01-14-2020 07:22 AM - last edited on 02-24-2020 11:42 AM by Monica Lluis
So we have partly rolled out dot1x, but we have an issue where a user logs onto a device that they haven't used previously, and it won't authenticate the user, and they drop off the network.
If an existing user logs back on, it's fine.
We find that the user doesn't download the cert from AD and so they fail authentication.
What am I doing wrong? Or is this expected behavior?
We're running ISE 2.6, Windows 10 1809.
Cert authentication.
Thanks in advance.
01-14-2020 07:55 AM
01-14-2020 08:20 AM
Machine authentication always works, because as you say, it gets added when the machine joins AD, but when a new user rocks up to a laptop it fails after they log in, as they have never logged in before and so there is no cert, and then it fails.
01-15-2020 06:56 PM
I believe you need to add a Machine Authentication policy also, which should have an ACL defined to allow communication between the machine and the AD.
New users don't have a cached account on the computer, and the computer needs to communicate with the AD server. Without a machine authentication policy, when the user logs out, the machine will keep getting authentication failed and getting the deny-only policy, which is restricting your computer's communication with AD for new users.
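The symptom described in this thread (a first-time user on a machine has no certificate yet, so EAP-TLS user authentication fails) can be confirmed on the Windows 10 client itself. The following PowerShell is an added troubleshooting example, not code from the thread or from Cisco: it checks whether the current user holds a valid client-authentication certificate in the user certificate store and, if not, triggers a user autoenrollment pass and shows the most recent autoenrollment events. It assumes the user certificate is issued by an AD CS template configured for autoenrollment via Group Policy; the log and provider names used for the event query are the standard ones for the Windows autoenrollment client.

```powershell
# Added example (not from the thread): verify the logged-in user has an EAP-TLS usable
# certificate, and pulse autoenrollment if not. Run in the context of the affected user.

$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

function Get-UserEapCerts {
    # Valid, private-key-backed certs in the user's Personal store that carry the
    # Client Authentication EKU (what the EAP-TLS supplicant will present).
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthEku })
        }
}

$certs = Get-UserEapCerts
if ($certs) {
    Write-Host "User EAP-TLS certificate(s) present:"
    $certs | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize
} else {
    Write-Warning "No valid client-auth certificate in the user store; EAP-TLS user authentication will fail."

    # Trigger a user-scope autoenrollment pass now. This only succeeds if the machine can
    # reach a domain controller and the issuing CA, which is exactly why the machine-auth
    # authorization (and its ACL) must permit AD/CA traffic before the user has a cert.
    certutil -user -pulse

    # Show the latest autoenrollment client events to see why enrollment did or did not happen
    # (assumed location: Application log, CertificateServicesClient-AutoEnrollment provider).
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Format-Table TimeCreated, Id, Message -AutoSize
}
```

If the pulse fails with an error about reaching the domain or the CA, the network access granted by the machine-authenticated session is the place to look, which matches the answer above: the user cannot obtain a cert until the machine's authorization allows it to talk to AD and the CA.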