Symptom
Certificate-based machine authentication fails if binary comparison is enabled in the Certificate Authentication Profile and the certificate is not mapped to the machine account. The authentication request looks up the machine account in AD; however, once the binary comparison fails and the 'Continue' advanced option is selected, ISE sends the lookup query as a user account name instead of a machine account name.
24432 Looking up user in Active Directory - testlab ---------------------------------------> Looking for user instead of Machine account
Conditions
1. The Certificate Authentication Profile has the option "Always perform binary comparison" enabled.
2. The machine certificate is not added to the computer account in Active Directory. Log: Client certificate does not match AD account certificate - xxxx$@xx.com
3. The authentication policy has the advanced options "If Auth fail" set to Continue and "If User not found" set to Continue.
4. The authorization condition matches EAP-TLS and External Groups equals Domain Computers.
5. ISE 2.3 patch 5 or ISE 2.6 patch 2.
Workaround
Do one of the following:
1. Disable the binary comparison option in the Certificate Authentication Profile, or
2. Add the machine certificate to the computer account in AD.
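The following PowerShell is an added example, not part of this bug report or of any Cisco or Microsoft documentation. It checks condition 2 (whether the certificate the supplicant presents is actually stored in the userCertificate attribute of the computer account, which is what binary comparison is evaluated against) and shows the Set-ADComputer call that applies workaround 2. It assumes the RSAT ActiveDirectory module is installed, that it runs on the domain-joined host being checked, and that the caller may read and write userCertificate on that computer object; the issuer name is a placeholder you must replace.

```powershell
# Added example: verify the machine certificate is published on the AD computer
# object, and optionally publish it there (workaround 2).
# Assumptions: RSAT ActiveDirectory module present; runs on the host being checked.
Import-Module ActiveDirectory

# Hypothetical values: replace with the real computer account and the CA that
# issues your machine certificates.
$ComputerName = $env:COMPUTERNAME
$IssuerFilter = 'CN=Example-Issuing-CA'    # placeholder issuer name

# The certificate the supplicant presents in EAP-TLS lives in the machine store.
$local = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerFilter*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $local) {
    throw "No machine certificate issued by $IssuerFilter found in Cert:\LocalMachine\My"
}

# userCertificate on the computer object holds the DER blobs that ISE compares
# byte-for-byte against the presented certificate.
$account   = Get-ADComputer -Identity $ComputerName -Properties userCertificate
$published = @($account.userCertificate | ForEach-Object {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_)
})

"Local machine cert : $($local.Subject)  thumbprint $($local.Thumbprint)"
"Published on AD obj: $($published.Count) certificate(s)"
$published | ForEach-Object { "  $($_.Thumbprint)  $($_.Subject)  expires $($_.NotAfter)" }

# Binary comparison only succeeds on an exact match of the DER encoding, so
# compare thumbprints (SHA-1 over the DER bytes), not subject names.
if ($published.Thumbprint -contains $local.Thumbprint) {
    'OK: the presented certificate matches a userCertificate value on the computer account.'
} else {
    'MISMATCH: binary comparison will fail for this host (condition 2 of this bug).'
    # Workaround 2: publish the certificate on the computer account. Uncomment to apply.
    # Set-ADComputer -Identity $ComputerName -Certificates @{ Add = $local }
}
```

A subject or SAN match is not enough for binary comparison: after the machine certificate is renewed, the old DER blob left in userCertificate no longer matches the new certificate, so re-run this check (or re-publish with Set-ADComputer) whenever the certificate rolls over.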
Further Problem Description