802.1x Computer Authentication

SChang 41 Reputation points
2020-12-14T00:24:28.347+00:00

Hello,
We have an 802.1x environment configured with a Cisco ISE server and Windows 10 clients using the DoD SHB build. The 802.1x on Windows 10 workstations is configured via GPO and set to do Computer only authentication with Microsoft: Protected EAP (PEAP) (Secured password (EAP-MSCHAP v2)). It was working just fine with our Windows 10 version 1709 workstations but Windows 10 version 1909 workstations are getting authentication failure.

From the ISE server we are seeing: "5411 Supplicant stopped responding to ISE" error and one of the last steps I see in the log is "12937 Supplicant stopped responding to ISE after sending it the first inner EAP-MSCHAPv2 message (Step latency=120001 ms)"

In Windows 10 Wired-AutoConfig Eventlog, we see
Event ID: 15514
Wired 802.1X Authentication failed.
Reason: 0x50005
Reason Text: There was in internal authentication error.
Error Code: 0x80070285

Any help would be appreciated.
Thank you


Accepted answer
  1. Sunny Qi 10,721 Reputation points Microsoft Vendor
    2020-12-15T07:20:33.373+00:00

    Hi Sung,

    Glad to hear that the workaround has been found. You could accept the reply as answer if you want to end this thread. If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

3 additional answers

  1. Sunny Qi 10,721 Reputation points Microsoft Vendor
    2020-12-14T09:27:37.273+00:00

    Hi,

    Thanks for posting in the Q&A platform.

    Based on the provided information, my understanding is that the issue is related to a wired network access issue. Please correct me if my understanding is wrong.

    Regarding the error "There was in internal authentication error", this is a general authentication error and may be caused by different and multiple environment and/or configuration issues. Since the EAP method is EAP-MSCHAPv2, please make sure that the username and password were inserted correctly.

    And as the NPS server is a Cisco ISE server and we're not familiar with the configuration of Cisco ISE server, I would suggest you contact Cisco Community for further help:
    https://community.cisco.com/t5/network-access-control/bd-p/discussions-network-access-control

    Here is a similar thread for your reference, please kindly check if it is helpful to you:
    https://community.cisco.com/t5/network-access-control/5411-supplicant-stopped-responding-to-ise-quot-use-eap-tls-for/td-p/4084578

    Best Regards,
    Sunny


  2. SChang 41 Reputation points
    2020-12-15T05:52:22.23+00:00

    Sunny,
    Thank you for your reply. Your comment about the username and password triggered a thought. We checked the 1909 workstations and it turned out Credential Guard was enabled. Apparently, it was baked into the SHB image. After disabling Credential Guard and Secure Boot, 802.1x authentication started working with MSCHAPv2. I thought disabling Credential Guard alone would do it but it required Secure Boot to be disabled, also. We will be moving to certificate based 802.1x shortly but in the meantime, we now know the cause and way around it.

    Thank you,
    Sung
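
A read-only triage check for the condition described in the reply above, as an added example that is not part of the original thread: it reports whether Credential Guard is running, the Secure Boot state, and recent Wired-AutoConfig 15514 failures carrying reason 0x50005. The function name `Get-Dot1xCredentialGuardTriage` and the `Microsoft-Windows-Wired-AutoConfig/Operational` channel name are assumptions not taken from the thread; run it elevated on the affected workstation.

```powershell
# Added example (not from the thread). Read-only: changes no settings.
function Get-Dot1xCredentialGuardTriage {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 20   # how many recent 15514 events to inspect
    )

    # Win32_DeviceGuard lists security services as integers; 1 = Credential Guard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $cgConfigured = [bool]($dg -and ($dg.SecurityServicesConfigured -contains 1))
    $cgRunning    = [bool]($dg -and ($dg.SecurityServicesRunning    -contains 1))

    # Confirm-SecureBootUEFI throws on legacy BIOS or when not elevated;
    # report $null ("unknown") in that case instead of failing.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $null }

    # Event 15514 = "Wired 802.1X Authentication failed."; keep only the
    # reason code quoted in the question (0x50005).
    $failures = @(
        Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Wired-AutoConfig/Operational'
            Id      = 15514
        } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x50005' }
    )
    $lastFailure = $null
    if ($failures.Count -gt 0) { $lastFailure = $failures[0].TimeCreated }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus  # 0 off, 1 enabled, 2 running
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        SecureBootEnabled         = $secureBoot
        Recent15514Failures       = $failures.Count
        LastFailure               = $lastFailure
        # True when the host shows the combination reported in this thread:
        # Credential Guard running and 0x50005 wired 802.1X failures present.
        MatchesThreadCondition    = ($cgRunning -and $failures.Count -gt 0)
    }
}

Get-Dot1xCredentialGuardTriage | Format-List
```

Comparing the output from a working 1709 workstation and a failing 1909 workstation shows whether the image difference is the Credential Guard state rather than the GPO-delivered 802.1x profile.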


  3. SChang 41 Reputation points
    2020-12-18T00:00:38.5+00:00

    Thank you for your help!