ISE and machine authentication

Similar Messages

• 802.1x Wireless - Enforce user AND machine authentication

  I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
  The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
  I'd rather not have to deploy user and machine certificates.
  All I want to do is allow access to the wireless network only if the device and the user are in AD.
  It's such a simple scenario that I must be missing something.
  Any suggestions are welcome. Thanks in advance for your comments.
  Lucas

  In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as radius backend, last time i looked in ACS release notes was 5.4, and it didn't have eap-chaining support.
  Using the built-in windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed), What most people miss when they say this will work fine with windows supplicant and acs, is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine, this is mainly due to the shortcomings.of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

• ACS 5.4 and machine authentication

  Hi,
  I am installing ACS 5.4 for WiFI user and using EAP-TLS/ certificate based authentication.
  I have Authorization profile created as shown in attachement.
  Under authorization profile i have selcted "Was Machine Authenticated=True"Condition.
  Somehow clients are not able to connect. When I looked at logs on ACS it shows that the requests are not matching this rule bu default rule.
  As soon as I disable this condition, user gets connected
  I have already selected "Enable Machine Authentication" under AD & "Process host Lookup" in allowed protocol.
  Any Suggesions?
  Regards,
  Shivaji

  Shivaji,
  The purpose of the "wasmachineauthenticated" attribute is for user authentication, this is your typical "chicken or the egg" scenario since machine authentication needs to be performed without this attribute for successful authentication.
  When successful machine authentication occurs there is a MAR cache within ACS uses to track the mac address of the device. In your case you are forcing ACS to look for a "WasMachineAuthenticated" during the initial machine authentication which will not succeed.
  In my experience it is best to set this in environments where users' can only authenticate through registered workstations (typically machines that are joined to AD), so when a user attempts to use their 802.1x credentials on a smart phone or non-registered asset, they get denied since the device does not have machine credentials to join the network.
  I hope this bring some clarification to Edward's recommendation.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• EAP-TLS User and machine authentication question

  Hello,
  i have a question regarding EAP TLS authentication in a wireless environment. We use Cisco AnyConnect NAM client and an ACS 5.1 to do EAP-TLS authentification. The Laptop and the user can be successfully authenticated using a certificate from our internal CA. i can also check the in our corporate AD if the user and machine are member of a certain group and based on the membership a can grant access to the network.
  i can see in the ACS when the laptops after a reboot logs on to the network, but i don't see a log when the laptop comes back from hibernate mode, i guess this is normal because the laptop sends only the autentication equest after rebooting.
  What i'd like to achive is, when a user logs on the it should always be checked if the machine was authenticated prior the user can get access to the network. Is there a way to do this with EAP-TLS and a LDAP connection to Active Directory.
  thanks in advanced
  alex

  Sounds like you rather want to use PEAP/MSChapV2

• OS-X - 802.1x and machine authentication

  Hi all
  I have a customer with a large installed base of MacBooks Pro running MAC OS-X, connected via WLAN to a centralized Cisco WLC 5508. He also has installed a Cisco ACS 5.x as RADIUS server and Open LDAP as directory services.
  The customer wants to do machine authentication based on cthe lients MAC addresses, which means that the ACS 5.x has to check the clients MAC address against the LDAP.
  Obviously MACs are not able to send "host/" to differentiate between client- and user-authentication, which by the way works perfect.
  - Does anybody have made the same experiences ?
  - Has anyone managed to get this running ?
  - Can anyone provide me config examples, hint or tipps ?
  Everything is very much appreciated since this is an urgent request.
  Many thanks in advance
  Best regards
  Roman

  Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
  Glad you found resolution with a later version of the OS.
  Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400

• Ise and switch authentication and privilege level

  Hi Guys,
  I'm working on an eval on vmware. I have got everything working for wlan authentication and I’m working on shell authentication for switches. On the ACS you have the possibility to give the user privilege level on the switch. You can do this with shell profiles in ACS.
  Is there a way to get this done in ISE? I was thinking to make a result policy elements but I can't find a shell profile or privilege attributes like in ACS.
  For the record, switch authentication is working with Active Directory. I only need to know how to give the right return attribute.
  I appreciate any help!
  Sander

  @Sander,
  You were in the right area. 
  Policy->Results->Authorization->Authorization Profiles.
  Create AuthZ profile for Access-Accept and Under the Advanced Attributes Settings you can use:
  Cisco:cisco-av-pair = shell:priv-lvl=15
  or whatever privilege level you want to assign.
  On your AuthZ rule, match the conditions and apply the created profile.

