topic Re: Unable to use EAP-FAST with Windows10. in Network Access Control

Unable to use EAP-FAST with Windows10.

pbesset — Mon, 01 Apr 2019 09:28:45 GMT

Hi,

I recently set up a Cisco ISE 2.4 install for my company. We are using Cisco Anyconnect 4.7 (with NAM component) on WIndows10.

PEAP(EAP-MSCHAPv2) and EAP-TLS are working well but if I try to use EAP-FAST(EAP-MSCHAPv2) it fails. I tried with User Auth only and with Eap-Chaining but both failed. I keep having the following error message:

"12116 Client sent Result TLV indicating failure"

Did you allready meet this issue ?

Regards.

Re: Unable to use EAP-FAST with Windows10.

Mike.Cifelli — Fri, 29 Mar 2019 12:49:38 GMT

Did you properly configure your configuration.xml file that is used with NAM using the NAM profile editor? Are you using PACs? If not, double check that your general EAP-FAST settings in ISE allow pac-less session resume (Administration->Settings->Protocols->EAP-FAST->EAP-FAST Settings. Can you run a few debug commands on your NAD for the host you are testing and share as well?
debug aaa authentication
debug radius authentication

Re: Unable to use EAP-FAST with Windows10.

pbesset — Fri, 29 Mar 2019 13:33:39 GMT

Hi Mike,

I used the NAM profile editor and made this configuration, I use PACs:

The EAP-FAST configuration is the following (I enabled "pac-less resume" but I do not think I need it):

The logs from the NAD are not very handy, here is the switch output:

Mar 29 14:26:20 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (XXXX.XXXX.XXXX) with reason (Cred Fail) on Interface Gi1/0/2 AuditSessionID 10FEFE0A00000114C9A1077E
Mar 29 14:26:27 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (XXXX.XXXX.XXXX) with reason (Cred Fail) on Interface Gi1/0/2 AuditSessionID 10FEFE0A00000114C9A1077E
Mar 29 14:26:35 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (XXXX.XXXX.XXXX) with reason (Cred Fail) on Interface Gi1/0/2 AuditSessionID 10FEFE0A00000114C9A1077E
Mar 29 14:26:35 GMT: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (XXXX.XXXX.XXXX) on Interface GigabitEthernet1/0/2 AuditSessionID 10FEFE0A00000114C9A1077E. Failure reason: Authc fail. Authc failure reason: Cred Fail.

Regards.

Re: Unable to use EAP-FAST with Windows10.

Mike.Cifelli — Fri, 29 Mar 2019 14:18:09 GMT

Since you are using PACs you are correct. You do not need the pac-less session resume. Can you share your ISE authentication policy and allowed protocols profile being used there. If you goal is to enable fast reconnect then enable fast reconnect in your configuration.xml and test again.

Re: Unable to use EAP-FAST with Windows10.

pbesset — Fri, 29 Mar 2019 15:50:20 GMT

Mike,

Here is my authentication policy:

The allowed protocols profile is pretty simple too:

I tried with Fast-Reconnect enabled but the issue remains the same.

My final goal is to use Eap-Chaining but since user authentication is failing using EAP-Fast I debug step by step so I disabled EAP Chaining for the moment.

I am running ISE 2.4 so I will update to 2.4 Patch6 because it seems that the following bugs could be my issue:

Regards.

Re: Unable to use EAP-FAST with Windows10.

Mike.Cifelli — Fri, 29 Mar 2019 16:21:31 GMT

Can you share the radius live log detailed steps? Good luck with the upgrade.

Re: Unable to use EAP-FAST with Windows10.

hslai — Sat, 30 Mar 2019 21:54:23 GMT

CSCvm03681 most likely. See

Field Notice: FN - 70357 - Identity Services Engine and AnyConnect Secure Mobility Client 4.7 Fail to Authenticate When Using EAP-FAST with TLS 1.2 - Software Upgrade Recommended - Cisco

The other bug is for network devices (e.g. a Cisco IOS switch) to retrieve TrustSec policies from ISE.

Re: Unable to use EAP-FAST with Windows10.

pbesset — Mon, 01 Apr 2019 09:27:31 GMT

Hi Mike, Hslai,

After upgrading to 2.4 Patch 6, EAP-Fast and EAP-Chaining are now working well.

Thank you for your help.

Regards.