
New Member

Windows 7 Supplicant Configuration - ISE PEAP w Machine Auth

Can anyone tell me the settings for the Windows 7 supplicant that work with ISE and PEAP using machine authentication? I have an authorization profile that permits the user login only after the machine 'WasAuthenticated'. I have only found this to work by setting the Windows 7 supplicant up to use Single Sign-On before Windows logon and to specify 'User or Machine' authentication. Then I'm only successful if I have both wired and wireless connected/on and I perform a logoff/reboot. Surely this isn't right. What if a user logs on without any connection with cached credentials and then wants to use wireless? Can't they just perform both machine and user auth over the wireless connection regardless of prior machine/auth states? I used the videos from LABMINUTES to configure the policies, but I don't need the ACLs for the WLAN controller because these are autonomous APs.



Hall of Fame Super Silver

Re: Windows 7 Supplicant Configuration - ISE PEAP w Machine Auth

Microsoft will send both and only cares if one passes. This is the same with RADIUS. ACS and ISE allow you to check to see if the user was authenticated, which happens initially on boot. After the initial machine auth, the Windows machine will only send user creds. The 'was machine authenticated' check is a workaround to be able to do both. The issue is that when the timeout of the machine creds happens, the device has to be rebooted. At Cisco Live 2012, they even suggested you don't do this due to not knowing how long ACS or ISE will keep this cached information.

Sent from Cisco Technical Support iPhone App

*** Please rate helpful posts ***
New Member

Re: Windows 7 Supplicant Configuration - ISE PEAP w Machine Auth

Hi Scott.


Quick one. If Cisco suggests not to use 'was machine authenticated' within ISE, then how can we enforce policies in a case when I want to provide three different levels of access depending on

  1. Machine is Authenticated (access to DHCP/DNS/AD only)
  2. Machine and User are authenticated (or read it differently, AD user is using AD machine) - full access
  3. AD user credentials only - no access, as for example, I don't want users to put their creds on an iPhone and get full access to the corporate network.

This works well if 'was machine authenticated' is used within the policy. However, as you stated, this information expires over time (or, if a user logs in using cached credentials at home, puts the PC into standby and gets into the office, there will be no machine-related session on ISE). Actually, in this last case I can present a redirect web page to them asking users to log off / log on to enforce the policies... but it doesn't seem like a good approach if during the day the machine authentication state expires and the user is forced to re-log in again.