• ISE 1.1 - 24492 Machine authentication against AD has failed

  We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
  Authentication Summary
  Logged At:
  March 11,2015 7:00:13.374 AM
  RADIUS Status:
  RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
  NAS Failure:
  Username:
  [email protected]
  MAC/IP Address:
  00:26:82:F1:E6:32
  Network Device:
  WLC : 192.168.1.225 :  
  Allowed Protocol:
  TDS-PEAP-TLS
  Identity Store:
  AD1
  Authorization Profiles:
  SGA Security Group:
  Authentication Protocol :
  EAP-TLS
   Authentication Result
  RadiusPacketType=Drop
   AuthenticationResult=Error
   Related Events
   Authentication Details
  Logged At:
  March 11,2015 7:00:13.374 AM
  Occurred At:
  March 11,2015 7:00:13.374 AM
  Server:
  ISE-TDS
  Authentication Method:
  dot1x
  EAP Authentication Method :
  EAP-TLS
  EAP Tunnel Method :
  Username:
  [email protected]
  RADIUS Username :
  host/LENOVO-PC.tdsouth.com
  Calling Station ID:
  00:26:82:F1:E6:32
  Framed IP Address:
  Use Case:
  Network Device:
  WLC
  Network Device Groups:
  Device Type#All Device Types,Location#All Locations
  NAS IP Address:
  192.168.1.225
  NAS Identifier:
  WLC-TDS
  NAS Port:
  4
  NAS Port ID:
  NAS Port Type:
  Wireless - IEEE 802.11
  Allowed Protocol:
  TDS-PEAP-TLS
  Service Type:
  Framed
  Identity Store:
  AD1
  Authorization Profiles:
  Active Directory Domain:
  tdsouth.com
  Identity Group:
  Allowed Protocol Selection Matched Rule:
  TDS-WLAN-DOT1X-EAP-TLS
  Identity Policy Matched Rule:
  Default
  Selected Identity Stores:
  Authorization Policy Matched Rule:
  SGA Security Group:
  AAA Session ID:
  ISE-TDS/215430381/40
  Audit Session ID:
  c0a801e10000007f54ffe828
  Tunnel Details:
  Cisco-AVPairs:
  audit-session-id=c0a801e10000007f54ffe828
  Other Attributes:
  ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
  Posture Status:
  EPS Status:
   Steps
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12806  Prepared TLS ServerHello message
  12807  Prepared TLS Certificate message
  12809  Prepared TLS CertificateRequest message
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12571  ISE will continue to CRL verification if it is configured for specific CA
  12571  ISE will continue to CRL verification if it is configured for specific CA
  12811  Extracted TLS Certificate message containing client certificate
  12812  Extracted TLS ClientKeyExchange message
  12813  Extracted TLS CertificateVerify message
  12804  Extracted TLS Finished message
  12801  Prepared TLS ChangeCipherSpec message
  12802  Prepared TLS Finished message
  12816  TLS handshake succeeded
  12509  EAP-TLS full handshake finished successfully
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  Evaluating Identity Policy
  15006  Matched Default Rule
  24433  Looking up machine/host in Active Directory - [email protected]
  24492  Machine authentication against Active Directory has failed
  22059  The advanced option that is configured for process failure is used
  22062  The 'Drop' advanced option is configured in case of a failed authentication request
  But the user can authenticated by EAP-TLS
  AAA Protocol > RADIUS Authentication Detail
  RADIUS Audit Session ID : 
  c0a801e10000007f54ffe828
  AAA session ID : 
  ISE-TDS/215430381/59
  Date : 
  March     11,2015
  Generated on March 11, 2015 2:48:43 PM ICT
  Actions
  Troubleshoot Authentication 
  View Diagnostic MessagesAudit Network Device Configuration 
  View Network Device Configuration 
  View Server Configuration Changes
  Authentication Summary
  Logged At:
  March 11,2015 7:27:32.475 AM
  RADIUS Status:
  Authentication succeeded
  NAS Failure:
  Username:
  [email protected]
  MAC/IP Address:
  00:26:82:F1:E6:32
  Network Device:
  WLC : 192.168.1.225 :  
  Allowed Protocol:
  TDS-PEAP-TLS
  Identity Store:
  AD1
  Authorization Profiles:
  TDS-WLAN-PERMIT-ALL
  SGA Security Group:
  Authentication Protocol :
  EAP-TLS
   Authentication Result
  [email protected]
   State=ReauthSession:c0a801e10000007f54ffe828
   Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
   Termination-Action=RADIUS-Request
   cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
   MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
   MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
   Airespace-Wlan-Id=1
   Related Events
   Authentication Details
  Logged At:
  March 11,2015 7:27:32.475 AM
  Occurred At:
  March 11,2015 7:27:32.474 AM
  Server:
  ISE-TDS
  Authentication Method:
  dot1x
  EAP Authentication Method :
  EAP-TLS
  EAP Tunnel Method :
  Username:
  [email protected]
  RADIUS Username :
  [email protected]
  Calling Station ID:
  00:26:82:F1:E6:32
  Framed IP Address:
  Use Case:
  Network Device:
  WLC
  Network Device Groups:
  Device Type#All Device Types,Location#All Locations
  NAS IP Address:
  192.168.1.225
  NAS Identifier:
  WLC-TDS
  NAS Port:
  4
  NAS Port ID:
  NAS Port Type:
  Wireless - IEEE 802.11
  Allowed Protocol:

