https://community.cisco.com/t5/network-access-control/teap-and-ise-machine-and-user-certificate-authentication/m-p/4416437#M567789 <P>At the same time I have to distinguish between the statuses:<BR />1) MACHINE PASS, when user didn't attempt to authenticate, and grand access,</P><P>2) and Machine Pass but a User fails, so the access should not be granted.<BR />For both cases the <U>eap&nbsp;chaining</U>&nbsp;status will be <U>User failed and machine succeeded</U>.</P> Thu, 10 Jun 2021 21:42:13 GMT fedor.solovev 2021-06-10T21:42:13Z https://community.cisco.com/t5/network-access-control/teap-and-ise-machine-and-user-certificate-authentication/m-p/4415685#M567760 <P>Hello guys.<BR /><BR />Have anyone already configured TEAP with ISE ?<BR />There is an issue with authorization matching because of the anonymous Radius Name.</P><P>Can we match Username from Overview or Authentication Details of the request ?</P><P>Or maybe there is a Registry key on Windows to make Windows to send /host as Radius User Name ?</P><P>Any other suggestions are appreciated.</P><P>&nbsp;</P><P>Here is a description.</P><P>This is ISE 3.0 and a&nbsp;switch 3750 and Windows 10 with TEAP configured.<BR /><BR />1) TEAP sends <STRONG><U>anonymous</U> </STRONG>as Other Attributes -&gt; Radius Username for both machine and user authentication all the time,</P><P>but Windows "Enable identity privacy" it is not configured.<BR />2) For the "Machine only" authoriZation&nbsp;the well known filter <EM><U>Radius User-Name == starting as /host</U></EM> doesn't work because the host doesn't send it in the request.<BR />3) If configure the AuthZ rule to match <U><EM>User-Name == starting as "anonymous"</EM></U>, it matches for user authentication/authorization as well.<BR /><BR />These is a piece of the logs for the machine authentication:<BR /><BR />Overview</P><TABLE border="0"><TBODY><TR><TD>Event</TD><TD>5200 Authentication succeeded</TD></TR><TR><TD>Username</TD><TD>anonymous,host/HOST.DOMAIN.com</TD></TR></TBODY></TABLE><H3>Authentication Details</H3><TABLE border="0"><TBODY><TR><TD>Source Timestamp</TD><TD>2021-06-09 12:49:28.762</TD></TR><TR><TD>Received Timestamp</TD><TD>2021-06-09 12:49:28.762</TD></TR><TR><TD>Policy Server</TD><TD>ise</TD></TR><TR><TD>Event</TD><TD>5200 Authentication succeeded</TD></TR><TR><TD>Username</TD><TD>anonymous,host/HOST.DOMAIN.com</TD></TR></TBODY></TABLE><P>Other Attributes</P><TABLE border="0"><TBODY><TR><TD>RADIUS Username</TD><TD>anonymous</TD></TR></TBODY></TABLE><P><BR />Windows 10 configuration:</P><P>.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2021-06-09 13-34-56 3.45.20.14 - Remote Desktop Connection.png" style="width: 377px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/122389i04F275D15C63D6F6/image-size/large?v=v2&amp;px=999" role="button" title="2021-06-09 13-34-56 3.45.20.14 - Remote Desktop Connection.png" alt="2021-06-09 13-34-56 3.45.20.14 - Remote Desktop Connection.png" /></span><BR />.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 09 Jun 2021 18:51:39 GMT https://community.cisco.com/t5/network-access-control/teap-and-ise-machine-and-user-certificate-authentication/m-p/4415685#M567760 fedor.solovev 2021-06-09T18:51:39Z https://community.cisco.com/t5/network-access-control/teap-and-ise-machine-and-user-certificate-authentication/m-p/4415918#M567766 <P>&nbsp;</P> <P>&nbsp;- FYI :&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html#:~:text=Navigate%20to%20ISE%20%3E%20Policy%20%3E%20Policy,to%20the%20Identity%20Source%20Sequence" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html#:~:text=Navigate%20to%20ISE%20%3E%20Policy%20%3E%20Policy,to%20the%20Identity%20Source%20Sequence</A>.</P> <P>&nbsp;M.