
ISE not confirmed locally previous successful machine authentication

naoki_Japan
Spotlight

I see logs like the one below on ISE.

I turned on machine authentication, and AD is working correctly with ISE using PEAP.

However, as shown, the machine authentication cannot be processed.

So the attribute "Network access > WasMachineAuthenticated" is meaningless.

Could you tell me how I can handle this issue?

 

24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory

 



nspasov
Cisco Employee

The "WasMachineAuthenticated" attribute deals with MAR (Machine Access Restriction). What exactly are you trying to accomplish and how is your supplicant configured?

Thank you for rating helpful posts!

Thank you for your reaction.

I am trying to configure PEAP with machine authentication.

What I want is that when an employee boots the PC, the PC name registered in AD is checked, and then, if that succeeds, he is asked to enter the username and password, and finally ISE checks the username and password via AD and gives network access to the employee.

The supplicant PC is set up with dot1x using the username.

Also, the switch, the authenticator, is configured to authenticate the user with the order dot1x and mab.

I have confirmed that the user authentication is handled successfully, but it seems the machine authentication process is not active although I set up ISE to do so.

If you are trying to do PEAP with machine authentication then your supplicant needs to be set to perform computer authentication. If you are trying to do machine+user authentication then MAR is one way to do it but not ideal as it comes with many challenges:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

Thank you for rating helpful posts!
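One way to check the supplicant side of the reply above, added here as an example and not part of the thread: the script reads a wired 802.1X profile exported with `netsh lan export profile` and reports whether its `authMode` allows computer authentication. The sample profile is constructed, and the use of the Windows native supplicant is an assumption, since the thread does not name the supplicant.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported Windows wired 802.1X profile (not from the thread).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>user</authMode>
      </OneX>
    </security>
  </MSM>
</LANProfile>"""

# What each authMode value means for the sessions the RADIUS server will see.
FINDINGS = {
    "machineOrUser": "computer authentication at boot, user authentication after logon",
    "machine": "computer authentication only; no user authentication follows",
    "user": "computer authentication is never attempted; only user sessions reach the server",
    "guest": "guest authentication; no computer or user credentials are sent",
}


def _local(tag):
    """Strip the XML namespace so matching does not depend on the schema URI."""
    return tag.rsplit("}", 1)[-1]


def audit_profile(xml_text):
    """Return (auth_mode, finding) for one exported wired profile."""
    root = ET.fromstring(xml_text)
    values = {_local(e.tag): (e.text or "").strip() for e in root.iter()}
    if values.get("OneXEnabled", "").lower() != "true":
        return None, "802.1X is not enabled in this profile"
    mode = values.get("authMode")
    if mode is None:
        return None, "no authMode element; check the adapter's authentication settings"
    return mode, FINDINGS.get(mode, "unrecognised authMode value")


def allows_machine_auth(xml_text):
    """True when the profile lets the PC authenticate with its computer account."""
    mode, _ = audit_profile(xml_text)
    return mode in ("machine", "machineOrUser")


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```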

I re-confirmed the settings of the devices and found out that my AD was not treated as a root CA on the client PC.

After the AD certificate was installed on the client PC as a root CA, this problem was solved.

 

 

Thank you for your help from the bottom of my heart.

Awesome! Glad your issue was resolved

Thank you for your kind support!