  Hello,
  I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
  Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network.

• ISE machine authentication timeout

  Hi all,
  We have a ISE infrastructure and we have enabled user and machine authentication through EAP-TLS.
  Everything is working fine except that every 1 hour user must log off and login again because machine authentication has, I think, expired!
  As you can imagine this is unacceptable. I saw that the machine restriction age is only 1 hour and changed it to 8 hours.
  My question is if machine restarts at 7 hours past first successful authentication will the timer reset or after an hour will be kicked and have to log off and in again?
  How have you bypassed the timeout of mar cache?
  My ISE version is 1.2 with 2 patches installed
  Thank you
  Sent from Cisco Technical Support iPad App

  Hi
  Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
  Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
  When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
  • If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
  • If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.

• Apple macosx machine authentication with ISE using EAP-TLS

  Hello,
  On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
  With windows machines all is working well. We are using computer authentication only.
  Now the problem is that we wish to do the same with MAC OSX machines.
  We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
  in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
  When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
  The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
  Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
  Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
  Thanks
  Gustavo Novais

  Additional information from the above question.
  I have the following setup;
  ACS 3.2(3) built 11 appliance
  -Cisco AP1200 wireless access point
  -Novell NDS to be used as an external database
  -Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
  -Windows XP SP2 Client
  My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
  Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
  When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
  Please help...
  Thanks

• ISE machine authentication - only plug in to the network after booting

  Hi experts.
  I have recently deployed ISE with machine authentication. 
  However, when the machine is already plugged in to the switch before booting, the machine does not authenticate automatically. It isn't until I log on, using a local computer account, that 802.1X authentication occurs. Using wireshark, I have verified again that this authentication is MACHINE authentication, not user-authentication.
  Is there a way to solve this problem, other than having my users unplug their computer and only plug in to the network after booting?
  Eric

  Hi Vattulu,
    The method of machine access restriction will be used, because there is no a plan to use anyconnect NAM on the client environment, since the prerequisite for EAP-chaining is to use anyconnect.
  Regards,
  Eric

• Is it possible to do machine and user authentication in same Authorization profile?

  Hi,
  I want to know is it possible to do machine authenticaiton and user authentication happen at the same time? Some thing like this...
  Condition
  IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
  Permissions
  then Vlan x
  Basically i am trying to check a machine is part of domain and user is valid only then he should be able to have full access.
  Any help will be of great value.

