ISE 1.2.1 AD machine authent fails

We put ISE into bypass mode due to the 2012 R2 issue and after upgrading to 1.2.1 in ISE, and taking it out of bypass. i am seeing machines fail due to either "supplicant stopped responding" or it fails saying not found in Identity Stores. The only thing that fixes it is an auth open on the port. at first they would report the MAC as the username instead of the Machine name. Now i see them reporting the machine name correctly but with a fail message of "supplicant stopped responding". TAC has said its a local machine problem or GPO but nothing has changed on either one of those, the only change was ISE. I did as he suggested, stop/started wired auto config, no change, also downloaded some hotfixes from MS for various EAP issues, no change.
What ever info you need, let me know. i know this is a huge area to try to troubleshoot.

Will need some more info:
1. What type of authentication are you performing? (EAP-PEAP, EAP-TLS, etc?)
2. Can you post screen shots with the supplicant's configuration
3. Screen shots of the failed authentication detailed screen
4. Screen shot or export of your authentication/authorization rules
5. What is the status of ISE's connection to AD? I have seen it go to joined but disconnected after upgrade
Thank you for rating helpful posts!

Similar Messages

  • ACS Machine Authentication Fails Every 30 Days

    Running ACS5.2, Windows XP Pro, Window Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password"
    TAC has been working with us on this and sees the error in the logs but does not have an answer on with to do to solve this. It has the same problem with Wireless Zero.
    Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting so this is a not just a minor problem

    So it looks like this is the offical Microsoft answer:
    Hello Tom,
    I had a discussion with an escalation resource on this case and updated him on what we found so far, From what  I understand this is a known issue when the client is using PEAP with computer authentication only  and the workarounds to this problem are the 2 solutions lined up in that article that I sent you.
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;904943
    Regards
    Krishna

  • Machine Authentication by AD

    I'm trying to implement Machine Authentication with PEAP in ACS 5.1. The Machine should get autenticated from AD and then user authentication. We don't want to use certificate for authentication. I only selected PEAP EAP-MS-CHAPv2 protocol in Allowed Protocol.
    I can authenticate by user but not by machine. We have 2008 AD. Is there any settings or any grouping i have to do on AD side or in ACS.
    If someone can give us some suggestion or documentation then it will really help us solve the problem.
    Thanks for your help.

    The ideal solution to avoid non-domain machines is to put Machine Access Restriction on the ACS. Where in the user has to pass machine authentication and user authentication from the same machine to be allowed access to the network, else if the machine authentication fails (for iphones or non-domain machine) and only user authentication passes-- ACS will deny the user connection.
    Here is the details of this feature:
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1053213
    Snip:
    "ACS machine access restriction (MAR) features use AD to map machine authentication to user authentication and authorization, and sets a the maximal time allowed between machine authentication and an authentication of a user from the same machine. Most commonly, MAR fails authentication of users whose host machine does not successfully authenticate or if the time between machine and user authentication is greater than the specified aging time. You can add MAR as a condition in authentication and authorization rules as required."
    Hope that helps!
    Regards,
    ~JG
    Do rate helpful posts

  • 802.1x PEAP Machine Authentication with MS Active Directory

    802.1x PEAP Machine and User Authentication with MS Active Directory:
    I have a simple pilot-text environment, with
    - Microsoft XP Client,
    - Cisco 2960 Switch,
    - ACS Solution Engine (4.1.4)
    - MS Active Directory on Win 2003 Server
    The Remote Agent (at 4.1.4) is on the same server as the MS AD.
    User Authentication works correctly, but Machine Authentication fails.
    Failed machine authenticaton is reported in the "Failed Attempts" log of the ACS SE.
    The Remote Agent shows an error:
    See Attachment.
    Without Port-Security the XP workstation is able to log on to the domain.
    Many thanks for any indication.
    Regards,
    Stephan Imhof

    Is host/TestClientMan.Test.local the name of the machine? What does the AAA tell for you the reason it fails?

  • PEAP : Machine authentication doesn't work

    Hello,
    I'm trying to set up machine authentication and at this time I have some problems.
    I have the following configuration:
    - the users laptop are running WinXP
    - the AP is a 1232
    - ACS 3.3.2
    - external database (Win2000 Active Directory) authentication
    I set up PEAP and it works well when a user is authenticated. However when I enable machine authentication on the ACS and also on the user laptop, it doesn't work. In the ACS logs I can see that the user has not authenticated due to the machine access restriction.
    On the Active Directory I changed the Dial In config. for the computers to allow access.
    Is there anything else that has to be modified in order to perform machine authentication?
    Hope someone will be able to help me.
    Thanks in advance.
    Alex

    Hi Alex
    I have had a similar issue, I found that my PEAP users were fine but Machine authentication failed at the SSL handshake. I.E the machine didn't know where the local certificate was. In the meantime to get the policies working I unchecked the "validate server certificate" on the client. And that works, I would assume that the certificate needs to be in a specific default location for the machine authentication to use it, though thats just a guess.
    I am spending the day to get this working and I'll post what I find out.
    Regards
    Colin

  • ISE 1.2 - 24492 Machine authentication against AD has failed

    Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
    AuthZ policy is set to match agains /Users/Domain Computers and /Users Domain Users.  User authentication works, machine auth doesnt.
    Machine authentication box is ticked.
    If you try to disable an AD machine, or try a machine not in the domain you get the appropriate different response in the ISE logs which sugests it has the right access into AD to check this info.
    This happens on all computers, both WinXP and Win7 corporate builds.
    I know its not an ISE policy configuration as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
    Anybody got any ideas?
    thanks.

    24492
    External-Active-Directory
    Machine   authentication against Active Directory has failed
    Machine   authentication against Active Directory has failed.
    Error
    Please check NTP is in sync or not  ISE

  • ISE 1.1 - 24492 Machine authentication against AD has failed

    We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
    Authentication Summary
    Logged At:
    March 11,2015 7:00:13.374 AM
    RADIUS Status:
    RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    RadiusPacketType=Drop
     AuthenticationResult=Error
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:00:13.374 AM
    Occurred At:
    March 11,2015 7:00:13.374 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    host/LENOVO-PC.tdsouth.com
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:
    TDS-PEAP-TLS
    Service Type:
    Framed
    Identity Store:
    AD1
    Authorization Profiles:
    Active Directory Domain:
    tdsouth.com
    Identity Group:
    Allowed Protocol Selection Matched Rule:
    TDS-WLAN-DOT1X-EAP-TLS
    Identity Policy Matched Rule:
    Default
    Selected Identity Stores:
    Authorization Policy Matched Rule:
    SGA Security Group:
    AAA Session ID:
    ISE-TDS/215430381/40
    Audit Session ID:
    c0a801e10000007f54ffe828
    Tunnel Details:
    Cisco-AVPairs:
    audit-session-id=c0a801e10000007f54ffe828
    Other Attributes:
    ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
    Posture Status:
    EPS Status:
     Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12811  Extracted TLS Certificate message containing client certificate
    12812  Extracted TLS ClientKeyExchange message
    12813  Extracted TLS CertificateVerify message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12509  EAP-TLS full handshake finished successfully
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    Evaluating Identity Policy
    15006  Matched Default Rule
    24433  Looking up machine/host in Active Directory - [email protected]
    24492  Machine authentication against Active Directory has failed
    22059  The advanced option that is configured for process failure is used
    22062  The 'Drop' advanced option is configured in case of a failed authentication request
    But the user can authenticated by EAP-TLS
    AAA Protocol > RADIUS Authentication Detail
    RADIUS Audit Session ID : 
    c0a801e10000007f54ffe828
    AAA session ID : 
    ISE-TDS/215430381/59
    Date : 
    March     11,2015
    Generated on March 11, 2015 2:48:43 PM ICT
    Actions
    Troubleshoot Authentication 
    View Diagnostic MessagesAudit Network Device Configuration 
    View Network Device Configuration 
    View Server Configuration Changes
    Authentication Summary
    Logged At:
    March 11,2015 7:27:32.475 AM
    RADIUS Status:
    Authentication succeeded
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    TDS-WLAN-PERMIT-ALL
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    [email protected]
     State=ReauthSession:c0a801e10000007f54ffe828
     Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
     Termination-Action=RADIUS-Request
     cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
     MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
     MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
     Airespace-Wlan-Id=1
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:27:32.475 AM
    Occurred At:
    March 11,2015 7:27:32.474 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    [email protected]
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:

    Hello,
    I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
    Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network.

  • Cisco ISE Machine failed machine authentication

    Hi, last week we migrated to ISE 1.2 Patch 7 and since then we are having trouble with our corporate SSID.
    We have a rule that says :
    1) User is domain user.
    2) Machine is authenticated.
    But for some reason that I can't figure out some machine(I would say around 200/1000) can't seem to authenticate.
    This is the message I found in the "steps"
    24423     ISE has not been able to confirm previous successful machine authentication for user in Active Directory
    I was wondering if I could force something on the controller or on ISE directly.
    EDIT : In the operation > Authentication I can see that some host/MachineName are getting authenticated.
    Would I be able to force this as a step in my other rule.

    Hi shertica, and thank you for the explanation. I started working with ISE a month ago and still getting familiarized but I think the problem is the relationship between the Machine and the user because I can't find any Host/MachineName fail in the last 24 hour and I can't seem to have any log further than that.
    Failure Reason
    15039 Rejected per authorization profile
    Resolution
    Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
    Steps
    11001
    Received RADIUS Access-Request
    11017
    RADIUS created a new session
    15049
    Evaluating Policy Group
    15008
    Evaluating Service Selection Policy
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule
    11507
    Extracted EAP-Response/Identity
    12300
    Prepared EAP-Request proposing PEAP with challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12302
    Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318
    Successfully negotiated PEAP version 0
    12800
    Extracted first TLS record; TLS handshake started
    12805
    Extracted TLS ClientHello message
    12806
    Prepared TLS ServerHello message
    12807
    Prepared TLS Certificate message
    12810
    Prepared TLS ServerDone message
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12318
    Successfully negotiated PEAP version 0
    12812
    Extracted TLS ClientKeyExchange message
    12804
    Extracted TLS Finished message
    12801
    Prepared TLS ChangeCipherSpec message
    12802
    Prepared TLS Finished message
    12816
    TLS handshake succeeded
    12310
    PEAP full handshake finished successfully
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12313
    PEAP inner method started
    11521
    Prepared EAP-Request/Identity for inner EAP method
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11522
    Extracted EAP-Response/Identity for inner EAP method
    11806
    Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11808
    Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    15041
    Evaluating Identity Policy
    15006
    Matched Default Rule
    15013
    Selected Identity Source - IdentityStore_AD_liadom01
    24430
    Authenticating user against Active Directory
    24402
    User authentication against Active Directory succeeded
    22037
    Authentication Passed
    11824
    EAP-MSCHAP authentication attempt passed
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11810
    Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814
    Inner EAP-MSCHAP authentication succeeded
    11519
    Prepared EAP-Success for inner EAP method
    12314
    PEAP inner method finished successfully
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    24423
    ISE has not been able to confirm previous successful machine authentication for user in Active Directory
    15036
    Evaluating Authorization Policy
    24432
    Looking up user in Active Directory - LIADOM01\lidoex
    24416
    User's Groups retrieval from Active Directory succeeded
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule - AuthZBlock_DOT1X
    15016
    Selected Authorization Profile - DenyAccess
    15039
    Rejected per authorization profile
    12306
    PEAP authentication succeeded
    11503
    Prepared EAP-Success
    11003
    Returned RADIUS Access-Reject
    Edit : I found a couple of these :
    Event
    5400 Authentication failed
    Failure Reason
    24485 Machine authentication against Active Directory has failed because of wrong password
    Resolution
    Check if the machine is present in the Active Directory domain and if it is spelled correctly. Also check whether machine authentication is configured properly on the supplicant.
    Root cause
    Machine authentication against Active Directory has failed because of wrong password.
    Username
    host/MachineName
    I also have an alarming number of : Misconfigured Supplicant Detected(3714)

  • AD Machine Authentication with Cisco ISE problem

    Hi Experts,
    I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
    Authentication policy:
    Allowed protocol = PEAP & TLS
    Authorization Policy:
    Condition for computer to be checked in external identity store (AD) = Permit access
    Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
    All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
    Switchport configuration:
    ===============================================
    ip access-list extended ACL-DEFAULT
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    permit ip any host (AD)
    permit icmp any any
    permit ip any host (ISE-1)
    permit ip any host  (ISE-2)
    permit udp any host (CUCM-1) eq tftp
    permit udp any host (CUCM-2)eq tftp
    deny ip any any
    ===============================================
    switchport config
    ===============================================
    Switchport Access vlan 10
    switchport mode access
    switchport voice vlan 20
    ip access-group ACL-DEFAULT in
    authentication open
    authentication event fail action next-method
    authentication event server dead action authorize vlan 1
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication timer inactivity 180
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 100
    ====================================================
    One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
    Your help will highly appreciated.
    Regards,

    You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab.  If your switch configuration is on auth failure continue to next method, then this makes sense.  The question is why is the user failing auth but the machine is passing, could be something in the policy.  Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched.  Easy way to check is remove that rule from your policy and see if the same thing happens.
    I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time.  The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
    I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining.  This is great because you can do two part authentication.  EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet.  I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy.

  • Cisco ISE authentication failed because client reject certificate

    Hi Experts,
    I am a newbie in ISE and having problem in my first step in authentication. Please help.
    I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :
    Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
    Regards,
    Ratna

    Certificate-Based User Authentication via Supplicant Failing
    Symptoms or
    Issue
    User authentication is failing on the client machine, and the user is receiving a
    “RADIUS Access-Reject” form of message.
    Conditions (This issue occurs with authentication protocols that require certificate validation.)
    Possible Authentications report failure reasons:
    • “Authentication failed: 11514 Unexpectedly received empty TLS message;
    treating as a rejection by the client”
    • “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
    the client rejected the Cisco ISE local-certificate”
    Click the magnifying glass icon from Authentications to display the following output
    in the Authentication Report:
    • 12305 Prepared EAP-Request with another PEAP challenge
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is reusing an existing session
    • 12304 Extracted EAP-Response containing PEAP challenge-response
    • 11514 Unexpectedly received empty TLS message; treating as a rejection by the
    client
    • 12512 Treat the unexpected TLS acknowledge message as a rejection from the
    client
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is re-using an existing session
    • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
    • 12815 Extracted TLS Alert message
    • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
    Cisco ISE local-certificate
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    Note This is an indication that the client does not have or does not trust the Cisco
    ISE certificates.
    Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
    The client machine is configured to validate the server certificate, but is not
    configured to trust the Cisco ISE certificate.
    Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

  • Apple macosx machine authentication with ISE using EAP-TLS

    Hello,
    On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
    With windows machines all is working well. We are using computer authentication only.
    Now the problem is that we wish to do the same with MAC OSX machines.
    We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
    in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
    When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
    The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
    Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
    Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
    Thanks
    Gustavo Novais

    Additional information from the above question.
    I have the following setup;
    ACS 3.2(3) built 11 appliance
    -Cisco AP1200 wireless access point
    -Novell NDS to be used as an external database
    -Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
    -Windows XP SP2 Client
    My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
    Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
    When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
    Please help...
    Thanks

  • ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

    We are running ISE 1.3 tied to AD with WLC 7.6.130.0.  Our ISE has a GoDaddy (none wildcard) certificate loaded for https and EAP.  We are just running PEAP.  We have a mix of IOS, Android, and Windows 7/8 devices.  IOS and Android devices can self create a wireless profile and after entering credentials can connect without issue.  Our Windows 7/8 devices, when auto creating a wireless profile are selecting 802.1x machine authentication instead of User authentication or the best option which is machine or user authentication.  This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only.  This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity.  The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE1.2), or the best option which is to allow both types of authentication?  I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list.  Neither have helped.  I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
    Thank you for any help or ideas,

    When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile.  In that profile, 802.1x computer authentication option is chosen by windows.  That has to be changed to computer or user for the machine to function correctly on the network.
    On 1.2, this behavior was different.  The Windows device would auto select user authentication by default.  At other customer sites, windows devices auto select user authentication.  This of course needs  to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

  • ISE 802.1x EAP-TLS machine and smart card authentication

    I suspect I know the answer to this, but thought that I would throw it out there anway...
    With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card  authentication simultaneously for wired/wireless clients (specifically  Windows 7/8, but Linux or OSX would also be good).  I can find plenty of  information regarding 802.1x machine authentication (EAP-TLS) and user  password authentication (PEAP), but none about dual EAP-TLS  authentication using certificates for machines and users at the same time.  I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end.  For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other.  Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

    Hope this video link will help you
    http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

  • Machine authentication is a little slow causing logon script to fail

    using:
    - Windows Zero with PEAP
    - Machine authentication only (AuthMode is set to 2 in the registry)
    - PCs are loginning it automatically, so it's a fast process
    It appears that machine authentication is a little slow. I can ping the PC's IP after the auto login happens. This cuses logon script to fail.
    If I hold shift to cancel auto-login, and wait for 10-20 seconds, the ping of the PC starts, and then if I login the logon script works.
    Does anyone know a solution to this issue? Maybe a way to introduce a delay for login window (msgina.dll) to appear, so that machine authentication has time to connect

    It's a common issue when authentication takes time.
    You can simply delay the logon scripts.
    This is an example of waiting for network to be up by pinging 10.10.10.10
    Only when network is up, then it will execute the script
    :CHECK
    @echo off
    echo Please wait....
    ping -n 1 -l 1 10.10.10.10
    if errorlevel 1 goto CHECK
    @echo on
    # Now the actual Logon script:
    net use L: \\fileserver\share
    Note: Modify the script in accordance with the network topology.
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Only machine authentication in ISE

    Hello,
    I would like to know is it possible to have only machine authentication (No user auth at all) in ISE infrastructure. If yes then what credential need to be provide at the time of 802.1X auth login or there is no need to provide any credential and workstation automatically passed authentication process.
    Thanks in advanced

    Hi,
    Yes but you will need to use your normal login credentials and set every supplicant to do computer authentication only. Keep in mind most windows supplicant only do machine authentications at certain times.
    Keep in mind you can do machine and user auth and build policies such that only users on authenticated machines are granted access.
    Sent from Cisco Technical Support iPad App

Maybe you are looking for