https://community.cisco.com/t5/network-access-control/eap-chaining-with-internal-id-stores/m-p/3692264#M508058 <P>This is not a supported setup as EAP-Chaining is for Windows environment ATM. Remember that machine authentication requires domain joined machine to function properly, which is not possible with ISE internal database. You&nbsp;may be able to fake machine authentication using machine certificate to bypass domain join requirement and make it work, but still not an orthodox setup.</P> <P>Can you provide why you are looking for such setup?</P> Tue, 21 Aug 2018 15:19:35 GMT howon 2018-08-21T15:19:35Z https://community.cisco.com/t5/network-access-control/eap-chaining-with-internal-id-stores/m-p/3692107#M508057 <P>Hello Friends!</P> <P>&nbsp;</P> <P>Today I tryed to implement EAP-chaining, but without certificate and AD integration.</P> <P>I didn`t find any information about it. All existig info regards of AD integration, and machine cert validation.</P> <P>&nbsp;</P> <P>Is it possible to do machine authentication using Internal Devices same way that we do User auth with Internal User store?</P> <P>As result a have this</P> <TABLE class="content_table" border="0"> <TBODY> <TR> <TD width="33%">SelectedAuthenticationIdentityStores</TD> <TD width="67%">Internal Users</TD> </TR> <TR> <TD width="33%">SelectedAuthenticationIdentityStores</TD> <TD width="67%"><STRONG>Internal Endpoints</STRONG></TD> </TR> <TR> <TD width="33%">SelectedAuthenticationIdentityStores</TD> <TD width="67%">All_AD_Join_Points</TD> </TR> <TR> <TD width="33%">SelectedAuthenticationIdentityStores</TD> <TD width="67%">Guest Users</TD> </TR> </TBODY> </TABLE> <TABLE class="content_table" border="0"> <TBODY> <TR> <TD width="33%">EapChainingResult</TD> <TD width="67%">User succeeded and <STRONG>machine failed</STRONG></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <TABLE class="content_table_steps" border="0" cellpadding="3"> <TBODY> <TR class=""> <TD>&nbsp;</TD> <TD>12219</TD> <TD>Selected identity type 'Machine'</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>12125</TD> <TD>EAP-FAST inner method started</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>11521</TD> <TD>Prepared EAP-Request/Identity for inner EAP method</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>12105</TD> <TD>Prepared EAP-Request with another EAP-FAST challenge</TD> </TR> <TR class="content_table_steps_highlight"> <TD>&nbsp;</TD> <TD>11006</TD> <TD>Returned RADIUS Access-Challenge</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>11001</TD> <TD>Received RADIUS Access-Request</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>11018</TD> <TD>RADIUS is re-using an existing session</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>12104</TD> <TD>Extracted EAP-Response containing EAP-FAST challenge-response</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>12213</TD> <TD>Identity type provided by client is not equal to requested type</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>12216</TD> <TD>Identity type provided by client was already used for authentication</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>12967</TD> <TD>Sent EAP Intermediate Result TLV indicating failure</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>12105</TD> <TD>Prepared EAP-Request with another EAP-FAST challenge</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>11006</TD> <TD>Returned RADIUS Access-Challenge</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>11001</TD> <TD>Received RADIUS Access-Request</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>11018</TD> <TD>RADIUS is re-using an existing session</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>12104</TD> <TD>Extracted EAP-Response containing EAP-FAST challenge-response</TD> </TR> <TR class=""> <TD>&nbsp;</TD> <TD>24715</TD> <TD>ISE has not confirmed locally previous successful machine authentication for user in Active Directory</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>A don`t understand what I`m doing wrong.&nbsp;</P> <P>&nbsp;</P> <P>Thanks in advance,</P> <P>Tom</P> Tue, 21 Aug 2018 11:48:59 GMT https://community.cisco.com/t5/network-access-control/eap-chaining-with-internal-id-stores/m-p/3692107#M508057 tommy182 2018-08-21T11:48:59Z https://community.cisco.com/t5/network-access-control/eap-chaining-with-internal-id-stores/m-p/3692264#M508058 <P>This is not a supported setup as EAP-Chaining is for Windows environment ATM. Remember that machine authentication requires domain joined machine to function properly, which is not possible with ISE internal database. You&nbsp;may be able to fake machine authentication using machine certificate to bypass domain join requirement and make it work, but still not an orthodox setup.</P> <P>Can you provide why you are looking for such setup?</P> Tue, 21 Aug 2018 15:19:35 GMT https://community.cisco.com/t5/network-access-control/eap-chaining-with-internal-id-stores/m-p/3692264#M508058 howon 2018-08-21T15:19:35Z https://community.cisco.com/t5/network-access-control/eap-chaining-with-internal-id-stores/m-p/3692285#M508059 <P>Thanks for your reference.</P> <P>Actually there is no real reason to do this, I was only doing this because of temporary disabled CA role in our DC.</P> <P>&nbsp;</P> <P>Again, thanks, It looks like I didn`t complete realize how chaining works(and generated this strange topic:)).</P> <P>&nbsp;</P> <P>Regards,</P> <P>Tom</P> Tue, 21 Aug 2018 15:41:51 GMT https://community.cisco.com/t5/network-access-control/eap-chaining-with-internal-id-stores/m-p/3692285#M508059 tommy182 2018-08-21T15:41:51Z