  Hi,
  IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
  - Not possible
  As user and machine authentication occur at different contexts.
  ACS cannot verify the both at the same time.
  Using MAR, you can, though club the both together and achieve:
  "machine is part of domain and user is valid only then he should be able to have full access"
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978
  Tips for configuring MAR:
  1) Set the client to perform user or computer authentication.
  2) Create two rules in authorization, one for user and and one for machine (identity them by using group membership on AD).
  3) Enable MAR under the AD configuration page on ACS and set the aging time.
  4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.
  Rate if useful

• Machine authentication with Windows 7

  Version: ISE 1.2p12
  Hello,
  I'm doing user and machine authentication with ISE.
  I use a first authorization rule to authenticate the machine against the AD. If it's part computers of the domain.
  Then I use an authorization rule to check if the user's group in AD with the credential he used to open the session + "Network Access:WasMachineAuthenticated = True"
  Things seems to be working and I see my switch port is "Authz Success" but shortly after the Windows 7 machine is behaving like 802.1X authentication fails. The little computer on the bottom right has a cross on it.
  If I disable and enable again the network card of that windows machine it works.
  Does any one of you have an idea about this problem ? something to tweak on Windows 7 like timers...
  Thank you

  Hi Mika. My comments below:
  a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems since the MAC address could have been removed from the cache when the user un-hibernate its computer. Then why not increasing the MAR cache to a value of 7 days then ? Regarding the roaming between wire and wireless it's a problem indeed.
  NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first pos that you should look into. But yes, you can increase the MAR timer to a value that fits your environent
  b) You suggest to use one authorization rule for the device which should be part of the AD and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the was, are we really talking about authorization rules here ? I will try this but it's difficult for me to imagine how it would really work.
  NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
  z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
  NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
  https://tools.ietf.org/html/rfc7170
  Thank you for rating helpful posts!

• Enforce AnyConnect client to do machine authentication when user is logged on

  Hi All,
  I want to use AnyConnect as a supplicant to our corporate WLAN and also use Machine Authentication feature on ACS 5.3.
  Is there a way how to enforce AnyConnect client to do machine authentication when user is logged on? Sometimes can happen, when user just hybernate the computer and do not log off and log on. If they don't do this in some period, then they are not allowed to use WLAN.
  Thanks for your help.
  Regards
  Karel

  The problem appears to be if a user hibernate or ACS is reloaded and machine authentication  timer expired and user need to logout and wait or reboot the machine. After that it authenticates and then user can login again.  Anyconnect 3.1 will allow eap chainging and should be able to address that problem.

• ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

  We are running ISE 1.3 tied to AD with WLC 7.6.130.0.  Our ISE has a GoDaddy (none wildcard) certificate loaded for https and EAP.  We are just running PEAP.  We have a mix of IOS, Android, and Windows 7/8 devices.  IOS and Android devices can self create a wireless profile and after entering credentials can connect without issue.  Our Windows 7/8 devices, when auto creating a wireless profile are selecting 802.1x machine authentication instead of User authentication or the best option which is machine or user authentication.  This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only.  This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity.  The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE1.2), or the best option which is to allow both types of authentication?  I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list.  Neither have helped.  I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
  Thank you for any help or ideas,

  When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile.  In that profile, 802.1x computer authentication option is chosen by windows.  That has to be changed to computer or user for the machine to function correctly on the network.
  On 1.2, this behavior was different.  The Windows device would auto select user authentication by default.  At other customer sites, windows devices auto select user authentication.  This of course needs  to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

• Machine and User authentication with ISE 1.2.1

  Hi ,
  Can any one tell me in machine authentication what access need to be enable DACL for machine logon?
  Can we enable the access on port level ? direct to tcp/udp or ip level what is the best practice.
  Thanks 
  Pranav

  is this what you are looking for EAP Chaining which uses a machine certificate or a machine username / password locked to the device through the Microsoft domain enrollment process. When the device boots, it is authenticated to the network using 802.1X. When the user logs onto the device, the session information from the machine authentication and the user credentials are sent up to the network as part of the same user authentication. The combination of the two indicates that the device belongs to the corporation and the user is an employee.
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf