Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE EAP-Chaining with machine, certificate and domain credentials

Good morning,

A customer wants to do the following for their corporate wireless users (all clients will be customer assets):

Corp. wireless to authenticate with 2-factor authentication:

  • •1. Certificate
  • •2. Machine auth thru AD
  • •3. Domain creds

When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.

Clients are Windows laptops and corporate iPhones.

Certs can be issued thru GPO and MDM for iPhones

Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread:

My first question is: can this be done?

Second question: how would i implement this from an AuthC/AuthZ perspective?

Thanks in advance,


New Member

ISE EAP-Chaining with machine, certificate and domain credential

You can do this configuring anyconnect with NAM modules on endpoints! But I don't make sense configure some clients with certificate and others with domains credentials...

For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and i'm gotting some problems. The first one I got with windows 8, for some reason windows was sending wrong information about the machine password but I solved the problem installing a KB on windows 8 machines ( The second one I got with windows 7 that are sending information correctly about domain but wrong information about user credentials, on ISE logs I can see that windows 7 are sending user "anonymous" + machine name on the first longin... after windows 7 start if I remove the cable and connect again the authentication and authorization happen correctly. I still invastigate the root cause and if there is a KB to solve the problem as I did with windows 8.

Good luck and keep in touch.

New Member

Hi Rodrigo,

Hi Rodrigo,

how did you solve problem where windows 7 is sending user "anonymous" on login? I have exactly the same problem, my ISE shows that credentials are actually anonymous!


New Member

ISE EAP-Chaining with machine, certificate and domain credential

Kindly go through the link may help you.

New Member

ISE EAP-Chaining with machine, certificate and domain credential

Thank you for the replies.

Going back to the customer, and they don't want to load any extra clients on their machines, so I have to work within the restrictions of the WIndows native supplicant.

Given that limitation, how can I authenticate/authorize against: machine auth in AD, user creds in AD, and a client cert (EAP-TLS).  The result should be: if the client passes all 3, then they are allowed on the network.

thanks in advance

New Member

ISE EAP-Chaining with machine, certificate and domain credential


With Windows laptops, this shouldn't be a problem.

As I see it, 1 and 2 are the same thing; Machine Auth uses the machine certificate to authenticate. And to link the computer certificate against the proper computer in AD, you can go in to Administration -> External Identity Sources ->

Certificate Authentication Profile -> and check the box that says:

Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory. Then you must make a rule that matches something in your AD or in your certificate.

And to link the User against the Computer, you can add a rule that contains this:

Network Access:WasMachineAuthenticated Equals True.

Not sure how this will play out on mobile devices, though.

New Member



I know that this is a old thread but I'm dealing with an issue that a thought that you can help solving out.

I've deployed ISE 2.0 and I've create a policy to match the machine and user certificate but for some reason the computer certificate is being validated and the user certificate not.

and I'm receiving the following error:

Failure Reason

22056 Subject not found in the applicable identity store(s)


Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped due to identity resoultion settings or if they do not support the current authentication protocol.

Root cause

Subject not found in the applicable identity store(s).


My client machine is Windows 7(with anyconnect installed) and I've an internal root CA.



New Member

I don't see how this would

I don't see how this would work with windows devices.  The native supplicant only authenticates with either the user or the machine.

Also, how would you setup the native supplicant to perform certificate based authentication for the machine and user based authentication for the user?  As far as I know you can't do PEAP-MSCHAPv2 & EAP-TLS at the same time with the native windows supplicant.