ISE, Windows 7, Machine AuthZ

I'm running into an issue that has me dead in the water on the completion of a rollout of ISE for Wireless.  The enterprise has two SSIDs, one internal, and one open, which is essentially an internet-only conduit.  No internal resources (other than DHCP and DNS) are available.  We moved this from a legacy SSID to using ISE several months ago. Very simple, no BYOD, no device registration, just Sponsor Portal for external laptops, and AD user authentication for employees' smartphones.  Works great.
The second task was to take a legacy internal SSID and convert it to ISE 1.2.  My thoughts on how to do this, based upon previous experience, the SISE courseware, the "Cisco ISE BYOD and Secure Unified Access" text (which I recommend), and that of a couple of consultants, were to use 802.1X to enforce machine and user authentication.  Seems pretty straightforward.
Of course, I need to implement this in such a way that it is completely transparent to the users.  The legacy SSID is controlled via AD Group Policy, so it seemed a simple matter of modifying GP such that the new SSID kicks in at a higher priority.  Users will see both, AD will suggest the new one, and life goes on.
That's exactly how it is supposed to work, and as far as I can tell, for any/all cold-starting laptops, that's exactly what happens.
See coldstart.png.
Until some user decides to close his or her laptop and sleep/hibernation sets in.
In an overnight situation, upon waking up, the laptop proceeds to perform a user authZ but no machine AuthZ.  Because there is no machine authZ, the machine fails to get internal access, which is a problem.  In the log I see this step:
24423  ISE has not been able to confirm previous successful machine authentication for user in Active Directory
In talking with TAC, they are pushing me to use NAM as the supplicant, as opposed to the Native Windows 7 supplicant.  While I have AnyConnect installed on every laptop, I don't at present have NAM configured, and that breaks my "completely transparent to users" directive.
I'm also working with Microsoft, and while they've yet to confirm that Windows 7 is just too stupid to understand the situation the laptop is in, I suspect them to tell me this soon, as we're running out of things to try on the client.
I am aware of the Reauthentication timer that exists under the appropriate Authorization Profile, and that number seems to max out at ~18 hours (16 bit).
At present, I've set the Reauth timer in the policy results at 1800 seconds.  I could probably set it to be a longer time, but weekends will mess that up as a good solution.
Regarding Authentication, in my Default Network Policy in ISE, I'm allowing PEAP and EAP-FAST.  PEAP is preferred.  PACs are being utilized.  See Defaultaccess.png, Defaultaccess2.png.
So, I can't believe I'm the only person having this issue.  Telling users to not suspend their machines is not an option.  So, I have to ask...  Anybody else been able to use 802.1X, ISE, Windows 7 such that it works with sleep/hibernate?

You are not the only one. Performing true machine and user authentication (EAP-TEAP) is currently not supported by any native supplicants out there. If you notice, the Windows 7 supplicant settings allow you to define "user, machine, or user or machine" but not "Machine and User". This is the reason Cisco was pushing you the NAM client. You can check the Cisco deployment guide for EAP-TEAP (aka EAP-Chaining) here:
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
In addition, a draft RFC for TEAP was already posted:
http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01
Just tell your MS and Apple reps about it and demand that it be supported in future releases and patches. :)
I don't know enough about your environment but I am suspecting that you are using MAR (Machine Access Restriction). If you are using MAR, there is a timer that is set under the "AD" integration tab. Once that timer expires ISE removes the machine's MAC address from the database, thus preventing the machine from coming onto the network until it performs another machine authentication. Unfortunately, that type of machine authentication only happens during a reboot or during a log off/log in. There are other limitations associated with MAR (see link below) and I personally neither like nor recommend it:
http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html
With all of that being said I see the following options for you:
1. Bump the MAR timer to 168 hrs (1 week) and instruct users that they have to reboot their machines first thing on Mondays.
2. Set the Windows supplicants to only perform PEAP machine authentications. This is different than MAR as the actual AD machine credentials are used. You won't be able to perform user auth but at least you will only be allowing corp assets on the network. 
3. Implement the Cisco NAM client and perform EAP-TEAP.
Hope this helps!
Thank you for rating helpful posts!
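To make the MAR timing described in the reply concrete, here is a small Python model added for this write-up; it is not code from the thread, from Cisco, or from ISE itself, and it only mirrors the logic the reply states (cached MAC after machine auth, entry aged out after the MAR timer, "user or machine" supplicant behaviour). The hour-based timelines, the MAC address and the function names are constructed assumptions; the 24423 text is the step the original poster quoted.

```python
"""Constructed model of ISE Machine Access Restriction (MAR) as the thread describes it.
Assumption: this mirrors only the behaviour stated in the reply, not ISE's real code."""
from dataclasses import dataclass, field

# Step text quoted by the original poster from the ISE live log.
STEP_24423 = ("24423 ISE has not been able to confirm previous successful "
              "machine authentication for user in Active Directory")


@dataclass
class MarCache:
    """MAC addresses that have a recent successful machine authentication."""
    aging_hours: float
    entries: dict = field(default_factory=dict)  # mac -> hour of last machine auth

    def record_machine_auth(self, mac: str, now_h: float) -> None:
        self.entries[mac] = now_h

    def machine_auth_confirmed(self, mac: str, now_h: float) -> bool:
        seen = self.entries.get(mac)
        if seen is None:
            return False
        if now_h - seen > self.aging_hours:
            del self.entries[mac]  # timer expired: ISE forgets the MAC
            return False
        return True


def supplicant_auth_type(user_logged_in: bool) -> str:
    """Windows 7 native supplicant in 'user or machine' mode: machine credentials
    only when no user session exists (cold boot, logoff); otherwise user credentials.
    Wake from sleep/hibernate keeps the user session, so it re-authenticates as user."""
    return "user" if user_logged_in else "machine"


def authorize(cache: MarCache, mac: str, now_h: float, user_logged_in: bool):
    """Evaluate one 802.1X attempt; returns (result, reason)."""
    if supplicant_auth_type(user_logged_in) == "machine":
        cache.record_machine_auth(mac, now_h)
        return "machine-only", "machine authenticated, MAC cached"
    if cache.machine_auth_confirmed(mac, now_h):
        return "full", "user auth with cached machine auth (MAR satisfied)"
    return "restricted", STEP_24423


def simulate(aging_hours: float, events, mac: str = "00:11:22:33:44:55"):
    """events: list of (hour, user_logged_in). Returns [(hour, result, reason)]."""
    cache = MarCache(aging_hours)
    return [(h, *authorize(cache, mac, h, logged)) for h, logged in events]


# Constructed timelines. OVERNIGHT: cold boot Monday 08:00 (h=0), user logon,
# laptop sleeps in the evening and wakes Tuesday 08:00 (h=24) doing user auth only.
# WEEK_LATER: same start, but the next wake-up is past the 168 h (1 week) timer,
# which is why the reply pairs option 1 with a reboot first thing on Mondays.
OVERNIGHT = [(0.0, False), (0.1, True), (24.0, True)]
WEEK_LATER = [(0.0, False), (0.1, True), (170.0, True)]

if __name__ == "__main__":
    for aging in (18.0, 168.0):
        print(f"MAR aging time {aging:.0f} h:")
        for h, result, reason in simulate(aging, OVERNIGHT):
            print(f"  h={h:6.1f}  {result:<12} {reason}")
```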
