On a recent ISE implementation I came across an issue with EAP-Chaining. Here is the setup:
Anyconnect NAM is configured with a profile that does EAP-Chaining. You can find the details of the configuration here:
Once ISE is configured and a connection attempt is made the following message is seen in the detailed report:
This issue has to do with how Windows handles the machine credentials: LSA does not release the machine password to client applications. A registry modification allows LSA to provide the machine password to Cisco Anyconnect NAM. To apply the fix, perform the following:
- Navigate in Regedit to
- Add a new DWORD (32-bit) Value.
- Type LsaAllowReturningUnencryptedSecrets, and then press Enter.
- Right-click LsaAllowReturningUnencryptedSecrets, and then click Modify.
- Type 1 in the Value data box, and then click OK.
After this, both the user and the machine should authenticate.
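The registry change above as a PowerShell script, added here as an example and not taken from the original post or from Cisco. Because this value lets LSA hand the machine password to a local process, the script records the previous state before changing it, verifies the result, offers a revert, and can list the hosts where the value is set. The key path is the one from the Regedit step, which this page does not reproduce, so it is passed in as `$LsaKeyPath`; the function names and the CSV log path are assumptions.

```powershell
# Added example (not the original post's code). $LsaKeyPath is assumed to be the
# registry key path from the Regedit step above; pass it explicitly.
$ValueName = 'LsaAllowReturningUnencryptedSecrets'
$ChangeLog = "$env:ProgramData\lsa-secrets-change.csv"   # assumed log location

function Get-LsaSecretsSetting {
    param([Parameter(Mandatory)][string]$LsaKeyPath)
    $item = Get-ItemProperty -Path $LsaKeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: LSA default, secret not returned
    return [int]$item.$ValueName
}

function Enable-LsaSecretsForNam {
    param([Parameter(Mandatory)][string]$LsaKeyPath)
    $before = Get-LsaSecretsSetting -LsaKeyPath $LsaKeyPath
    # Record the prior state so the change can be rolled back later.
    [pscustomobject]@{ Key = $LsaKeyPath; Name = $ValueName; Previous = $before; Changed = Get-Date } |
        Export-Csv -Path $ChangeLog -Append -NoTypeInformation
    # Equivalent of the DWORD (32-bit) value of 1 set in Regedit.
    New-ItemProperty -Path $LsaKeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    if ((Get-LsaSecretsSetting -LsaKeyPath $LsaKeyPath) -ne 1) { throw "Failed to set $ValueName" }
}

function Disable-LsaSecretsForNam {
    # Removing the value restores the LSA default behaviour.
    param([Parameter(Mandatory)][string]$LsaKeyPath)
    Remove-ItemProperty -Path $LsaKeyPath -Name $ValueName -ErrorAction SilentlyContinue
}

function Find-LsaSecretsEnabled {
    # Inventory: which hosts currently return the machine secret to local clients.
    param([Parameter(Mandatory)][string]$LsaKeyPath, [Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Path, $Name)
        $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Value = $v }
    } -ArgumentList $LsaKeyPath, $ValueName | Where-Object { $_.Value -eq 1 }
}
```

Run `Enable-LsaSecretsForNam` from an elevated session on the NAM clients that need EAP-Chaining, and use `Find-LsaSecretsEnabled` periodically so the relaxed setting does not spread beyond those hosts.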
You can find more info at https://tools.cisco.com/bugsearch/bug/CSCuc13862 (Requires CCO Login).