Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
931
Views
10
Helpful
3
Replies

Surface Pro 4 with EAP Chaining

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-09-2016 05:28 PM - edited ‎03-11-2019 12:04 AM

I have an ISE deployment with EAP chaining using AnyConnect NAM.

It has been working fine.

..until we tried a Surface Pro 4 (basically a Windows 10 tablet).

It fails machine authentication (passes user authentication) with the result:

24344  RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,<machine name redacted>

The tablet has a recent (just minutes earlier) connection to the domain and we have verified the computer account is present and correct in AD. The domain is at the Server 2008 R2 functional level if that matters.

I contrasted successful Windows 7 laptop scenario with EAP chaining and they work perfectly. In that case, the comparable message is:

24343   RPC Logon request succeeded -<machine name redacted> 

Has anyone seen this?

1 person had this problem
Labels:
0 Helpful
3 Replies 3

pietrulewiczmarek
Level 1
Level 1

‎10-05-2016 06:58 AM

I have the same problem. Have you found out what was causing this, Marvin?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to pietrulewiczmarek

‎10-05-2016 07:17 AM

pietrulewiczmarek  ,

I haven't had a chance to work with the customer subsequently, but one of the ISE TMEs pointed pointed me to a possible solution here:

http://globalconfig.net/fix-eap-chaining-userpassedmachinefailed-issue-windows-8/

From that article, it appears that Windows 10 is preventing 3rd party providers (e.g., AnyConnect NAM) from getting the machine credentials in cleartext by default. Changing a registry key makes it do so.

Let me know if you get a chance to test it out. If it works, it's probably good to include it in a domain GPO - in my experience changed registry settings have a way of being reset with Windows Updates.

Ridma Ransara Jayaweera
Level 1
Level 1

‎10-26-2016 10:50 AM

Hi Marvin

It's nice to hear that windows 7 PC work with EAP chaining.I was trying to implement the same but I'm having issues.

I'm using ISE 2.1 and AnyConnect '4.3 and trying to do EAP-Chaning for dit1x and posturing.

When Laptop is conncted to network first time it get authenticated and postured correctly  and if we logout and re-loging dot1x authentication get failed.This authentication fail happen for sometime and become okay after some time(1hr or more).

I have tested even with windows 8 PC in that I had to do registry HACK for Lsa.but same previous result was observed.

Can you pls share a AnyConnect version,configuration.xml and the eap-chaning rules.

Thanks in advanced.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents