Symptom
Machine authentication fails intermittently on several clients. The ISE report shows "22056 Subject not found in the applicable identity store(s)" and "5411 No response received during 120 seconds on last EAP message sent to the client" as the reasons for failure.
Conditions
Due to a disjoint namespace problem, 802.1x machine authentication against an AD server may fail if the SPN used by the supplicant contains a DNS suffix which does not exist on the Domain Controller Group List.
The 802.1x machine supplicant sends its fully qualified hostname during the authentication process, including a DNS suffix which does not exist on the Domain Controller Groups list.
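To check whether this condition is behind a batch of failures, the following added example (not Cisco's code and not part of the original note) groups 22056 failures by the DNS suffix of the machine identity and reports suffixes that are not among the known AD domains. It assumes machine identities have the form host/<fqdn> and that the AD domains are available as DNS names; the records, domain names and function names are constructed for illustration.

```python
# Added example: triage of failed machine authentications by DNS suffix.
# Assumptions (not from the original note): machine identities arrive as
# "host/<fqdn>", and the joined AD domains are available as DNS names.

FAILURE_CODE = "22056"  # "Subject not found in the applicable identity store(s)"


def dns_suffix(identity):
    """Return the lower-cased DNS suffix of a host/<fqdn> identity, or None."""
    if not identity.lower().startswith("host/"):
        return None  # user identity, not a machine SPN
    fqdn = identity[5:].strip().rstrip(".").lower()
    _, sep, suffix = fqdn.partition(".")
    return suffix if sep else ""  # "" means a short name with no suffix


def suffix_known(suffix, ad_domains):
    """True if the suffix exactly matches one of the known AD DNS domains."""
    known = {d.strip().rstrip(".").lower() for d in ad_domains}
    return suffix in known


def disjoint_candidates(records, ad_domains):
    """Map each unknown DNS suffix to the machines that failed with 22056."""
    hits = {}
    for code, identity in records:
        if code != FAILURE_CODE:
            continue
        suffix = dns_suffix(identity)
        if suffix is None or suffix == "" or suffix_known(suffix, ad_domains):
            continue
        hits.setdefault(suffix, []).append(identity)
    return hits


# Constructed sample data (not real ISE output).
AD_DOMAINS = ["corp.example.com"]
RECORDS = [
    ("22056", "host/PC-001.branch.example.net"),
    ("22056", "host/pc-002.corp.example.com"),
    ("5411", "host/PC-003.branch.example.net"),
    ("22056", "host/PC-004.Branch.Example.NET."),
    ("22056", "jdoe@corp.example.com"),
    ("22056", "host/PC-005"),
]

if __name__ == "__main__":
    for suffix, machines in disjoint_candidates(RECORDS, AD_DOMAINS).items():
        print(f"{suffix}: {len(machines)} machine(s) -> {machines}")
```

A 22056 failure whose suffix is already known (pc-002 in the sample) is left out of the result, since a disjoint namespace does not explain it.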