G
Device Type	All Device Types#Wired
Location	All Locations#Chicago
NAS IPv4 Address	10.0.100.1
NAS Port Id	GigabitEthernet0/1
NAS Port Type	Ethernet
Authorization Profile	homelab-Limited
Posture Status	Compliant
Response Time	5 millisecon

Other Attributes

ConfigVersionId	79
DestinationPort	1812
Protocol	Radius
NAS-Port	50001
Framed-MTU	1500
State	37CPMSessionID=0A0063010000002601440902;28SessionID=ISE1/360474437/311;
NetworkDeviceProfileId	403ea8fc-7a27-41c3-80bb-27964031a08d
IsThirdPartyDeviceFlow	false
AcsSessionID	ISE1/360474437/311
UseCase	Eap Chaining
NACRadiusUserName	wasif
SelectedAuthenticationIdentityStores	homelab-AD
SelectedAuthenticationIdentityStores	Internal Endpoints
SelectedAuthenticationIdentityStores	Internal Users
SelectedAuthenticationIdentityStores	Guest Users
AuthenticationStatus	AuthenticationFailed
IdentityPolicyMatchedRule	homelab 802.1x
AuthorizationPolicyMatchedRule	CHAINING USER ONLY
CPMSessionID	0A0063010000002601440902
EndPointMACAddress	00-0C-29-F3-22-33
EapChainingResult	User succeeded and machine failed
ISEPolicySetName	Wired
IdentitySelectionMatchedRule	homelab 802.1x
AD-User-Resolved-Identities	wasif@homelab.local
AD-User-Candidate-Identities	TEST-LAPTOP$@homelab.local
AD-User-Join-Point	HOMELAB.LOCAL
AD-User-Resolved-DNs	CN=wasif,DC=homelab,DC=local
AD-Groups-Names	homelab.local/Employee
AD-Groups-Names	homelab.local/Users/Domain Users
IsMachineIdentity	false
UserAccountControl	4096
TLSCipher	ECDHE-RSA-AES256-GCM-SHA384
TLSVersion	TLSv1.2
DTLSSupport	Unknown
HostIdentityGroup	Endpoint Identity Groups:Profiled:Workstation
Network Device Profile	Cisco
Location	Location#All Locations#Chicago
Device Type	Device Type#All Device Types#Wired
ExternalGroups	S-1-5-21-630241409-3634873573-2845902898-1106
ExternalGroups	S-1-5-21-630241409-3634873573-2845902898-513
IdentityAccessRestricted	false
RADIUS Username	anonymous
Device IP Address	10.0.100.1
Called-Station-ID	00:13:C4:3C:D1:01
CiscoAVPair	service-type=Framed, audit-session-id=0A0063010000002601440902

Please if anyone can help me...giant thank you.

-Wasif.

#Mat · ‎10-15-2019

Hi WSB! Do you check your XML file? How should your machine be authenticated?

Regards!

.

View solution in original post

#Mat · ‎10-15-2019

Hi WSB! Do you check your XML file? How should your machine be authenticated?

Regards!

.

Wasif.B · ‎10-16-2019

Thank you Mat, I have resolved the issue. Thank you for your reply.

Panos Bouras · ‎10-16-2019

Hi,
Can you post the complete authentication results including the steps from the right column?
Did Anyconnect prompted you for a password during connection?
Also if your PC is Windows 10, did your perform the required registry settings for machine password, as per https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw01496/?referring_site=bugquickviewredir ?
Registry changes:
Navigate in Regedit to HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsa.
Add a new DWORD(32-bit) Value.
Type LsaAllowReturningUnencryptedSecrets, and then press Enter.
Right-click LsaAllowReturningUnencryptedSecrets, click Modify….
Type 1 in the Value data box, and then click OK.

Thank you,Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

Wasif.B · ‎10-16-2019

Thank you Panos it's all sorted.

Machine Authentication

Authentication Details

Other Attributes

Tips to make Machine Authentication Work - PEAP Authentication

AnyConnect and machine certificate authentication

ISE Machine Authentication

machine authentication

Configure Machine Two Factor Authentication for Supplicant Access