https://community.cisco.com/t5/network-access-control/dual-authentication-without-eap-chaining-eap-fastv2-using-ise/m-p/3567108#M518009 <HTML><HEAD></HEAD><BODY><P>The network gear doesn’t matter. Either is supports dot1x or it doesn’t. There is no temporary agent that does EAP chaining. Its part of the anyconnect NAM (which is a persistent supplicant). There is also the TEAP standard that we are asking Microsoft and Apple to implement in their supplicants. Please have your customer request this through them.</P><P></P><P>What about doing Machine &amp; User Auth with Microsoft native supplicant using MAR caching? Keep in mind this doesn't work with Fast USER Switching (known microsoft issue of only authenticating the first user on dot1x and not supplicant)</P><P>&nbsp; </P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200388-Understanding-Machine-Access-Restriction.html">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200388-Understanding-Machine-Access-Restriction.html</A></P><P></P><P><A href="https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html">https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html</A></P><P></P><P></P><P>Some partners <A href="https://community.cisco.com/docs/DOC-5661">berbee</A> like do advocate machine auth only i believe and then you can do what is called CWA chaining. </P></BODY></HTML> Wed, 07 Feb 2018 16:16:33 GMT Jason Kunst 2018-02-07T16:16:33Z https://community.cisco.com/t5/network-access-control/dual-authentication-without-eap-chaining-eap-fastv2-using-ise/m-p/3567107#M518007 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am looking to deploy a Meraki switch and AP network but the client wants to be able to authenticate both machine and user (equivalent to EAP Chaining).&nbsp;&nbsp; We are looking to deploy ISE 2.2 or 2.3 as the authentication server.&nbsp; The client does not want to deploy any additional software to their machines but would accept a temporary agent if necessary.&nbsp;&nbsp; Are there any suggestions on how this can be achieved in a Meraki environment.....</P></BODY></HTML> Wed, 07 Feb 2018 15:57:00 GMT https://community.cisco.com/t5/network-access-control/dual-authentication-without-eap-chaining-eap-fastv2-using-ise/m-p/3567107#M518007 c.newcombe 2018-02-07T15:57:00Z https://community.cisco.com/t5/network-access-control/dual-authentication-without-eap-chaining-eap-fastv2-using-ise/m-p/3567108#M518009 <HTML><HEAD></HEAD><BODY><P>The network gear doesn’t matter. Either is supports dot1x or it doesn’t. There is no temporary agent that does EAP chaining. Its part of the anyconnect NAM (which is a persistent supplicant). There is also the TEAP standard that we are asking Microsoft and Apple to implement in their supplicants. Please have your customer request this through them.</P><P></P><P>What about doing Machine &amp; User Auth with Microsoft native supplicant using MAR caching? Keep in mind this doesn't work with Fast USER Switching (known microsoft issue of only authenticating the first user on dot1x and not supplicant)</P><P>&nbsp; </P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200388-Understanding-Machine-Access-Restriction.html">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200388-Understanding-Machine-Access-Restriction.html</A></P><P></P><P><A href="https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html">https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html</A></P><P></P><P></P><P>Some partners <A href="https://community.cisco.com/docs/DOC-5661">berbee</A> like do advocate machine auth only i believe and then you can do what is called CWA chaining. </P></BODY></HTML> Wed, 07 Feb 2018 16:16:33 GMT https://community.cisco.com/t5/network-access-control/dual-authentication-without-eap-chaining-eap-fastv2-using-ise/m-p/3567108#M518009 Jason Kunst 2018-02-07T16:16:33Z