EAP authentication

Hi,
Can anyone help me to configure EAP in Cisco ACS 4.1? In fact, I am using the Cisco ACS for wireless clients through a WLC4402, on which I have enabled 802.1X; ACS is also configured for basic authentication.
I want to use the EAP authentication.
Thanks and Regards,
S.Venkataraman

Please find attached PEAP config guide.
Regards,
~JG
Do rate helpful posts

Similar Messages

  • Open and Network-EAP authentication - difference in security?

    As far as security goes, and assuming RADIUS authentication will actually authenticate and allow users access to the wireless network (or not), is there any difference (once again, as far as security goes) between Open Authentication and Network-EAP as described below?
    In any EAP/802.1x-based authentication method, you may question what the differences are between Network-EAP and Open authentication with EAP. These items refer to values in the Authentication Algorithm field in the headers of management and association packets. Most manufacturers of wireless clients set this field at the value 0 (Open authentication), and then signal their desire to do EAP authentication later in the association process. Cisco sets the value differently, from the start of association with the Network EAP flag.

    1. Join process - comparable to connecting a cable in the wired network world. Usually "OPEN".
    2. Authentication - this verifies the client is who they claim they are because they possess a certificate (EAP-TLS), know the password or a PSK.
    3. Encryption with TKIP or AES - this is about protecting data as it is transmitted through the air AFTER authentication.
    You are correct.
    What confuses me when attempting to configure the Aironet I'm working with is the difference in terminology with the familiar choices I had in Linksys access points, something like this:
    - WEP
    - WPA
    - WPA-Enterprise
    - WPA2
    - WPA2-Enterprise
    I thought WPA-Enterprise has to do with RADIUS, and indeed I was able to create a test network in which a Windows XP laptop could connect via a Linksys access point, authenticating with EAP-TLS, with WPA-Enterprise selected on the AP. The Windows 2008 server was both a certificate authority, a RADIUS (NPS) server and a domain controller.
    With the Aironet, I'm not sure what the equivalent choices should be, because, if you look at the link in my last post, there is a larger selection: WEP 40 bit, WEP 128 bit, TKIP, AES, combinations of what precedes and no reference to WPA or WPA2. I'm guessing TKIP = WPA and AES = WPA2.
    And while I can select "EAP" in the Express Security Setup tab, I cannot see where I would opt for EAP-TLS rather than PEAP or EAP-TTLS and so forth.
    I'm going to take a look at your blog now and see if that doesn't enlighten me further.
    You are on track my friend, keep the thinking going ... you are very close!
    Some more foundation for you ...
    WPA - Is PSK with TKIP
    WPA2 - Is PSK with AES
    WPA Enterprise - EAP-??? with TKIP
    WPA2 Enterprise - EAP-??? with AES
    ??? = Your selected EAP type
    Now, why don't you have to configure the EAP type on the AP? Great question, let's break this down.
    1. The AP, or WLC for that matter, doesn't care what EAP type you use. Why, you ask?
    When you configure 802.1X, there are 2 virtual ports. These are virtual and you do nothing to configure them. Once you connect to an AP and EAP starts, the AP BLOCKS ALL TRAFFIC except for EAPOL traffic. This is the ONLY traffic allowed past until the AP/WLC receives a RADIUS SUCCESS. Once the AP/WLC sees this RADIUS success it then switches virtually over to the controlled port and allows ALL your traffic to pass.
    2. With that being said, your client is only passing traffic through the AP and WLC. The AP/WLC doesn't care what EAP you are using. Your client is talking directly to the RADIUS server at that point. The AP/WLC at this point is only a pass-through, nothing more.
    Does that help?
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

  • 802.1x authentication only on virtual machine. I want to bypass EAP authentication on host machine

    I want to do EAP (802.1x) authentication with the client installed on a virtual machine. I want to bypass EAP (802.1x) authentication on the host machine, because I want to test it on the client in the VM, not on the host machine. For Wi-Fi it works fine because I can have a USB Wi-Fi NIC which connects to the VM directly and the authentication goes fine, as the host machine NIC does not come into the picture at all.
    But in the case of wired, the VM NIC has to go via the host NIC.

    Hello,
    I managed to do that with a VM and a host, both authenticating in wired, behind a phone. The host would receive an ACL limiting its traffic to just internet and the VM could access the internal network. (do not ask to discuss the use case).
    The considerations were that:
    both host and VM would need to be on the same dynamically assigned VLAN, as 2960/3750 do not support two DATA domain hosts in different VLANs (3850 apparently supports or will support it), so I had to have 802.1X both on the host and in the VM.
    the vSwitch in VMware Workstation had to be in bridge mode.
    authentication mode multiauth had to be enabled on the interface in order to cope with multiple authenticated sessions behind the same interface.
    What is exactly your question?
    Gustavo

  • Disable EAP Authentication for Web-Auth on WLC

    Hello Everyone
    We use a special RADIUS server which is implemented according to RFC 2865. But now we get errors that the RADIUS server can't handle Attribute Type 80.
    From what I know, this attribute has to do with EAP authentication, which is a newer addition according to RFC 2869.
    How can I configure the WLC to disable EAP authentication?
    Thank you in advance
    Chris Kaiser

    EAP authentication is defined on the SSID... So if you're using RADIUS to authenticate WebAuth users, then you need to make sure that you use open authentication with WebAuth. Don't specify any layer 2 encryption methods and the WLC will not send EAP requests to the RADIUS server.
    Sent from Cisco Technical Support iPhone App

  • Sleeping iOS Device, Waking Up After Roam & EAP Authentication

    Has anyone here (Scott Fella, maybe?) experienced an iOS device waking up from sleep and completing a successful EAP authentication?
    All the Cisco recommended WLC tweaks discussed on these forums (load balancing off, lower data rates disabled, etc.) have been implemented. The WLAN is very well designed with proper SNR, channel separation, etc. Still, iOS devices will wake up having roamed to a new AP and take 20 seconds or more to authenticate. This is in a retail environment with customers staring, waiting. 20 seconds can be a long time with a customer staring at you. Non-iOS devices do not have the issue. iOS devices on an open SSID do not have an issue, so I'm questioning EAP timing and wonder if anyone here can chime in with suggestions.
    Any insight appreciated.

    It should be done within seconds. Could you give us the output of the following commands?
    Show sysinfo
    Show wlan x
    Debug mac x from a client waking up?

  • Cisco ISE multiple EAP authentication methods question

    With Cisco ISE can you have various clients each using different EAP methods, such as PEAP for Windows machines, MD5 for legacy and TLS for others?
    My current efforts seem to fail, as if a device gets a request from the ISE for an EAP method it doesn't understand it just times out.
    Thanks in advance.

    Multiple EAP methods work fine. If your clients are being crap you could try forcing them to use a specific set of Allowed Authentication Methods by creating more specific authentication rules.
    Sent from Cisco Technical Support iPad App

  • ISE EAP Authentication fails

    I've integrated a new ISE deployment. After a while I started getting the following error, for wired users; it randomly fails on different users.
    The NAD I use is a WS-C3650-48PD with the 03.03.03SE cat3k_caa-universalk9 version.
    All was working properly for one month; all of a sudden it has started to report this error.
    I tried to optimize the timers, but it's still the same.
    Also, when I do a clear authentication on the same user who has failed, the authentication passes.
    Please advise.
    Event
    5400 Authentication failed
    Failure Reason
    12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
    Resolution
    Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
    Root cause
    Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

    IOS-XE has been very problematic. The version of code that you are running is not that old but I would recommend that you upgrade it. I have heard very positive feedback for v.3.7.0 but it is fairly new so if you want to be safe I would suggest running the 3.3.5.
    Thank you for rating helpful posts!

  • Need help in configuring Cisco AP to support EAP authentication

    Hello all,
    In desperation after trying for more than 3 weeks, I am trying in this way to get a solution to my following problem.
    I am trying to build up an 802.1x scenario using 802.11b infrastructure (RADIUS server, Cisco 1100 Aironet AP, Cisco PCMCIA WLAN card with Xsupplicant software; the complete OS is Linux). I am trying to use EAP-MD5 authentication. It seems that the things are functioning in standalone mode.
    The client wants to authenticate to access the WLAN. It sends an EAPoL start packet and gets a request from the AP for user identity. Good. Then the user sends his identity with an EAP packet. The Cisco AP is forwarding the request to the RADIUS server as specified in many documents. It is also good. The RADIUS server is sending a request for challenge (password). Up to this point things are going fine.
    Now the Cisco AP is not sending this challenge to the Xsupplicant, it is just ignoring it. Can anyone help me on this point? If needed I can also send the configuration file of the AP.
    I would be very thankful if I could solve this problem with your support.
    Thanking you in advance,
    Felix

    As per the RFC for RADIUS, a RADIUS Server receiving an Access-Request with a Message-Authenticator Attribute present MUST calculate the correct value of the Message-Authenticator and silently discard the packet if it does not match the value sent. A RADIUS Client receiving an Access-Accept, Access-Reject or Access-Challenge with a Message-Authenticator Attribute present MUST calculate the correct value of the Message-Authenticator and silently discard the packet if it does not match the value sent.
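Added example, not code from any post on this page: a Python implementation of the Message-Authenticator check quoted above, which is the same RFC 2869 attribute ("Attribute Type 80") that the Web-Auth thread's RADIUS server could not handle. It builds an Access-Request and an Access-Challenge carrying the attribute, then performs the server-side and client-side verification the RFC text describes, including the detail that a response's HMAC is computed over the Request Authenticator, not the Response Authenticator. The shared secret, identifier and attribute values are constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used here (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ACCESS_CHALLENGE = 11
USER_NAME = 1
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80   # the "Attribute Type 80" the Web-Auth thread asks about
HEADER_LEN = 20              # code(1) + identifier(1) + length(2) + authenticator(16)


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (counting the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def find_message_authenticator(packet: bytes) -> int:
    """Offset of the 16-byte Message-Authenticator value, or -1 if absent or malformed."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return -1
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            return -1
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return -1            # truncated or bogus TLV: treat the packet as malformed
        if atype == MESSAGE_AUTHENTICATOR:
            return pos + 2 if alen == 18 else -1
        pos += alen
    return -1


def expected_message_authenticator(packet: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 keyed with the shared secret over the whole packet with the
    Message-Authenticator value replaced by 16 zero bytes (RFC 2869 section 5.14)."""
    off = find_message_authenticator(packet)
    if off < 0:
        raise ValueError("no well-formed Message-Authenticator attribute")
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def build_access_request(identifier: int, request_authenticator: bytes,
                         attrs: list, secret: bytes) -> bytes:
    """Access-Request whose last attribute is a correct Message-Authenticator."""
    body = b"".join(attrs) + build_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    return packet[:-16] + expected_message_authenticator(packet, secret)


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   attrs: list, secret: bytes) -> bytes:
    """Access-Accept/Reject/Challenge: the HMAC is computed with the Request Authenticator
    in the header, then the Response Authenticator (RFC 2865 section 3) is filled in."""
    body = b"".join(attrs) + build_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    mac = expected_message_authenticator(header + request_authenticator + body, secret)
    body = body[:-16] + mac
    response_authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_authenticator + body


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: a mismatch means silently discard. A missing attribute is also
    rejected here, since packets carrying EAP-Message must be signed (RFC 2869 section 5.13)."""
    off = find_message_authenticator(packet)
    if off < 0:
        return False
    return hmac.compare_digest(packet[off:off + 16],
                               expected_message_authenticator(packet, secret))


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check: verify the Response Authenticator, then recompute the HMAC with
    the matching Access-Request's Request Authenticator substituted into the header."""
    off = find_message_authenticator(packet)
    if off < 0:
        return False
    with_request_auth = packet[:4] + request_authenticator + packet[HEADER_LEN:]
    if not hmac.compare_digest(packet[4:HEADER_LEN], hashlib.md5(with_request_auth + secret).digest()):
        return False
    return hmac.compare_digest(packet[off:off + 16],
                               expected_message_authenticator(with_request_auth, secret))
```

Both verifiers use constant-time comparison and reject malformed TLVs before computing anything, which is the behaviour a server built to RFC 2865 alone (as in the Web-Auth thread) lacks when it meets attribute 80.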

  • Initial configuration of ACS 5.1 for EAP authentication for Wireless clients

    Hi,
    I have a set-up with the below devices:
    Wireless LAN controller 5508
    LAP 3302i
    and ACS 5.1
    Since I am new to ACS 5.1 configuration, I need some information to go ahead and configure ACS 5.1.
    Which EAP method should I use for wireless client authentication? What is the best practice?
    I have gone through some Cisco documents and they show that the best practice is to configure PEAP, but for that I need to install a certificate in the ACS server as well as in the client PC. Is that so?
    I have no clear picture of this certificate.
    From where can I get this certificate, or do I need to purchase this certificate separately from Cisco? How do I install it in the ACS server?
    I will be obliged to get at least an initial configuration for ACS 5.1 to enable the EAP method.
    I need a GUI-based initial configuration for ACS 5.1.
    This ACS 5.1 is installed on an ACS 1121 hardware appliance.

    Hi,
    Which EAP method should I use for wireless client authentication? What is the best practice?
    -> I would advise the most widespread EAP method, which has the best security/ease-of-deployment ratio: PEAP with MSCHAPv2, which is available by default on all Windows machines.
    I have gone through some Cisco documents and they show that the best practice is to configure PEAP, but for that I need to install a certificate in the ACS server as well as in the client PC. Is that so?
    -> You will always need to install a server certificate; however, there is no need for a client certificate because the authentication is based on the MSCHAP credentials exchange, not certificates. The only requirement on the client regarding certificates is the following.
    If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.
    If you do not require trusting the server certificate, you can simply disable the option of server certificate validation.
    I have no clear picture of this certificate.
    From where can I get this certificate, or do I need to purchase this certificate separately from Cisco? How do I install it in the ACS server?
    -> The server certificate can be a simple self-signed certificate that you generate and install on the ACS GUI.
    Please feel free to follow this step-by-step guide on
    PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:
    http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in pdf
    http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • EAP authentication MS IAS RADIUS across Subnets without DC

    I have 2 sites set up using MS IAS 2003 RADIUS server and Cisco 1230 APs. Both sites that I have configured have MS DCs local and both sites perform USER and HOST based authentication. I have attempted to set up a third site, but this site is unique b/c it does not have a DC local. At this site the authentication appears to be timing out even though I set all timeouts to the highest intervals.
    I need the PC to be authenticated at the Windows login screen, then I need the user credentials passed to a DC, then I need them to be allowed access to the network. The device is requiring a local cached user to gain access; then it is authenticating and assigning an IP. However, I need this all to happen at the login screen prior to logging in b/c I do not allow local cached profiles.
    I had this similar problem at another site and adjusting the timeouts corrected that, but a DC was also local.
    Any ideas are appreciated

    Hello, try to create a "realm" in the IAS config.
    At the IAS root click on Properties, choose realm and create for example "abc" = "yourdomain\"
    after that, in the VPN client when prompted for username:
    example: if your username is Jerry, write as username
    abcJerry and it will be translated like
    yourdomain\jerry
    Hope it can help you.
    have a happy new year
    ollivier imbert

  • EAP Authentication Configuration for EAP-FAST and PEAP

    Hi Everyone,
    I pretty much got EAP working, however using LEAP.
    When I get to EAP-FAST and PEAP, I just can't seem to get it to work.
    What am I missing? I do know that EAP-FAST and PEAP involve certificates. However, how do I set them up on the client side?
    Hope you guys can help me on this, stuck on this part xD

    EAP is a complicated subject for sure. But it shouldn't be really once you know the foundation.
    EAP-PEAP can use server side and client side and EAP-FAST can as well. It all depends how it's deployed.
    Generally speaking, most deployments of PEAP use server side only and EAP-FAST uses PACs only.
    The cert that you install on the RADIUS server for PEAP is passed to the wireless supplicant and is used by the supplicant to hash the logon and password from the user. This hash is passed back to the RADIUS server, which has the private key and can decode the hash and pass the user ID and password back to AD, for example.
    Hope this helps ..

  • EAP Authentication Failing (External DB account restriction)

    Hi,
    I am using ACS 3.0 as my access server configured for LEAP authentication. Everything was working fine till 2 days back; all my wireless clients were getting authenticated,
    but suddenly they have stopped doing so. On checking the logs it says "External DB account restriction".
    I am using Windows Group Mapping. Don't know why suddenly it has started behaving like this; I have made no changes on the user profiles/permissions from either ACS or the Windows servers.
    Any clue... suggestions..
    Thanks
    Maneesh

    I'm having the same problem and it is quite frustrating... It should not be this difficult.
    I've tried both IAS and ACS and I cannot get either one of them to work. I'm sure it has something to do with certificates... I just don't know what I'm doing wrong, but I'm going to beat the stuffing out of my server if I see "External DB account Restriction" one more time!
    Currently I'm trying to get ACS 3.2.1 (trial) on Win2k SP3 to work and time and time again, no matter how I try to install the certificate I create (following instructions in chapter 10 of the User Guide), I keep getting that infernal error. If someone out there could post SPECIFIC instructions about how they got their installation to work it would be GREATLY appreciated.
    Ben

  • EAP with MAC Authentication

    Quick question on EAP with MAC auth....
    Documentation shows that if you enable EAP with MAC, clients that do not support EAP authentication, will then be able to use MAC. Is it possible to enforce that clients use both EAP and MAC? I don't want to create a security hole by allowing clients to skip the EAP and only use MAC.
    Here is the text from http://www.cisco.com that supports above. Is this true, or am I just being paranoid?
    You can set up the access point to authenticate client devices using a combination of MAC-based and EAP authentication. When you enable this feature, client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication; if MAC authentication succeeds, the client device joins the network. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication.

    I have this exact same question on a 1242 AP running c1240-k9w7-mx.123-8.JA2
    I was told that it is possible on this version of IOS to select the "with EAP or MAC Authentication" option, but I have had no success in doing so.
    On Windows XP SP2 clients with the WPS-IE update installed, I disabled encryption and have open authentication selected. Nonetheless, the client continues to ask for credentials to connect to the network (I also deleted the registry keys that store these 802.1x credentials).
    Does anyone have an answer that we can use?

  • Problem with EAP and RADIUS

    Hi *,
    I have the following problem with RADIUS and EAP authentication.
    The RADIUS server sends an "Access-Accept" packet to my AP, but the station does not authenticate.
    I've tried with different encryption configurations and with different authentication methods under "dot11 ssid", but nothing changes...
    What could it be?
    Debug piece and configuration follows:
    *Jan 25 14:23:34.795: RADIUS/ENCODE(00000012): acct_session_id: 17
    *Jan 25 14:23:34.795: RADIUS(00000012): sending
    *Jan 25 14:23:34.799: RADIUS:   4E 47 56 7A 78 65 4A 4F 55 31 47 40 77 6C 61 6E  [NGVzxeJOU1G@wlan]
    *Jan 25 14:23:34.799: RADIUS:   2E 6D 6E 63 30 30 31 2E 6D 63 63 30 30 31 2E 33  [.mnc001.mcc001.3]
    *Jan 25 14:23:34.799: RADIUS:   67 70 70 6E 65 74 77 6F 72 6B 2E 6F 72 67        [gppnetwork.org]
    *Jan 25 14:23:34.799: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    *Jan 25 14:23:34.799: RADIUS:  NAS-Port            [5]   6   265
    *Jan 25 14:23:34.799: RADIUS:  NAS-Port-Id         [87]  5   "265"
    *Jan 25 14:23:34.799: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2
    *Jan 25 14:23:34.811: RADIUS/DECODE: EAP-Message fragments, 20, total 20 bytes
    *Jan 25 14:23:34.831: RADIUS/ENCODE(00000012):Orig. component type = DOT11
    *Jan 25 14:23:34.831: RADIUS:  AAA Unsupported Attr: ssid              [265] 8
    *Jan 25 14:23:34.831: RADIUS:   57 69 66 69 45 41                                [WifiEA]
    *Jan 25 14:23:34.831: RADIUS:  AAA Unsupported Attr: interface         [157] 3
    *Jan 25 14:23:34.831: RADIUS:   32                                               [2]
    *Jan 25 14:23:34.831: RADIUS(00000012): Config NAS IP: 192.168.173.2
    *Jan 25 14:23:34.831: RADIUS/ENCODE(00000012): acct_session_id: 17
    *Jan 25 14:23:34.835: RADIUS(00000012): sending
    *Jan 25 14:23:34.835: RADIUS:   10 01 00 01 07 05 00 00 D9 37 C3 D9 79 3E 33 EA  [?????????7??y>3?]
    *Jan 25 14:23:34.835: RADIUS:   F3 7D 73 43 BF BA D0 6A                          [?}sC???j]
    *Jan 25 14:23:34.835: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    *Jan 25 14:23:34.835: RADIUS:  NAS-Port            [5]   6   265
    *Jan 25 14:23:34.835: RADIUS:  NAS-Port-Id         [87]  5   "265"
    *Jan 25 14:23:34.835: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2
    *Jan 25 14:23:35.035: RADIUS: Received from id 1645/64 192.168.177.158:1812, Access-Challenge, len 304
    *Jan 25 14:23:35.039: RADIUS:   46 10 78 5F 5F B0 CB 6C 0B 05 00 00 DA C3 BF 28  [F?x__??l???????(]
    *Jan 25 14:23:35.039: RADIUS:   E0 18 2B 95 97 C2 0A D7 40 53 FE 62              [??+?????@S?b]
    *Jan 25 14:23:35.039: RADIUS(00000012): Received from id 1645/64
    *Jan 25 14:23:35.039: RADIUS/DECODE: EAP-Message fragments, 60+220, total 280 bytes
    *Jan 25 14:23:35.355: RADIUS/ENCODE(00000012):Orig. component type = DOT11
    *Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: ssid              [265] 8
    *Jan 25 14:23:35.355: RADIUS:   57 69 66 69 45 41                                [WifiEA]
    *Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: interface         [157] 3
    *Jan 25 14:23:35.359: RADIUS:   92 DA 5E 26 CF 40 01 22 7A 8E F5 C1              [??^&?@?"z???]
    *Jan 25 14:23:35.359: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    *Jan 25 14:23:35.359: RADIUS:  NAS-Port            [5]   6   265
    *Jan 25 14:23:35.359: RADIUS:  NAS-Port-Id         [87]  5   "265"
    *Jan 25 14:23:35.359: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2
    *Jan 25 14:23:35.367: RADIUS: Received from id 1645/65 192.168.177.158:1812, Access-Accept, len 30
    *Jan 25 14:23:35.367: RADIUS:  authenticator 8C 2C 1B 97 82 BB 6C 7F - AA D3 4A AB CA 22 8B B7
    *Jan 25 14:23:35.367: RADIUS:  EAP-Message         [79]  10
    *Jan 25 14:23:35.367: RADIUS:   03 01 00 04 00 00 00 00                          [????????]
    *Jan 25 14:23:35.371: RADIUS(00000012): Received from id 1645/65
    *Jan 25 14:23:35.371: RADIUS/DECODE: EAP-Message fragments, 8, total 8 bytes
    *Jan 25 14:23:35.671: %DOT11-7-AUTH_FAILED: Station d023.dbb8.d6a9 Authentication failed
    Config:
    aaa new-model
    !
    aaa group server radius rad_eap
     server-private 192.168.177.158 auth-port 1812 acct-port 1813 key 7 044803071D2448
    !
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default if-authenticated
    aaa authorization network default if-authenticated
    !
    aaa session-id common
    ip name-server 192.168.177.45
    !
    dot11 ssid WifiEAP1
       vlan 10
       authentication open eap eap_methods
       authentication shared eap eap_methods
       authentication key-management wpa optional
       guest-mode
    !
    bridge irb
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption vlan 10 mode ciphers aes-ccm tkip wep128
     !
     broadcast-key vlan 10 change 300
     !
     ssid WifiEAP1
     !
     antenna gain 0
     station-role root
    !
    interface Dot11Radio0.10
     encapsulation dot1Q 10 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface GigabitEthernet0
     ip address 192.168.173.3 255.255.255.0
     no ip route-cache
    !
    interface GigabitEthernet0.1
     encapsulation dot1Q 10 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 192.168.173.2 255.255.255.0
     no ip route-cache
    !
    ip radius source-interface BVI1
    bridge 1 route ip
    thanks so much!

    Stefano: not sure if related but there is an unsupported attribute in the debugs:
    Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr:
    *Jan 25 14:23:35.355: RADIUS:   57 69 66 69 45 41
    *Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: interface
    Try to eliminate any configured attributes on the RADIUS server except those in IETF RADIUS. Then try again.
    You may also check by removing the shared EAP as suggested above. Let us know if this works.
    Sent from Cisco Technical Support iPad App
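Added example (my own code, not Stefano's configuration or the replier's): a small parser for IOS debug radius output of the kind pasted above. It recovers one record per timestamp even when the dump was pasted run together, then applies the checks a reviewer of this exchange would make: which attributes the AAA encoder flagged as unsupported (the reply's point), what the Access-Accept actually carried, and whether the 802.11 failure came after a RADIUS accept, which moves the problem from the server to the AP side. The sample records are constructed to match the post's format and are only a subset of its dump; the regular expressions are tuned to that format and are assumptions about it.

```python
import re

# Constructed sample in the format of the debug radius dump quoted in the post
# (a subset of its records, run together on one line exactly as pasted).
SAMPLE_DEBUG = (
    "*Jan 25 14:23:34.831: RADIUS/ENCODE(00000012):Orig. component type = DOT11"
    "*Jan 25 14:23:34.831: RADIUS:  AAA Unsupported Attr: ssid              [265] 8   "
    "*Jan 25 14:23:34.831: RADIUS:   57 69 66 69 45 41                                [WifiEA]"
    "*Jan 25 14:23:34.831: RADIUS:  AAA Unsupported Attr: interface         [157] 3   "
    "*Jan 25 14:23:34.835: RADIUS(00000012): sending"
    "*Jan 25 14:23:34.835: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]"
    "*Jan 25 14:23:34.835: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2             "
    "*Jan 25 14:23:35.035: RADIUS: Received from id 1645/64 192.168.177.158:1812, Access-Challenge, len 304"
    "*Jan 25 14:23:35.039: RADIUS(00000012): Received from id 1645/64"
    "*Jan 25 14:23:35.367: RADIUS: Received from id 1645/65 192.168.177.158:1812, Access-Accept, len 30"
    "*Jan 25 14:23:35.367: RADIUS:  authenticator 8C 2C 1B 97 82 BB 6C 7F - AA D3 4A AB CA 22 8B B7"
    "*Jan 25 14:23:35.367: RADIUS:  EAP-Message         [79]  10  "
    "*Jan 25 14:23:35.671: %DOT11-7-AUTH_FAILED: Station d023.dbb8.d6a9 Authentication failed"
)

# Every record starts with "*Mon dd hh:mm:ss.mmm: "; split in front of that marker.
RECORD_START = re.compile(r"(?=\*?[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}: )")
TIMESTAMPED = re.compile(r"^\*?([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): (.*)$", re.S)
SENDING = re.compile(r"RADIUS\(\w+\): sending")
RECEIVED = re.compile(r"RADIUS: Received from id \d+/\d+\s+\S+:\d+, (Access-\w+), len (\d+)")
ATTR = re.compile(r"RADIUS:\s+([A-Za-z][\w-]*)\s+\[(\d+)\]\s+\d+")   # "Name [type] length"
UNSUPPORTED = re.compile(r"AAA Unsupported Attr: (\w+)\s+\[(\d+)\]")
AUTH_FAILED = re.compile(r"%DOT11-7-AUTH_FAILED: Station (\S+) Authentication failed")


def split_records(text):
    """Recover (timestamp, message) pairs whether the dump has newlines or was pasted as one line."""
    records = []
    for chunk in RECORD_START.split(text):
        m = TIMESTAMPED.match(chunk.strip())
        if m:
            records.append((m.group(1), m.group(2).strip()))
    return records


def parse_radius_debug(text):
    """Group the dump into sent/received packets with their listed attributes, plus the
    encoder's unsupported-attribute complaints and any 802.11 authentication failures."""
    parsed = {"packets": [], "unsupported": [], "failures": []}
    current = None
    for seq, (ts, msg) in enumerate(split_records(text)):
        if m := UNSUPPORTED.search(msg):
            parsed["unsupported"].append((m.group(1), int(m.group(2))))
        elif SENDING.search(msg):
            # only the NAS sends in an authentication exchange, so "sending" is the Access-Request
            current = {"seq": seq, "ts": ts, "code": "Access-Request", "len": None, "attrs": []}
            parsed["packets"].append(current)
        elif m := RECEIVED.search(msg):
            current = {"seq": seq, "ts": ts, "code": m.group(1), "len": int(m.group(2)), "attrs": []}
            parsed["packets"].append(current)
        elif m := AUTH_FAILED.search(msg):
            parsed["failures"].append({"seq": seq, "ts": ts, "station": m.group(1)})
        elif (m := ATTR.search(msg)) and current is not None:
            current["attrs"].append(m.group(1))   # attribute lines follow the packet they belong to
    return parsed


def analyze(parsed):
    """The checks a reviewer would make on this exchange, as human-readable findings."""
    findings = []
    names = sorted({name for name, _ in parsed["unsupported"]})
    if names:
        findings.append("AAA encoder rejected non-IETF attributes: " + ", ".join(names))
    accepts = [p for p in parsed["packets"] if p["code"] == "Access-Accept"]
    for p in accepts:
        if not any(a.startswith("MS-MPPE") for a in p["attrs"]):
            findings.append(f"Access-Accept at {p['ts']} (len {p['len']}) lists {p['attrs']} and no "
                            "MS-MPPE-Send/Recv-Key: with WPA key management the AP has no PMK for the 4-way handshake")
    for f in parsed["failures"]:
        prior = [p for p in accepts if p["seq"] < f["seq"]]
        if prior:
            findings.append(f"station {f['station']} failed 802.11 authentication at {f['ts']} although RADIUS "
                            f"returned Access-Accept at {prior[-1]['ts']}: credentials were accepted, so look "
                            "between AP and client, not at the server")
    return findings


if __name__ == "__main__":
    for line in analyze(parse_radius_debug(SAMPLE_DEBUG)):
        print("-", line)
```

The MS-MPPE check rests on the fact that an 802.1X/WPA authenticator derives the PMK from the MS-MPPE-Recv-Key the server returns; the successful ISE Access-Accept later on this page shows both MPPE keys present, while the Access-Accept in Stefano's debug is 30 bytes and lists only EAP-Message.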

  • ISE 1.1 - 24492 Machine authentication against AD has failed

    We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
    Authentication Summary
    Logged At:
    March 11,2015 7:00:13.374 AM
    RADIUS Status:
    RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    RadiusPacketType=Drop
     AuthenticationResult=Error
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:00:13.374 AM
    Occurred At:
    March 11,2015 7:00:13.374 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    host/LENOVO-PC.tdsouth.com
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:
    TDS-PEAP-TLS
    Service Type:
    Framed
    Identity Store:
    AD1
    Authorization Profiles:
    Active Directory Domain:
    tdsouth.com
    Identity Group:
    Allowed Protocol Selection Matched Rule:
    TDS-WLAN-DOT1X-EAP-TLS
    Identity Policy Matched Rule:
    Default
    Selected Identity Stores:
    Authorization Policy Matched Rule:
    SGA Security Group:
    AAA Session ID:
    ISE-TDS/215430381/40
    Audit Session ID:
    c0a801e10000007f54ffe828
    Tunnel Details:
    Cisco-AVPairs:
    audit-session-id=c0a801e10000007f54ffe828
    Other Attributes:
    ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
    Posture Status:
    EPS Status:
     Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12811  Extracted TLS Certificate message containing client certificate
    12812  Extracted TLS ClientKeyExchange message
    12813  Extracted TLS CertificateVerify message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12509  EAP-TLS full handshake finished successfully
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    Evaluating Identity Policy
    15006  Matched Default Rule
    24433  Looking up machine/host in Active Directory - [email protected]
    24492  Machine authentication against Active Directory has failed
    22059  The advanced option that is configured for process failure is used
    22062  The 'Drop' advanced option is configured in case of a failed authentication request
    But the user can be authenticated by EAP-TLS
    AAA Protocol > RADIUS Authentication Detail
    RADIUS Audit Session ID : 
    c0a801e10000007f54ffe828
    AAA session ID : 
    ISE-TDS/215430381/59
    Date : 
    March 11,2015
    Generated on March 11, 2015 2:48:43 PM ICT
    Actions
    Troubleshoot Authentication 
    View Diagnostic Messages
    Audit Network Device Configuration
    View Network Device Configuration 
    View Server Configuration Changes
    Authentication Summary
    Logged At:
    March 11,2015 7:27:32.475 AM
    RADIUS Status:
    Authentication succeeded
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    TDS-WLAN-PERMIT-ALL
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    [email protected]
     State=ReauthSession:c0a801e10000007f54ffe828
     Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
     Termination-Action=RADIUS-Request
     cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
     MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
     MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
     Airespace-Wlan-Id=1
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:27:32.475 AM
    Occurred At:
    March 11,2015 7:27:32.474 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    [email protected]
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:

    Hello,
    I am analyzing your question and, looking at the ISE logs, I can see that the machine credential was LENOVO-PC. Are you sure that this credential exists in your Active Directory to validate this machine? Does the machine certificate have the correct machine credentials from the domain? Does the group mapped in the ISE rule have the machine inside it?
    This differs from the user authentication, which succeeds because the domain credentials can be validated by Active Directory and get access to the network.
