new user on an existing device

steve.payne
Level 1

So we have partly rolled out dot1x, but we have an issue where a user logs onto a device that they haven't used previously, and it won't authenticate the user, and it drops off the network.

If an existing user logs back on, it's fine.

We find that the user doesn't download the cert from AD and so they fail authentication.

What am I doing wrong? Or is this expected behavior?

We're running ISE 2.6, Windows 10 1809.

Cert authentication.

Thanks in advance

3 Replies

Scott Fella
Hall of Fame
Are you using EAP-TLS? Because a valid machine certificate should be part of the domain join, not a user certificate. PEAP would just use the user's login info, but I don't think that is what you are doing. Machine authentication is like PEAP but points to a computer OU, and that should work no matter who logs in. Look at the cert that is being pushed to the device and verify that it is a machine certificate, not a user one.
-Scott
*** Please rate helpful posts ***

Machine authentication always works because, as you say, it gets added when the machine joins AD, but when a new user rocks up to a laptop it fails after they log in, as they have never logged in before, so there is no cert and it fails.

 

Muhammad Awais Khan
Cisco Employee

I believe you need to add a Machine Authentication policy as well, which should have an ACL defined to allow communication between the machine and the AD.

 

New users don't have a cached account on the computer, and the computer needs to communicate with the AD server. Without a machine authentication policy, when the user logs out, the machine will keep getting authentication failed and getting the deny-only policy, which is restricting your computer's communication with AD for the new user.
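As an added client-side check (not code from either poster or from Cisco), the PowerShell below shows what the thread is describing: whether the machine certificate exists, whether the logged-in user has a certificate yet, and what the wired 802.1X profile and supplicant log say. It assumes a domain-joined Windows 10 client using the built-in wired supplicant; the store paths and log name are the standard Windows ones, and the OID is the Client Authentication EKU that EAP-TLS requires.

```powershell
# Added diagnostic, not from the thread. Assumes a domain-joined Windows 10
# client using the built-in wired 802.1X supplicant.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (EAP-TLS)

function Get-EapClientCerts {
    # Certificates with a private key and the Client Authentication EKU,
    # i.e. the ones the supplicant can actually present for EAP-TLS.
    param([string]$StorePath)
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
        } |
        Select-Object Subject, NotAfter, Thumbprint
}

Write-Host '== Machine certificate(s): expected after domain join =='
Get-EapClientCerts -StorePath 'Cert:\LocalMachine\My' | Format-Table -AutoSize

Write-Host "== User certificate(s) for $env:USERNAME: only present after autoenrollment reached AD/CA =="
$userCerts = Get-EapClientCerts -StorePath 'Cert:\CurrentUser\My'
if (-not $userCerts) {
    # This is the first-logon case from the thread: with no user cert, user EAP-TLS
    # cannot succeed until the machine-authenticated session can reach AD.
    Write-Warning 'No user certificate in CurrentUser\My for this account.'
} else {
    $userCerts | Format-Table -AutoSize
}

Write-Host '== Wired 802.1X profile: check whether auth mode is machine, user, or user-or-computer =='
netsh lan show profiles

Write-Host '== Last 802.1X events from the wired supplicant =='
Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it once as the new user right after their first logon: an empty user-certificate section alongside a present machine certificate matches the failure described above, and the profile output shows whether the supplicant is even configured to fall back to machine authentication.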