User and Machine Authentication

vivarock12 (Level 1)

Hello

I'm having trouble getting my Wi-Fi to work with machine authentication and user authentication. It keeps trying to reauthenticate every time; I'm not really sure why it does it at the machine authentication part, but it gets that correct.

This is what's happening:
I created a new SSID on a classic WLC to do the test.

This is the SSID configuration:

[screenshot: vivarock12_0-1752185163595.png]

[screenshot: vivarock12_1-1752185202316.png]

[screenshot: vivarock12_2-1752185228818.png]

[screenshot: vivarock12_3-1752185253120.png]

The AP switch port config:

[screenshot: vivarock12_4-1752185353976.png]

I'm using the same VLAN for users and management, for the testing.

This is the configuration of the ISE:

[screenshot: vivarock12_5-1752186022741.png]

[screenshot: vivarock12_1-1752189203293.png]

The thing is, the machine authentication and user logs look like it works, but it won't assign the user its IP address.

[screenshot: vivarock12_2-1752189321445.png]

I tried the same policy, just with the SSID in another rule, and it worked like a charm.

[screenshot: vivarock12_3-1752189387970.png]

Any idea what the problem might be?

12 Replies

@vivarock12 are you using EAP Chaining (EAP-FAST or TEAP) or using MAR (no one recommends using MAR anyway)? If not using EAP Chaining, "Network Access WasMachineAuthenticated" will not work.

I would recommend using TEAP over EAP-FAST: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html


Hello Rob,

Thanks for the help as always, but I was trying to do it with MAR using PEAP apparently, so I'll try with TEAP. One question: do I need a user cert for it?

Thanks for the help.

@vivarock12 

If using WPA2 Enterprise, then that implies you are using PEAP/MSCHAPv2 or EAP-TLS, and in both instances certificates are used. PEAP/MSCHAPv2 validates the server certificate (ISE's EAP certificate) and EAP-TLS validates the client and server certificates.

If you want to use TEAP, then you can mix and match PEAP/MSCHAPv2 and EAP-TLS for user and machine authentication; TEAP will just combine the authentications together. So you could use certificate authentication for the computer and PEAP/MSCHAPv2 for the user, or use a certificate for the user as well - you'd obviously have to distribute user certificates.

You do not need to use WPA3, EAP Chaining will work with WPA2 enterprise.

MHM

I was using WPA2, so do you recommend using WPA3?

Hmm.

It is a wireless case.

Some Wi-Fi clients support WPA3 and others support WPA2; I will check the mixed mode (using both in a single SSID).

MHM

vivarock12 (Level 1)

Guys, sorry for the late reply. The TEAP solution worked, but we have a problem now: they are using AnyConnect with NAM. I'm trying to generate a NAM profile for Wi-Fi to use EAP-FAST or TTLS using only MS-CHAP as authentication for the machine and for the user, but I did a TCP dump on the ISE and I'm not getting any information from the "login" that AnyConnect is supposed to be doing. I don't know if you guys have found the same trouble with AnyConnect?

Investigating, I found some recommendations to use TEAP without NAM because it wasn't working either, but I don't know if they (the client) would be able to disable NAM on the PCs.

Investigating, I ended up with the following: you need to set a registry key, LsaAllowReturningUnencryptedSecrets, for EAP-FAST to work, and

Microsoft support has informed that making this change will effectively make a hole in protecting the credentials.


It stated: "Kindly be informed that creating and changing the registry key LsaAllowReturningUnencryptedSecrets to 1 will open a hole in credential protection to allow application compatibility, so applications (and yes, attackers) can extract device secrets in clear text. This behavior is by design and improves protection of the LSA secret. Therefore we need to make it clear that they are opening a credential theft vector. Organizations concerned about credential theft attacks, also known as pass-the-hash attacks, should understand that deploying this registry key makes it easy for attackers to steal the domain-joined device's clear-text password."

This is in a link: https://community.cisco.com/t5/vpn/windows-10-machine-authentication-with-anyconnect-nam/td-p/3462166

So is it true?

Yes, that is true, but the same could be said of using MSCHAPv2, as it uses NTLMv1, which is just as vulnerable to pass-the-hash attacks.

Credential Guard is enabled by default on newer versions of Windows 11 and must be disabled to use MSCHAPv2.
https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues

If you're concerned about credential theft attacks, you should be using non-credential based authentication methods like EAP-TLS (as an inner or outer method). Microsoft has the same recommendation as stated in the link above.
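The three client-side settings argued over in this thread (the LsaAllowReturningUnencryptedSecrets value, whether Credential Guard is running, and whether the saved Wi-Fi profiles still use a password-based inner method or EAP-TLS/TEAP) can be read from the Windows client before changing anything. The script below is an added audit example written for this page; it is not from the thread, Cisco or Microsoft. It assumes Windows 10/11 with PowerShell 5.1 or later, run elevated so the profile export and the DeviceGuard CIM query succeed, and uses the IANA EAP method type numbers (13 EAP-TLS, 25 PEAP, 26 EAP-MSCHAPv2, 43 EAP-FAST, 55 TEAP) as they appear in exported WLAN profiles. The profile names and the temp folder are constructed for the example.

```powershell
# Added audit script (not from the thread). Assumptions: elevated PowerShell 5.1+
# on the Windows client; 'netsh wlan export profile' writes one XML per profile.
$ErrorActionPreference = 'Stop'

# IANA EAP method types as they appear in <Type> elements of exported WLAN profiles.
$eapNames = @{ 13 = 'EAP-TLS'; 25 = 'PEAP'; 26 = 'EAP-MSCHAPv2'; 43 = 'EAP-FAST'; 55 = 'TEAP' }

function Get-LsaUnencryptedSecretsSetting {
    # Value 1 is the setting the Microsoft note quoted above warns about: LSA secrets
    # such as the machine account password become retrievable in clear text.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name 'LsaAllowReturningUnencryptedSecrets' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # value absent: default, protected behaviour
    return [int]$item.LsaAllowReturningUnencryptedSecrets
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard lists running VBS services: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    if ($null -eq $dg) { return $false }
    return [bool]($dg.SecurityServicesRunning -contains 1)
}

function Get-WlanEapSummary {
    # Export every saved WLAN profile to a throwaway folder and read the EAP
    # method types from the XML. Profiles without EapMethod (PSK/open) are skipped.
    $exportDir = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
    try {
        netsh wlan export profile folder="$exportDir" | Out-Null
        foreach ($file in Get-ChildItem -Path $exportDir -Filter '*.xml') {
            [xml]$doc = Get-Content -Path $file.FullName -Raw
            $em = $doc.GetElementsByTagName('EapMethod') | Select-Object -First 1
            if ($null -eq $em) { continue }            # not an 802.1X profile
            # Outer method: the <Type> directly under <EapMethod> (namespace-agnostic lookup).
            $outer = [int]$em.SelectSingleNode("*[local-name()='Type']").InnerText
            # Every <Type> in the profile, so inner methods (e.g. 26 under PEAP/TEAP) are seen too.
            $types = @($doc.GetElementsByTagName('Type') | ForEach-Object { [int]$_.InnerText })
            [pscustomobject]@{
                Profile       = $doc.WLANProfile.name
                OuterMethod   = if ($eapNames.ContainsKey($outer)) { $eapNames[$outer] } else { "EAP type $outer" }
                PasswordInner = [bool]($types -contains 26)   # EAP-MSCHAPv2 anywhere in the profile
                CertBased     = [bool]($types -contains 13)   # EAP-TLS as outer or inner method
            }
        }
    } finally {
        Remove-Item -Path $exportDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# --- Report -------------------------------------------------------------
$lsa = Get-LsaUnencryptedSecretsSetting
if ($lsa -eq 1) {
    Write-Warning 'LsaAllowReturningUnencryptedSecrets = 1: machine account secret is readable in clear text (credential theft vector)'
} else {
    Write-Output  'LsaAllowReturningUnencryptedSecrets: not set / 0 (LSA secrets stay protected)'
}

$cg = Test-CredentialGuardRunning
Write-Output ("Credential Guard running: {0}" -f $cg)

$profiles = @(Get-WlanEapSummary)
$profiles | Format-Table -AutoSize

foreach ($p in $profiles) {
    if ($p.PasswordInner -and $cg) {
        # Password-based inner method with Credential Guard on: see the Microsoft
        # considerations page linked in the reply above before expecting it to work.
        Write-Warning ("Profile '{0}' uses EAP-MSCHAPv2 while Credential Guard is running" -f $p.Profile)
    }
    if (-not $p.CertBased) {
        Write-Warning ("Profile '{0}' has no EAP-TLS method; it relies on a password and is exposed to the attacks discussed above" -f $p.Profile)
    }
}
```

Run it before and after switching the supplicant to TEAP(EAP-TLS): a clean result is LsaAllowReturningUnencryptedSecrets unset, Credential Guard running, and every 802.1X profile reporting CertBased true with PasswordInner false.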


So @Greg Gibbs, the recommendation or best practice would be to use TEAP or EAP-FAST with certificates, right?

Yes, you would need to use certificate-based authentication.

If you want to use EAP Chaining, you would need to use TEAP(EAP-TLS) [with the Windows native supplicant] or EAP-FAST(EAP-TLS) [with NAM]

This is the TEAP authc method:

[screenshot: 2024-08-23_08-47-02.png]

TEAP uses two authentications:
- the outer tunnel authc uses the ISE cert only to authenticate
- the inner authc uses
  A) EAP-TLS (machine and/or user cert)
  B) EAP-MSCHAPv2 (username/password)

The config of TEAP for both TEAP(EAP-TLS) and TEAP(EAP-MSCHAPv2) is the same in the WLC: select WPA2 or WPA3 Enterprise with 802.1X.


In ISE the difference comes in:

Allowed protocols:
you need to allow EAP-MSCHAPv2 and/or EAP-TLS.

[screenshot: Screenshot (282).png]

Authz policy:

You need different authz policies:
one for machine and user cert authc succeeded (chain),
the other for user cert authc succeeded only.

[screenshot: Screenshot (280).png]