</P> Thu, 10 Jun 2021 06:50:51 GMT https://community.cisco.com/t5/network-access-control/teap-and-ise-machine-and-user-certificate-authentication/m-p/4415918#M567766 Mark Elsen 2021-06-10T06:50:51Z https://community.cisco.com/t5/network-access-control/teap-and-ise-machine-and-user-certificate-authentication/m-p/4416117#M567772 <P>I have not run into this issue when testing TEAP.&nbsp; That anonymous identity you see in live logs means that there was only machine auth.&nbsp;&nbsp;</P> <P>See if this helps/sheds light:&nbsp;<A href="https://www.ise-support.com/2020/05/29/using-teap-for-eap-chaining/" target="_blank">Using TEAP for EAP Chaining – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)</A></P> <P>&nbsp;</P> Thu, 10 Jun 2021 13:15:41 GMT https://community.cisco.com/t5/network-access-control/teap-and-ise-machine-and-user-certificate-authentication/m-p/4416117#M567772 Mike.Cifelli 2021-06-10T13:15:41Z https://community.cisco.com/t5/network-access-control/teap-and-ise-machine-and-user-certificate-authentication/m-p/4416359#M567777 <P>Hello Marce.<BR />Thank you for the link. It is not like I posted this thread after googling for 5 minutes only <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span></P><P><BR />Regarding the guide:<BR />AuthN<BR />1)There are no explicit requirements for the certificate authentication.</P><P>They don't show us what is included in the "cert_profile" as well.<BR />I am going to check CN for a machine certificate and SAN for user certificate by creating 2 separated rules. It is not working correctly.<BR />On the windows machine I am not checking "Enable identity privacy" checkbox but it still uses <U>Radius User-Name</U> = ANONYMOUS for both machine and user requests.<BR />AuthZ<BR />2) For these policies - I would prefer these rules to be more specific then it is configured in the guide.<BR />For that reason I am trying explicitly distinguish Machine vs User authentication by checking /host portion of the name.<BR />This is the way it works for NAM, for example.<BR /><BR /></P> Thu, 10 Jun 2021 19:21:36 GMT https://community.cisco.com/t5/network-access-control/teap-and-ise-machine-and-user-certificate-authentication/m-p/4416359#M567777 fedor.solovev 2021-06-10T19:21:36Z https://community.cisco.com/t5/network-access-control/teap-and-ise-machine-and-user-certificate-authentication/m-p/4416377#M567780 <P>Hello Mike !<BR />Thank you for your reply. I red this guide as well.<BR /><BR />The point is I am not configuring anonymous on TEAP, so I am expecting Radius User Name to contain /host portion of it the way it works for EAP-FAST.<BR />I am very positive that for User Authentication this fiend remains the same.<BR />Other field in the logs are changing, though.</P><P>Such as:&nbsp;<STRONG>Username&nbsp;</STRONG>USERNAME,host/HOSTNAME.DOMAIN.com</P><P>The request has user portion /host domain portion in the request.<BR />Again we don't see what is it in SecDemo_AD_CAP certificate profile for AuthN.<BR />The policy in the guide doesn't check a certificate portion like CN or SAN.</P> Thu, 10 Jun 2021 19:57:25 GMT https://community.cisco.com/t5/network-access-control/teap-and-ise-machine-and-user-certificate-authentication/m-p/4416377#M567780 fedor.solovev 2021-06-10T19:57:25Z https://community.cisco.com/t5/network-access-control/teap-and-ise-machine-and-user-certificate-authentication/m-p/4416437#M567789 <P>At the same time I have to distinguish between the statuses:<BR />1) MACHINE PASS, when user didn't attempt to authenticate, and grand access,</P><P>2) and Machine Pass but a User fails, so the access should not be granted.<BR />For both cases the <U>eap&nbsp;chaining</U>&nbsp;status will be <U>User failed and machine succeeded</U>.</P> Thu, 10 Jun 2021 21:42:13 GMT https://community.cisco.com/t5/network-access-control/teap-and-ise-machine-and-user-certificate-authentication/m-p/4416437#M567789 fedor.solovev 2021-06-10T21:42:13Z