
User and Machine Authentication

vivarock12 (Level 1)

Hello

I am having trouble getting my Wi-Fi to work with machine authentication and user authentication. It keeps trying to reauthenticate every time; I'm not really sure why it is doing that at the machine authentication part, because it gets that part correct.

This is what's happening. I created a new SSID on a classic WLC to do the test.

This is the SSID configuration:

[image: vivarock12_0-1752185163595.png]

[image: vivarock12_1-1752185202316.png]

[image: vivarock12_2-1752185228818.png]

[image: vivarock12_3-1752185253120.png]

The AP switch port config:

[image: vivarock12_4-1752185353976.png]

I'm using the same VLAN for users and management for the testing.

This is the configuration of the ISE:

[image: vivarock12_5-1752186022741.png]

[image: vivarock12_1-1752189203293.png]

The thing is, the machine authentication and user logs look like it works, but it won't assign the user its IP address.

[image: vivarock12_2-1752189321445.png]

I tried the same policy just with the SSID in another rule and it worked like a charm.

[image: vivarock12_3-1752189387970.png]

Any idea what the problem might be?

7 Replies

@vivarock12 are you using EAP Chaining (EAP-FAST or TEAP) or using MAR (no one recommends using MAR anyway)? If not using EAP Chaining, "Network Access WasMachineAuthenticated" will not work.

I would recommend using TEAP over EAP-FAST https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html


Hello Rob,

Thanks for the help as always, but I was trying to do it with MAR using PEAP, apparently, so I'll try with TEAP. One question: do I need a user cert for it?

Thanks for the help.

@vivarock12 

If using WPA2 Enterprise then that implies you are using PEAP/MSCHAPv2 or EAP-TLS, and in both instances certificates are used. PEAP/MSCHAPv2 validates the server certificate (ISE's EAP certificate) and EAP-TLS validates the client and server certificate.

If you want to use TEAP, then you can mix and match PEAP/MSCHAPv2 and EAP-TLS for user and machine authentication; TEAP will just combine the authentications together. So you could use certificate authentication for the computer and PEAP/MSCHAPv2 for the user, or use a certificate for the user as well - you'd obviously have to distribute user certificates.

You do not need to use WPA3, EAP Chaining will work with WPA2 enterprise.
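To make the difference between MAR and EAP chaining concrete, here is a small Python model I am adding to this thread (not code from the thread, Cisco ISE or the WLC). It shows what an authorization rule can actually trust in each design: with MAR the rule relies on a cached "this MAC authenticated as a machine earlier" entry that ages out, while with TEAP both identities are proven inside one EAP conversation and the rule can act on the combined result directly. The EapChainingResult wording, the 8 hour MAR aging time, the profile names and the endpoint MAC are all assumptions made for the example.

```python
"""Model of what an ISE-style authorization rule can see for one 802.1X
session under two designs: MAR (machine state cached from an earlier
session) versus TEAP EAP chaining (machine and user proven in one EAP
conversation). Constructed illustration, not ISE or WLC code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Result strings modelled on ISE's Network Access:EapChainingResult (assumed wording).
BOTH_OK = "User and machine both succeeded"
USER_ONLY = "User succeeded and machine failed"
MACHINE_ONLY = "User failed and machine succeeded"
NO_CHAINING = "No chaining"


@dataclass(frozen=True)
class TeapSession:
    """Outcome of the inner methods carried inside one TEAP tunnel.
    None means the supplicant never offered that identity."""
    machine_ok: Optional[bool]  # e.g. EAP-TLS with the computer certificate
    user_ok: Optional[bool]     # e.g. EAP-MSCHAPv2 with the user's AD password


def eap_chaining_result(s: TeapSession) -> Optional[str]:
    """Summarise both inner results into one attribute; None = auth rejected."""
    if s.machine_ok is None and s.user_ok is None:
        return None
    if s.machine_ok is None or s.user_ok is None:
        return NO_CHAINING          # only one identity offered: nothing to chain
    if s.machine_ok and s.user_ok:
        return BOTH_OK
    if s.user_ok:
        return USER_ONLY
    if s.machine_ok:
        return MACHINE_ONLY
    return None                     # both inner methods failed


def authorize_chaining(s: TeapSession) -> str:
    """Authorization rule that trusts only what this session proved.
    Profile names are constructed for the example."""
    result = eap_chaining_result(s)
    if result == BOTH_OK:
        return "PERMIT_FULL_ACCESS"
    if result == MACHINE_ONLY or (result == NO_CHAINING and s.machine_ok):
        return "PERMIT_MACHINE_ONLY"   # pre-logon: GPO/patching reachability only
    return "DENY"                      # user-only or failed: machine never proven here


class MarCache:
    """MAR: the server remembers that a machine (keyed by endpoint MAC)
    authenticated recently, and a later user-only PEAP session passes
    WasMachineAuthenticated while that entry has not aged out.
    The 8 hour aging time is an assumed default."""

    def __init__(self, aging: timedelta = timedelta(hours=8)) -> None:
        self.aging = aging
        self._seen: dict[str, datetime] = {}

    def record_machine_auth(self, mac: str, when: datetime) -> None:
        self._seen[mac] = when

    def was_machine_authenticated(self, mac: str, now: datetime) -> bool:
        seen = self._seen.get(mac)
        return seen is not None and now - seen <= self.aging


def authorize_mar(cache: MarCache, mac: str, user_ok: bool, now: datetime) -> str:
    """User-only PEAP session gated by the cached machine state."""
    if not user_ok:
        return "DENY"
    return "PERMIT_FULL_ACCESS" if cache.was_machine_authenticated(mac, now) else "DENY"


def demo() -> dict:
    """Same laptop, same correct user password, through both designs."""
    mac = "00:11:22:33:44:55"             # constructed endpoint MAC
    boot = datetime(2025, 7, 10, 8, 0)    # constructed boot time
    cache = MarCache()
    cache.record_machine_auth(mac, boot)  # machine authenticated at boot
    return {
        "mar_same_morning": authorize_mar(cache, mac, True, boot + timedelta(hours=3)),
        "mar_after_aging": authorize_mar(cache, mac, True, boot + timedelta(hours=9)),
        "chain_both": authorize_chaining(TeapSession(True, True)),
        "chain_user_only": authorize_chaining(TeapSession(False, True)),
        "chain_prelogon": authorize_chaining(TeapSession(True, None)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} -> {decision}")
```

The point of `mar_after_aging` is that under MAR a perfectly valid user reauthentication is denied once the cached machine entry expires, because the rule has no way to re-prove the machine in a user-only PEAP session; under chaining the same rule sees both results every time, so the decision does not depend on what happened hours earlier.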

You use enterprise WPA2, so there is no check for a cert for this type of L2 authc.

Unless I miss something 

For ISE I will check and reply later.

MHM

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213919-configure-802-1x-authentication-on-catal.html

This is how you config ISE for WPA2 Enterprise.
Only the internal username/password in ISE is checked; there is no need for a cert.

MHM

I was using WPA2, so do you recommend using WPA3?

Hmm 

It is a wireless case.

Some Wi-Fi clients support WPA3 and others support WPA2. I will check the mixed mode (using both in a single SSID).

MHM