When using EAP chaining with Cisco ISE 1.3, note that Windows 8 and later fail to authenticate to ISE 1.3 and fail the computer-name lookup in Active Directory. The result is an authentication failure or an error in the Active Directory lookup.
The cause is that the Windows machine does not send its computer name during authentication. Without the computer name, EAP chaining fails and network access is denied. This occurs specifically when Cisco AnyConnect is communicating with ISE over EAP, so the authentication flow is broken for Windows 8 and later.
Microsoft has addressed this with a registry fix that resolves the problem once applied. Always back up the Registry before making any changes. For detailed instructions on exporting registry keys, see https://support.microsoft.com/en-us/kb/322756.
In case the article becomes obsolete, here is the specific key that needs to be added:
Registry path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Add a new DWORD value named “LsaAllowReturningUnencryptedSecrets” and set it to 1. This allows the Windows machine to supply its computer name during EAP chaining, so network access succeeds when using Cisco AnyConnect.
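The steps above (back up the Lsa key, add the DWORD, confirm it) as a single elevated PowerShell script. This is an added example, not part of the original article or a Cisco/Microsoft script; the backup directory `C:\RegBackup` is an assumed location. Because the value's name indicates that LSA is being permitted to hand back machine-account secrets unencrypted, the script records the pre-change state and verifies type and value afterwards so the change is auditable and can be reverted from the export.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): back up the Lsa key, then
# add and verify the LsaAllowReturningUnencryptedSecrets DWORD described above.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LsaAllowReturningUnencryptedSecrets'
$Desired   = 1
$BackupDir = 'C:\RegBackup'   # assumed location for the exported key

# 1. Export the Lsa key before touching it (reg.exe export, as in KB 322756).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupFile = Join-Path $BackupDir "Lsa-$stamp.reg"
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Registry backup failed; aborting without making changes."
}
Write-Host "Backed up Lsa key to $backupFile"

# 2. Record the current state so the change is auditable.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Host "$ValueName is not present (Windows default)."
} else {
    Write-Host "$ValueName currently = $current"
}

# 3. Create or update the DWORD only if it differs from the desired value.
if ($current -ne $Desired) {
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Desired -Force | Out-Null
    Write-Host "Set $ValueName = $Desired"
} else {
    Write-Host "No change needed."
}

# 4. Read the value back and verify both its type and its data.
$item  = Get-Item -Path $KeyPath
$kind  = $item.GetValueKind($ValueName)
$after = $item.GetValue($ValueName)
if ($kind -ne 'DWord' -or $after -ne $Desired) {
    throw "Verification failed: $ValueName is '$after' of type $kind"
}
Write-Host "Verified: $ValueName = $after ($kind)"
```

To revert, double-click or `reg.exe import` the exported `.reg` file written in step 1. Scope the script to the machines that actually run AnyConnect with EAP chaining rather than rolling it out domain-wide.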