New user on an existing device

So we have partly rolled out dot1x, but we have an issue where a user logs onto a device that they haven't previously used, and it won't authenticate the user, and they drop off the network.


If an existing user logs back on, it's fine.


We find that the user doesn't download the cert from AD and so they fail authentication.


What am I doing wrong? Or is this expected behavior?


We're running ISE 2.6, Windows 10 1809.


Cert authentication.


Thanks in advance.


Re: New user on an existing device

Are you using EAP-TLS? Because a valid machine certificate should be part of the domain join, not a user certificate. PEAP would just use the user's login info, but I don't think that is what you are doing. Machine authentication is like PEAP but points to a computer OU, and that should work no matter who logs in. Look at the cert that is being pushed to the device and verify that it is a machine certificate, not a user one.
*** Please rate helpful posts ***

Re: New user on an existing device

Machine authentication always works because, as you say, it gets added when the machine joins AD, but when a new user rocks up to a laptop it fails after they log in, as they have never logged in before, so there is no cert and it fails.


Re: New user on an existing device

I believe you need to add a Machine Authentication policy as well, which should have an ACL defined to allow communication between the machine and the AD.


A new user doesn't have a cached account on the computer, and the computer needs to communicate with the AD server. Without a Machine Authentication policy, when the user logs out, the machine will keep getting authentication failures and getting the deny-only policy, which restricts your computer's communication with AD for new users.
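Added diagnostic for the situation described in this thread (not from any poster or from Cisco): run it in the new user's session on the affected laptop to see whether the machine store and the user store each hold a certificate usable for EAP-TLS, and, if the user cert is missing, trigger user autoenrollment and show the autoenrollment events. It assumes the EAP-TLS profile accepts the standard Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2); the event provider name and the store paths are standard Windows values.

```powershell
# Constructed diagnostic: which store holds a cert that EAP-TLS can present?
# Assumption: the supplicant profile accepts the Client Authentication EKU.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-EapClientCert {
    param([string]$StorePath)   # Cert:\LocalMachine\My or Cert:\CurrentUser\My
    $now = Get-Date
    Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and
        $_.NotAfter  -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
    }
}

# Machine cert: enrolled at domain join, so this should normally be non-empty.
$machineCerts = @(Get-EapClientCert -StorePath 'Cert:\LocalMachine\My')
Write-Host "Machine certs usable for EAP-TLS: $($machineCerts.Count)"
$machineCerts | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# User cert: only exists once autoenrollment has run in this user's session,
# which needs the DC/CA to be reachable while the machine-auth policy applies.
$userCerts = @(Get-EapClientCert -StorePath 'Cert:\CurrentUser\My')
Write-Host "User certs usable for EAP-TLS for $($env:USERNAME): $($userCerts.Count)"
$userCerts | Format-Table Subject, NotAfter, Thumbprint -AutoSize

if ($userCerts.Count -eq 0) {
    Write-Warning 'No user certificate yet: user EAP-TLS will fail until autoenrollment completes.'
    # Kick off user autoenrollment now, then show what the client reported.
    # If the DC/CA is unreachable under the deny-only policy, the events will say so.
    certutil -user -pulse
    Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents 5 -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } | Format-Table TimeCreated, Id, Message -AutoSize
}
```

If the machine store shows a valid cert but the user store stays empty after the pulse, the autoenrollment events usually point at the DC or CA being unreachable from the restricted VLAN or ACL.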
