Customers' Site implemented Cisco Identity Services Engine, Release 2.3.2
We are using GPO in order to use Wired-DOT1X,
Each computer enrolls the certificate from Microsoft CA server and uses the PEAP-EAP-TLS to authenticate machine and user.
We have an issue with some workstations (Windows 7) in our domain, some machines uses MSCHAPv2 instead of PEAP-EAP-TLS, although they receive the correct GPO,
and if we run "gpupdate /force"it will work again.. but will change but after a while..
why would the workstations loses it's defenitions?
How can we resolve that?
thanks a lot!
Have a look at this post. It is a list of 802.1X related hot-fixes for Windows. One of the hot-fixes is supposed to resolve behavior similar to what you are seeing.
I have seen the same issue happen for machine authentications at boot, when Windows attempts to use PEAP for auth first and then immediately retries with EAP-TLS. I never really put much effort in trying to fix the problem because the actual impact in our case was just cosmetic, that is ISE auth logs contain some failed PEAP auth entries, immediately followed by successful EAP-TLS ones.
Your scenario might be different though - exactly when do you see the failures, and is it only for machine auth or for user auth as well?
I guess it does not happen if you manually configure EAP-TLS on the client, without group policy?
Try moving a test client to a new OU, isolated from other policies. Then configure 802.1X settings in a new, separate policy and see if the issue happens again
Have you check if the profile is actually deployed into the Win 7 devices at least??. I have tested before and even though I do have the certificate properly installed on the laptop, if I removed the profile then it always tries PEAP. So once I configure back manually that profile (which was originally pushed using GPO) into the laptop, everything works as expected BUT the profile has to indicate something like the following. Important to mention that EAP-TLS is a 2-way authentication using certs so VALIDATE SERVER CERTIFICATE is a must.