SEC0049 - ISE 1.1 User and Machine Authentication with EAP Chaining (Part 2)


The video demonstrates how Cisco ISE EAP Chaining solves the caveats of user and machine authentication that are inherent to the Windows native supplicant. Part 1 steps through the authentication and authorization policy configuration needed to support EAP Chaining for both wired and wireless. Part 2 goes through the configuration in the NAM Profile Editor to create the .xml file that the NAM module uses to gain network access. The video ends with wired and wireless testing and a look at how EAP Chaining appears in the authentication log on Cisco ISE.

Topic:
  • AnyConnect Secure Mobility 3.x (NAM Module)
  • NAM Profile Editor
  • User and Machine Authentication with MSCHAPv2 inside EAP-FAST
  • Policy Element Condition
    • Authorization (Compound Condition)
  • Policy Element Result
    • Authentication (Allowed Protocol)
    • Authorization (Downloadable ACL)
    • Authorization (Authorization Profile)
  • Authentication Policy
  • Authorization Policy
Note:
  • With automatic PAC provisioning, EAP-TLS is used to build a secure tunnel in which the PAC is transported
  • The PAC is used by both endpoints to construct the EAP-FAST outer tunnel
  • The actual authentication occurs in the inner authentication method, which can be any protocol
  • EAP chaining allows multiple rounds of authentication to be carried out back-to-back within the same EAP session
Pros
  • Users can switch seamlessly between wired and wireless, as user and machine authentication take place together at each connection attempt.
  • No longer relies on machine authentication at Windows login, which eliminates the hassle of users occasionally having to log off
  • No longer uses the machine authentication cache on ISE, which eliminates the cache expiry problem
Cons
  • Additional software needs to be installed on user computers

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

14 comments

Thanks for the videos, excellent resources, I must confess. You had mentioned that "Network Access Manager Profile Editor" can be deployed via package. Can you please explain how? It will be interesting to know how to automate deployment of AnyConnect Secure Mobility Client and Network Access Manager Profile Editor for mass deployment. Was wondering if this can be done via AD group policy?

Looking forward to more of your security videos. Do you have any plans to make a video on Client SSL VPN?

Thanks

You don't really need to deploy the NAM Profile Editor to your users. You only use it to create a .xml config file. Then you have two options.

1. Manual - Put the .xml file under the Profiles/nam folder that you find under the directory extracted from the .iso pre-deploy package. You can then package it back together and send it to your users with instructions to install AnyConnect and NAM. NAM will come up with all the profiles.

2. Automatic - Use your Software Management System (SMS) to deploy NAM from the .msi file per the Cisco doc below, and then place the .xml file in the appropriate folder. The specific procedure depends on the SMS product you use.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnec...

Client SSL VPN is on our list but might take another while before we get to that.

Hope this helps, and thank you for your support.



Hi

I did this lab yesterday identically to you. I have a Windows 8 machine and had the AnyConnect 3.0 supplicant installed. When I connected the cable to the switch, AnyConnect prompted me for a username and password. If I enter my domain credentials, authentication fails because:

2248 Machine authentication against active directory has failed because of wrong password

After repeating the process a couple of times I had the same result. This morning, I repeated it again, this time removing AnyConnect 3.0 and installing 3.1. After I did this the authentication succeeded. I spent a bit of time connecting/disconnecting wired and wireless (both using EAP-FAST) and it was all working pretty smoothly. AnyConnect never asked me for a username and password, as in your lab, which is what I would expect.

This afternoon, after not touching anything, I went back to the laptop, which had gone to sleep. After starting it again, I had the issue I had seen initially, in that AnyConnect was asking me for a username and password again and authentication was failing for the LAN connection. The authentication via the WLAN would now appear to only attempt PEAP, and I would not see an EAP-FAST attempt in ISE at all.

Is this an AnyConnect issue? An ISE issue? A Windows 8 issue or an AD issue? (Presumably not AD, as I can connect the laptop to a PSK WLAN and get onto the domain.) Any pointers would be very helpful. I suppose I can eliminate the switch and WLC, as both worked and now both fail. Here is the failure output from ISE for wired:

Logged At: June 4,2013 3:56:18.354 PM
Occurred At: June 4,2013 3:56:18.354 PM
Server: ISE01-LON3
Authentication Method: dot1x
EAP Authentication Method: EAP-MSCHAPv2
EAP Tunnel Method: EAP-FAST
Username: lanuser,host/LON-IS5061
RADIUS Username: anonymous
Calling Station ID: 00:1E:68:8B:F4:2C
Framed IP Address:
Use Case: Eap Chaining
Network Device: IS-ACCESS36-01-MAN1
Network Device Groups: Device Type#All Device Types#Wired Access Switches,Location#All Locations#Man1
NAS IP Address: 10.192.1.4
NAS Identifier:
NAS Port: 50006
NAS Port ID: GigabitEthernet0/6
NAS Port Type: Ethernet
Allowed Protocol: EAP-FAST
Service Type: Framed
Identity Store: AD1,AD1
Authorization Profiles: DenyAccess
Active Directory Domain: tcx.prv
Identity Group: Profiled:Microsoft-Workstation
Allowed Protocol Selection Matched Rule: LAN-USER-MACHINE
Identity Policy Matched Rule: Default
Selected Identity Stores: AD1,Internal Users,AD1,Internal Users
Authorization Policy Matched Rule:
SGA Security Group:
AAA Session ID: ISE01-LON3/159726141/461
Audit Session ID: 0AC00104000003D84D7FA07B
Tunnel Details:
Cisco-AVPairs:
service-type=Framed
audit-session-id=0AC00104000003D84D7FA07B
Other Attributes:
ConfigVersionId=10,Device Port=1645,DestinationPort=1645,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1546,State=37CPMSessionID=0AC00104000003D84D7FA07B;34SessionID=ISE01-LON3/159726141/461;,EAP-Key-Name=,DetailedInfo=Invalid username or password specified, Retry is allowed,NACRadiusUserName=deanh,CPMSessionID=0AC00104000003D84D7FA07B,EndPointMACAddress=00-1E-68-8B-F4-2C,EndPointMatchedProfile=Microsoft-Workstation,EapChainingResult=User succeeded and machine failed,HostIdentityGroup=Endpoint Identity Groups:Profiled:Microsoft-Workstation,Device Type=Device Type#All Device Types#Wired Access Switches,Location=Location#All Locations#Man1,Model Name=3560,Software Version=15.0,Device IP Address=10.192.1.4,Called-Station-ID=00:14:A9:B2:47:86
Posture Status:
EPS Status:

Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12100 Prepared EAP-Request proposing EAP-FAST with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12207 Client certificate was requested but not received during tunnel establishment. Will renegotiate and request client certificate inside the tunnel.
12226 Started renegotiated TLS handshake
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12226 Started renegotiated TLS handshake
12205 Client certificate was requested but not received inside the tunnel. Will continue with inner method.
12149 EAP-FAST built authenticated tunnel for purpose of PAC provisioning
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12209 Starting EAP chaining
12218 Selected identity type 'User'
12125 EAP-FAST inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12212 Identity type provided by client is equal to requested
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12128 EAP-FAST inner method finished successfully
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12126 EAP-FAST cryptobinding verification passed
12200 Approved EAP-FAST client Tunnel PAC request
12219 Selected identity type 'Machine'
12125 EAP-FAST inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12212 Identity type provided by client is equal to requested
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24431 Authenticating machine against Active Directory
24485 Machine authentication against Active Directory has failed because of wrong password
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11823 EAP-MSCHAP authentication attempt failed
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
12117 EAP-FAST inner method finished with failure
22028 Authentication failed and the advanced options are ignored
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12855 PAC was not sent due to authorization failure
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12512 Treat the unexpected TLS acknowledge message as a rejection from the client
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

Thanks
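A small parser for the two ISE authentication detail reports posted in this thread, added here as an example (it is not code from the page's author or from Cisco). It pulls the key=value pairs out of the "Other Attributes" line, including the DetailedInfo value that itself contains a comma, and walks the Steps list to say which chained identity passed or failed, the first failure reason, the authorization profile and the RADIUS verdict. The sample inputs are constructed, trimmed copies of the logs in this thread, and the meaning attached to each step code is taken from the message text as it appears in those logs.

```python
"""Summarise an ISE EAP chaining attempt from its 'Steps' list and the
'Other Attributes' line of the authentication detail report."""
import re

# Constructed samples: trimmed copies of the two Steps lists posted in this
# thread (failed wired attempt, then the later PAC-based attempt that passed).
FAILED_STEPS = """
11001 Received RADIUS Access-Request
Evaluating Service Selection Policy
12209 Starting EAP chaining
12218 Selected identity type 'User'
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
12219 Selected identity type 'Machine'
24485 Machine authentication against Active Directory has failed because of wrong password
11815 Inner EAP-MSCHAP authentication failed
15016 Selected Authorization Profile - DenyAccess
11003 Returned RADIUS Access-Reject
"""
PASSED_STEPS = """
11001 Received RADIUS Access-Request
12209 Starting EAP chaining
12210 Received User Authorization PAC
12211 Received Machine Authorization PAC
12218 Selected identity type 'User'
22037 Authentication Passed
12124 EAP-FAST inner method skipped
12219 Selected identity type 'Machine'
22037 Authentication Passed
12124 EAP-FAST inner method skipped
15016 Selected Authorization Profile - D_INTERNET_ONLY
11002 Returned RADIUS Access-Accept
"""
# Constructed sample: shortened 'Other Attributes' line of the failed attempt.
OTHER_ATTRIBUTES = (
    "ConfigVersionId=10,Device Port=1645,"
    "State=37CPMSessionID=0AC00104000003D84D7FA07B;34SessionID=ISE01-LON3/159726141/461;,"
    "EAP-Key-Name=,DetailedInfo=Invalid username or password specified, Retry is allowed,"
    "EapChainingResult=User succeeded and machine failed"
)

STEP_RE = re.compile(r"^(\d{5})\s+(.*\S)$")
# Step codes with the meaning they carry in the posted reports.
IDENTITY_SELECT = {12218: "user", 12219: "machine"}
INNER_PASS = {22037, 11814}         # Authentication Passed / inner EAP-MSCHAP succeeded
INNER_FAIL = {24485, 11823, 11815}  # AD machine auth failed / inner EAP-MSCHAP failed
INNER_SKIPPED = 12124               # inner method skipped (authorization PACs received)
AUTHZ_PROFILE = 15016
RADIUS_RESULT = {11002: "Access-Accept", 11003: "Access-Reject"}


def parse_other_attributes(line):
    """Comma-separated key=value list -> dict. A value may itself contain a
    comma (DetailedInfo does), so a fragment without '=' is glued back onto
    the previous value instead of becoming a bogus key."""
    attrs, last_key = {}, None
    for frag in line.split(","):
        key, sep, value = frag.partition("=")
        if not sep and last_key is not None:
            attrs[last_key] += "," + frag
            continue
        last_key = key.strip()
        attrs[last_key] = value
    return attrs


def parse_steps(text):
    """[(code, message)] per non-empty line; headings such as
    'Evaluating Identity Policy' have no code and get None."""
    steps = []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        m = STEP_RE.match(line)
        steps.append((int(m.group(1)), m.group(2)) if m else (None, line))
    return steps


def chaining_outcome(steps):
    """Walk the Steps list and report the result of each chained identity."""
    out = {"user": "absent", "machine": "absent", "user_reason": None,
           "machine_reason": None, "inner_method_skipped": [],
           "authorization_profile": None, "radius_result": None}
    current = None  # identity ISE is currently authenticating
    for code, msg in steps:
        if code in IDENTITY_SELECT:
            current = IDENTITY_SELECT[code]
        elif code in RADIUS_RESULT:
            out["radius_result"] = RADIUS_RESULT[code]
        elif code == AUTHZ_PROFILE:
            out["authorization_profile"] = msg.rsplit(" - ", 1)[-1]
        elif current is None:
            continue  # tunnel set-up steps before chaining starts
        elif code in INNER_FAIL:
            out[current] = "fail"
            out[current + "_reason"] = out[current + "_reason"] or f"{code} {msg}"
        elif code in INNER_PASS and out[current] != "fail":
            out[current] = "pass"
        elif code == INNER_SKIPPED:
            out["inner_method_skipped"].append(current)
    return out


if __name__ == "__main__":
    print(chaining_outcome(parse_steps(FAILED_STEPS)))
    print(parse_other_attributes(OTHER_ATTRIBUTES)["EapChainingResult"])
    print(chaining_outcome(parse_steps(PASSED_STEPS)))
```

On the failed report the walk lands on 24485 under the 'Machine' identity and on Access-Reject with profile DenyAccess, which matches the EapChainingResult attribute ISE wrote ("User succeeded and machine failed"); on the later report both identities pass with the inner method skipped after the authorization PACs were received. The attribute parser is the part worth keeping: naive splitting on commas silently corrupts DetailedInfo.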

Apparently, this is due to a security limitation in Windows 8. I applied the Microsoft fix, and it started working.

For Network Access Manager, machine authentication using machine password will not work on Windows 8 / Server 2012 unless a registry fix described in Microsoft KB 2743127 (http://support.microsoft.com/kb/2743127) is applied to the client desktop. This fix includes adding a DWORD value LsaAllowReturningUnencryptedSecrets to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa registry key and setting this value to 1. This change permits Local Security Authority (LSA) to provide clients like Cisco Network Access Manager with the Machine password. It is related to the increased default security settings in Windows 8 / Server 2012. Machine authentication using Machine certificate does not require this change and will work the same as it worked with pre-Windows 8 operating systems.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnec...

It was strange that you mentioned you were able to get it to work somewhat before it stopped working. You would think, from what you described, that it shouldn't have worked at all. But it is good to know it is a documented caveat. Thank you for sharing.

Yes, it is very strange. I tried for a day to get it to work, with no luck. The next morning it worked, but then stopped, with me making no changes to ISE or Win8. I raised the issue with a Cisco engineer through my sales channel, who pointed me in the direction of the Win8 fix. After applying the registry fix, it has worked ever since, again with me not changing anything on ISE or Win8. I have no idea why it worked for that short period without that fix in place either.

When using NAM I initially get both to pass, but something on the backend changes that and NAM is prompting me for creds even though single sign-on is enabled. Any thoughts?

Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15004 Matched rule - EXAMPLE-EAP-TLS
11507 Extracted EAP-Response/Identity
12100 Prepared EAP-Request proposing EAP-FAST with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800 Extracted first TLS record; TLS handshake started
12175 Received Tunnel PAC
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12804 Extracted TLS Finished message
12816 TLS handshake succeeded
12132 EAP-FAST built PAC-based tunnel for purpose of authentication
12209 Starting EAP chaining
12210 Received User Authorization PAC
12211 Received Machine Authorization PAC
12218 Selected identity type 'User'
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence - EXAMPLE_IDS
15013 Selected Identity Source - EXAMPLE
24432 Looking up user in Active Directory - EXAMPLE
24326 Searching subject object by UPN - USER1@internal.EXAMPLE.net
24328 Subject object not found in a cache
24330 Lookup SID By Name request succeeded
24332 Lookup Object By SID request succeeded
24336 Subject object cached
24351 Account validation succeeded
24420 User's Attributes retrieval from Active Directory succeeded - EXAMPLE
22037 Authentication Passed
12124 EAP-FAST inner method skipped
12219 Selected identity type 'Machine'
15041 Evaluating Identity Policy
15004 Matched rule - Default
15006 Matched Default Rule
22072 Selected identity source sequence - EXAMPLE_IDS
15013 Selected Identity Source - EXAMPLE
24433 Looking up machine in Active Directory - EXAMPLE
24326 Searching subject object by UPN - C0001-USER1$@internal.EXAMPLE.net
24327 Subject object found in a cache
24329 Subject cache entry expired
24330 Lookup SID By Name request succeeded
24332 Lookup Object By SID request succeeded
24336 Subject object cached
24351 Account validation succeeded
24439 Machine Attributes retrieval from Active Directory succeeded - EXAMPLE
22037 Authentication Passed
12124 EAP-FAST inner method skipped
12964 Sent EAP Result TLV indicating success
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12106 EAP-FAST authentication phase finished successfully
11503 Prepared EAP-Success
15036 Evaluating Authorization Policy
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Network Access.EapTunnel
24432 Looking up user in Active Directory - EXAMPLE
24325 Resolving identity - USER1
24313 Search for matching accounts at join point - internal.EXAMPLE.net
24319 Single matching account found in forest - EXAMPLE.net
24323 Identity resolution detected single matching account
24355 LDAP fetch succeeded - internal.EXAMPLE.net
24416 User's Groups retrieval from Active Directory succeeded - EXAMPLE
24433 Looking up machine in Active Directory - EXAMPLE
24325 Resolving identity - host/C0001-USER1
24313 Search for matching accounts at join point - internal.EXAMPLE.net
24319 Single matching account found in forest - EXAMPLE.net
24323 Identity resolution detected single matching account
24355 LDAP fetch succeeded - internal.EXAMPLE.net
24435 Machine Groups retrieval from Active Directory succeeded - EXAMPLE
15048 Queried PIP - EXAMPLE.ExternalGroups
15004 Matched rule - WIRED_MACH_EAP-TLS
15016 Selected Authorization Profile - D_INTERNET_ONLY
11022 Added the dACL specified in the Authorization Profile
11002 Returned RADIUS Access-Accept

From the log provided, both user and machine seem to pass. Is it not yielding the auth profile you want?

It gets an internet-only result when it should get full access. This is similar to the video; however, NAM is prompting for a username and password even though single sign-on is used. I'm not sure why that's happening.

12124 EAP-FAST inner method skipped
Is this a concern?

Did the log show both user and machine succeeded? What are the conditions for full access and internet-only access? Was this something that used to work and recently broke? You should not be prompted for credentials unless they are wrong. Can you try to rebuild the wired profile? The inner method skipped log message does not sound right, but it clearly went through both user and computer authentication, so it might not be relevant.

I figured out why. ISE was acknowledging everything, and from the ISE perspective all was good. The switch, however, showed a failed authz. This was because it had trouble implementing the dACL, which happened to have a URL redirect, a reauth of 1800 seconds and a subfeature of radius-request during reauth. I removed the url-redirect and it connected just fine.

EDIT
Some additional information
On switch: debug radius authentication, debug epm all
EPM output: EPM_SESS_ERR:No match for feature DOT1X
DOT1X had trouble applying the redirect and so it

*Mar 2 22:14:59 UTC: EPM_API:In function epm_parse_aaa_access_policies
*Mar 2 22:14:59 UTC: EPM_SESS_EVENT:URL-Redirect= https://www.EXAMPLE.com
*Mar 2 22:14:59 UTC: EPM_SESS_EVENT:CiscoDefined-ACL name= #ACSACL#-IP-DACL_USERMACH_FULLACCESS-564b6aef
*Mar 2 22:14:59 UTC: EPM_API:In function epm_remove_access_policies
*Mar 2 22:14:59 UTC: EPM_API:In function epm_process_policy_attributes
*Mar 2 22:14:59 UTC: EPM_SESS_ERR:No match for feature DOT1X
*Mar 2 22:14:59 UTC: EPM_SESS_ERR:No match for feature DOT1X
*Mar 2 22:14:59 UTC: EPM_API:In function epm_url_redirect_feature_free
*Mar 2 22:14:59 UTC: EPM_SESS_EVENT:Returning feature config for feature DOT1X
*Mar 2 22:14:59 UTC: EPM_SESS_EVENT:Returning feature config for feature DOT1X
*Mar 2 22:14:59 UTC: EPM_API:In function epm_acl_feature_free
*Mar 2 22:14:59 UTC: EPM_SESS_EVENT:Dequeue acl feature from list
*Mar 2 22:14:59 UTC: EPM_API:In function epm_notify_registered_clients
*Mar 2 22:14:59 UTC: EPM_SESS_EVENT:Notified NACL removal to Registered Clients

That makes sense, and explains why we didn't see anything fail in the ISE log. Thank you for sharing the resolution.

Hi
I installed AnyConnect, made the configuration file using the editor, and configured ISE version 2.2 with an authentication and authorization policy for dot1x.
I made two authz rules, one for domain machine and the other for domain user.
Authentication is open under the SW port.
I always get machine authentication failed, and then, because of the fail open, I pass this step and get the user successfully authc'd and authz'd; the ISE logs for the machine say that machine authentication failed against Active Directory for wrong password.
Any advice?
BR

Are you using PEAP or EAP-TLS or EAP-FAST? What OS? Windows 7,8 or 10?