Windows 10 trying to do machine auth through ISE

Meuserid1979

Hi experts, I'm not really sure how to title this discussion. The scenario is this:

The wireless network is on 802.1X authentication through ISE (version 2.7).

Windows 10 <---> Cisco AP <---> WLC <--> Cisco ISE

AD is integrated with ISE. Users are authenticating through a list of AD OUs.

authC - AD usernames/passwords are being checked against those selected OUs populated on ISE

authZ - is either permit access or dynamic VLAN assignment

In the Windows 10 wireless properties, "user or computer authentication" is the selected option.

Machine authentication is disabled on ISE. But in the ISE logs, some Windows machines are trying to do machine authentication first, then after a while the user authentication is done and the user gets connected.

Is that Windows 10 machine behaviour, or is there some setting on ISE that can be changed so that the laptops will stop doing the machine authentication? Thanks in advance.

Accepted Solutions

Hi,

When you boot the machine it will try to log in using machine authentication
(before the user login). The same thing happens when you log off from your machine:
it will try machine authentication to stay connected, as there are no user
details in the credentials store (lsass.exe).

This is the normal pattern with Windows clients, whether using the native supplicant
or the AnyConnect supplicant. If you disable machine auth, you will start
getting issues like the machine not being connected to the network at boot with the password
changed. The user will attempt the new password, but it will accept the cached
password only, as it can't see AD.

***** please remember to rate useful posts
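
The machine-then-user pattern described in this thread can be confirmed from authentication logs. The following is an added example, not part of the original posts and not Cisco code: it pairs failed machine attempts with the later successful user login from the same endpoint. The log layout, MAC addresses and names are constructed, and it assumes machine identities carry the `host/` prefix that the Windows supplicant sends for computer accounts.

```python
from datetime import datetime

# Constructed sample records (not real ISE output):
# timestamp, endpoint MAC, 802.1X identity, result
SAMPLE = """\
2020-06-01T08:00:05 AA-BB-CC-00-00-01 host/LAPTOP01.example.local FAIL
2020-06-01T08:00:35 AA-BB-CC-00-00-01 host/LAPTOP01.example.local FAIL
2020-06-01T08:02:10 AA-BB-CC-00-00-01 alice PASS
2020-06-01T08:05:00 AA-BB-CC-00-00-02 bob PASS
2020-06-01T09:00:00 AA-BB-CC-00-00-03 host/LAPTOP03.example.local FAIL
"""

def is_machine(identity):
    # Assumption: computer accounts present their identity as host/<name>.
    return identity.lower().startswith("host/")

def parse(text):
    """Yield (time, mac, identity, result) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, identity, result = line.split()
        yield datetime.fromisoformat(ts), mac, identity, result

def machine_then_user(text):
    """Return (report, still_pending).

    report: one tuple per endpoint whose failed machine attempts were
            followed by a user PASS: (mac, user, failed_count, delay_seconds)
    still_pending: endpoints with failed machine attempts and no user login yet
    """
    pending = {}  # mac -> (time of first failed machine attempt, count)
    report = []
    for ts, mac, identity, result in parse(text):
        if is_machine(identity) and result == "FAIL":
            first, count = pending.get(mac, (ts, 0))
            pending[mac] = (first, count + 1)
        elif not is_machine(identity) and result == "PASS" and mac in pending:
            first, count = pending.pop(mac)
            delay = int((ts - first).total_seconds())
            report.append((mac, identity, count, delay))
    return report, sorted(pending)

if __name__ == "__main__":
    paired, waiting = machine_then_user(SAMPLE)
    print("machine failures followed by user login:", paired)
    print("machine failures with no user login yet:", waiting)
```

Endpoints left in the second list are the ones sitting at the login screen or logged off, which matches the boot and logoff behaviour described in the answer.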

Thanks. Appreciate the reply.

Does ISE have a mechanism to reject an authentication request (for a period of time) after a laptop keeps failing to authenticate?

Then once the duration is finished, ISE will allow the laptop to make a new auth request.