topic Re: EAP Chaining ? in Network Access Control

EAP Chaining ?

EdouardZorrilla0939 — Fri, 30 Jul 2021 04:24:57 GMT

Greetings,

I have deployed machine and user authentication, and there is something unexpected.

When the user, who has signed in to W10, tries to connect the computer, the access is denied because the machine has not authenticated first.

Can the W10 supplicant send the machine and user authentication when the user has already logged in to W10 ?

Thanks,

Edouard.

Re: EAP Chaining ?

balaji.bandi — Fri, 30 Jul 2021 09:49:55 GMT

In general Deployment, Device authenticate with Certificate installed already, and user authenticated with giiving user and password(based on the AD or any other form to get in to network), Once it authenticated it not required again and again, Until device moved or different network.

Can the W10 supplicant send the machine and user authentication when the user has already logged in to W10 ?

not sure we undersand this quesiton correctly, can you explain this, if the user already logged in why he need to send that information again ?

based on the first login user conencted port on the switch and dACL already populated right ?

or do i miss understood your requirement ?

good reference :

https://www.ise-support.com/2020/05/29/using-teap-for-eap-chaining/

Re: EAP Chaining ?

Mike.Cifelli — Fri, 30 Jul 2021 11:45:48 GMT

In regard to eap-chaining, ISE 2.7 and Windows 10 build 2004 (May 2020) and later added support for the industry standard TEAP. Prior to this eap-chaining required the use of the Cisco proprietary EAP-FAST, and in order to use EAP-FAST you needed to use the AnyConnect NAM module. Remember that eap-chaining grants you the ability to chain user and machine authentications together. Now with TEAP you can use the native supplicant but you need ISE 2.7 or later as well as the specific Win10 OS. Take a look at the following for examples & a better understanding of eap-chaining/supplicant usage:

TEAP for Windows 10 using Group Policy and ISE TEAP Configuration - Cisco Community

Understanding EAP-FAST and Chaining implementations on AnyConnect NAM and ISE - Cisco

HTH!

Re: EAP Chaining ?

EdouardZorrilla0939 — Fri, 30 Jul 2021 14:53:55 GMT

Hi Bakaji,

Thanks for replying.

Everything works when the user initiate the computer at office, (1) machine gets authenticated first and then, (2) user gets authenticated.

The scenario when it fails is:

MAR timeout is 8 hours in ISE.

User comes from home and computer is locked, then unlocks. Then user cannot access the wireless network unless user log off so machine can be authenticated.

My question is, can the machine and the user be authenticated when the user already initiated a session in the computer at home.

Thanks,

Edouard.

Re: EAP Chaining ?

EdouardZorrilla0939 — Fri, 30 Jul 2021 14:58:17 GMT

Hi Mike,

Thanks for replying.

Please let me read the documentation you share and maybe I can find the answer there.

Regards,

Edouard.

Re: EAP Chaining ?

balaji.bandi — Fri, 30 Jul 2021 15:31:44 GMT

My question is, can the machine and the user be authenticated when the user already initiated a session in the computer at home.

no it wont be work this way, because the Port conencted is changed, and IP address going to change here. (there is some tweaks required to be done Windows side)

@Mike.Cifelli given you good resouces to resolve this issue, still issue let us know.