
Surface Pro 4 with EAP Chaining

Marvin Rhoads
Hall of Fame

I have an ISE deployment with EAP chaining using AnyConnect NAM.

It has been working fine.

..until we tried a Surface Pro 4 (basically a Windows 10 tablet).

It fails machine authentication (passes user authentication) with the result:

24344  RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,<machine name redacted>

The tablet has a recent (just minutes earlier) connection to the domain and we have verified the computer account is present and correct in AD. The domain is at the Server 2008 R2 functional level if that matters.

I contrasted a successful Windows 7 laptop scenario with EAP chaining, and they work perfectly. In that case, the comparable message is:

24343   RPC Logon request succeeded -<machine name redacted> 

Has anyone seen this?

3 Replies

I have the same problem. Have you found out what was causing this, Marvin?

pietrulewiczmarek,

I haven't had a chance to work with the customer subsequently, but one of the ISE TMEs pointed me to a possible solution here:

http://globalconfig.net/fix-eap-chaining-userpassedmachinefailed-issue-windows-8/

From that article, it appears that Windows 10 is preventing 3rd party providers (e.g., AnyConnect NAM) from getting the machine credentials in cleartext by default. Changing a registry key makes it do so.

Let me know if you get a chance to test it out. If it works, it's probably good to include it in a domain GPO - in my experience changed registry settings have a way of being reset with Windows Updates.

Hi Marvin

It's nice to hear that Windows 7 PCs work with EAP chaining. I was trying to implement the same but I'm having issues.

I'm using ISE 2.1 and AnyConnect 4.3 and trying to do EAP chaining for dot1x and posturing.

When the laptop is connected to the network for the first time, it gets authenticated and postured correctly, and if we log out and log in again, dot1x authentication fails. This authentication failure happens for some time and becomes okay after some time (1 hr or more).

I have tested even with a Windows 8 PC; in that case I had to do the registry hack for Lsa, but the same previous result was observed.

Can you please share the AnyConnect version, configuration.xml and the EAP chaining rules?

Thanks in advance.