https://community.cisco.com/t5/network-access-control/ise-support-for-machine-certificate-plus-user-authentication/m-p/4195606#M564229 <P>I found the following that was posted here many years ago.</P> <P>Is this post still valid? Is EAP Chaining with AnyConnect client the only way to accomplish this?</P> <P>OR has something changed in ISE to support 2 authentications from one device?</P> <P>Cut from previous post.</P> <P>I don't believe that this is possible and it is due to the limitations of the native windows supplicant where can do either one of the following:</P> <P>1. User authentication</P> <P>2. Machine authentication</P> <P>3. Machine or user authentication</P> <P>Machine+User authentication can only be accomplished with EAP-Chaining which is only supported by AnyConnect.</P> Wed, 09 Dec 2020 01:20:38 GMT tiryan 2020-12-09T01:20:38Z https://community.cisco.com/t5/network-access-control/ise-support-for-machine-certificate-plus-user-authentication/m-p/4195606#M564229 <P>I found the following that was posted here many years ago.</P> <P>Is this post still valid? Is EAP Chaining with AnyConnect client the only way to accomplish this?</P> <P>OR has something changed in ISE to support 2 authentications from one device?</P> <P>Cut from previous post.</P> <P>I don't believe that this is possible and it is due to the limitations of the native windows supplicant where can do either one of the following:</P> <P>1. User authentication</P> <P>2. Machine authentication</P> <P>3. Machine or user authentication</P> <P>Machine+User authentication can only be accomplished with EAP-Chaining which is only supported by AnyConnect.</P> Wed, 09 Dec 2020 01:20:38 GMT https://community.cisco.com/t5/network-access-control/ise-support-for-machine-certificate-plus-user-authentication/m-p/4195606#M564229 tiryan 2020-12-09T01:20:38Z https://community.cisco.com/t5/network-access-control/ise-support-for-machine-certificate-plus-user-authentication/m-p/4195613#M564232 <P>ISE 2.7 release also provided the option for EAP-TEAP as an alternative to EAP-Chaining with NAM. As of today, only Windows supports EAP-TEAP, and of that only the Windows 10 2004+ (May 2020 release) 2H builds or newer.&nbsp;</P> <P><A href="https://community.cisco.com/t5/security-documents/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289" target="_blank">https://community.cisco.com/t5/security-documents/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289</A></P> <P>&nbsp;</P> <P>There were a couple open bugs in 2.7 for TEAP, but I believe patch 3 was going to address them.&nbsp;</P> Wed, 09 Dec 2020 01:51:28 GMT https://community.cisco.com/t5/network-access-control/ise-support-for-machine-certificate-plus-user-authentication/m-p/4195613#M564232 Damien Miller 2020-12-09T01:51:28Z https://community.cisco.com/t5/network-access-control/ise-support-for-machine-certificate-plus-user-authentication/m-p/4195655#M564234 <P>In addition to the excellent answer from Damien, you can also do EAP+CWA chaining where machines that successfully authenticate with machine certificates are punted through the Central Web Authentication flow for user based authentication.&nbsp;</P> <P><EM>Thank you rating helpful posts!</EM></P> Wed, 09 Dec 2020 05:37:12 GMT https://community.cisco.com/t5/network-access-control/ise-support-for-machine-certificate-plus-user-authentication/m-p/4195655#M564234 nspasov 2020-12-09T05:37:12Z https://community.cisco.com/t5/network-access-control/ise-support-for-machine-certificate-plus-user-authentication/m-p/4195928#M564246 <P>Thank you to both of you for the quick responses.&nbsp; Do you know what version of ISE is needed to support the EAP+CWA chaining?&nbsp;</P> <P>&nbsp;</P> Wed, 09 Dec 2020 14:46:35 GMT https://community.cisco.com/t5/network-access-control/ise-support-for-machine-certificate-plus-user-authentication/m-p/4195928#M564246 tiryan 2020-12-09T14:46:35Z https://community.cisco.com/t5/network-access-control/ise-support-for-machine-certificate-plus-user-authentication/m-p/4196103#M564255 <P>I really don't recall but this has been supported for a while...probably since ISE 2.0 days.&nbsp;</P> <P><EM>Thank you rating helpful posts!</EM></P> Wed, 09 Dec 2020 17:20:26 GMT https://community.cisco.com/t5/network-access-control/ise-support-for-machine-certificate-plus-user-authentication/m-p/4196103#M564255 nspasov 2020-12-09T17:20:26Z