802.1x Computer Authentication

SChang 66 Reputation points
2020-12-14T00:24:28.347+00:00

Hello,
We have 802.1x environment configured with Cisco ISE server and Windows 10 clients Using DoD SHB build. The 802.1x on Widnows 10 workstations is configured via GPO and set to do Computer only authentication with Microsoft: Protected EAP (PEAP) (Secured password (EAP-MSCHAP v2). It was working just fine with our Windows 10 version 1709 workstations but Windows 10 version 1909 workstations are getting authentication failure.

From the ISE server we are seeing: "5411 Supplicant stopped responding to ISE" error and one of the last step I see in the log is "12937 Supplicant stopped responding to ISE after sending it the first inner EAP-MSCHAPv2 message (Step latency=120001 ms)

In Windows 10 Wired-AutoConfig Eventlog, we see
Event ID: 15514
Wired 802.1X Authentication failed.
Reason: 0x50005
Reason Text: There was in internal authentication error.
Error Code: 0x80070285

Any help would be appreciated.
Thank you

Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,266 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,745 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sunny Qi 10,896 Reputation points Microsoft Vendor
    2020-12-15T07:20:33.373+00:00

    Hi Sung,

    Glad to hear that the workaround has been found. You could accept the reply as answer if you want to to end this thread up. If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. SChang 66 Reputation points
    2020-12-15T05:52:22.23+00:00

    Sunny,
    Thank you for your reply. Your comment about the username and password triggered a thought. We check the 1909 workstations and it turned out Credential Guard was enabled. Apparently, it was baked into the SHB image. After disabling the Credential Guard and secure boot, 802.1x authentication started work with MSCHAPv2. I thought disabling the Credential Guard alone would do it but it required Secure Boot to be disabled, also. We will be moving to certificate based 802.1x shortly but in the meantime, we now know the cause and way around it.

    Thank you,
    Sung

    1 person found this answer helpful.

  2. Sunny Qi 10,896 Reputation points Microsoft Vendor
    2020-12-14T09:27:37.273+00:00

    Hi,

    Thanks for posting in Q&A platform.

    Based on provided information, my understanding is the issue is related wired network access issue. Please correct me if my understanding is wrong.

    Regarding the error "There was in internal authentication error", this is a general authentication error and may be caused by different and multiple environment and/or configuration issues. Since the EAP method is EAP-MSCHAPv2, please make sur that the username and password was inserted correctly.

    And as the NPS server is a Cisco ISE server and we're not familiar with the configuration of Cisco ISE server, I would suggest you contact Cisco Community for further help:
    https://community.cisco.com/t5/network-access-control/bd-p/discussions-network-access-control

    Here is a similar thread for your reference, please kindly check if it is helpful to you:
    https://community.cisco.com/t5/network-access-control/5411-supplicant-stopped-responding-to-ise-quot-use-eap-tls-for/td-p/4084578

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  3. SChang 66 Reputation points
    2020-12-18T00:00:38.5+00:00

    Thank you for your help!