https://community.cisco.com/t5/network-access-control/teap-eap-tls-issue-with-user-authentication/m-p/5319425#M597717 <P>We configured EAP chaining for TEAP and enabled certificate-based authentication for both user and machine.</P><P>Below are some key points:</P><UL><LI>ISE 3.3p7</LI><LI>Win 11</LI><LI>TEAP and EAP chaining protocols are enabled</LI><LI>We followed this <A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html#toc-hId-1877227078" target="_self">doc</A></LI><LI>Below is AuthZ policy set, and actions are permit all for both (for the sake of testing only)<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2025-08-11 104258.png" style="width: 976px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/250015iC8B9F7E1FA4F49AE/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2025-08-11 104258.png" alt="Screenshot 2025-08-11 104258.png" /></span></LI><LI>Here is the live logs result<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nw.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/250026i378A6497BFA86A88/image-size/large?v=v2&amp;px=999" role="button" title="nw.PNG" alt="nw.PNG" /></span></LI><LI>Here is the adapter auth settings</LI><LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image (2).png" style="width: 374px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/250018i141411B9906C7652/image-size/large?v=v2&amp;px=999" role="button" title="image (2).png" alt="image (2).png" /></span></LI><LI>Correct root cert is selected in both auth methods</LI><LI>User and machine cert enrollment is also working fine</LI></UL><P><STRONG>Issue:</STRONG> The machine gets successfully authenticated on wired connection and hit the correct policy but when the user log in, it hits the default ACCESS_REJECT policy.</P><P>Live logs results:</P><P>During machine auth =&nbsp;</P><TABLE border="0"><TBODY><TR><TD>EapChainingResult</TD><TD>User failed and machine succeeded</TD></TR></TBODY></TABLE><P>During user auth =&nbsp;</P><TABLE border="0"><TBODY><TR><TD>EapChainingResult</TD><TD>User succeeded and machine failed</TD></TR></TBODY></TABLE><P>We are not able to achieve&nbsp;User and machine succeeded result.</P><P>Any leads will be helpful!</P> Mon, 11 Aug 2025 08:19:54 GMT abdullaS 2025-08-11T08:19:54Z https://community.cisco.com/t5/network-access-control/teap-eap-tls-issue-with-user-authentication/m-p/5319425#M597717 <P>We configured EAP chaining for TEAP and enabled certificate-based authentication for both user and machine.</P><P>Below are some key points:</P><UL><LI>ISE 3.3p7</LI><LI>Win 11</LI><LI>TEAP and EAP chaining protocols are enabled</LI><LI>We followed this <A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html#toc-hId-1877227078" target="_self">doc</A></LI><LI>Below is AuthZ policy set, and actions are permit all for both (for the sake of testing only)<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2025-08-11 104258.png" style="width: 976px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/250015iC8B9F7E1FA4F49AE/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2025-08-11 104258.png" alt="Screenshot 2025-08-11 104258.png" /></span></LI><LI>Here is the live logs result<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nw.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/250026i378A6497BFA86A88/image-size/large?v=v2&amp;px=999" role="button" title="nw.PNG" alt="nw.PNG" /></span></LI><LI>Here is the adapter auth settings</LI><LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image (2).png" style="width: 374px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/250018i141411B9906C7652/image-size/large?v=v2&amp;px=999" role="button" title="image (2).png" alt="image (2).png" /></span></LI><LI>Correct root cert is selected in both auth methods</LI><LI>User and machine cert enrollment is also working fine</LI></UL><P><STRONG>Issue:</STRONG> The machine gets successfully authenticated on wired connection and hit the correct policy but when the user log in, it hits the default ACCESS_REJECT policy.</P><P>Live logs results:</P><P>During machine auth =&nbsp;</P><TABLE border="0"><TBODY><TR><TD>EapChainingResult</TD><TD>User failed and machine succeeded</TD></TR></TBODY></TABLE><P>During user auth =&nbsp;</P><TABLE border="0"><TBODY><TR><TD>EapChainingResult</TD><TD>User succeeded and machine failed</TD></TR></TBODY></TABLE><P>We are not able to achieve&nbsp;User and machine succeeded result.</P><P>Any leads will be helpful!</P> Mon, 11 Aug 2025 08:19:54 GMT https://community.cisco.com/t5/network-access-control/teap-eap-tls-issue-with-user-authentication/m-p/5319425#M597717 abdullaS 2025-08-11T08:19:54Z https://community.cisco.com/t5/network-access-control/teap-eap-tls-issue-with-user-authentication/m-p/5319436#M597720 <P>Do you have such authorization policy for both suceeded?</P> Mon, 11 Aug 2025 08:52:16 GMT https://community.cisco.com/t5/network-access-control/teap-eap-tls-issue-with-user-authentication/m-p/5319436#M597720 JPavonM 2025-08-11T08:52:16Z https://community.cisco.com/t5/network-access-control/teap-eap-tls-issue-with-user-authentication/m-p/5319438#M597721 <P>only change the order of Authz&nbsp;<BR />1- both success&nbsp;<BR />2- user failed and machine success&nbsp;<BR /><BR />this order is write in doc you share and this what I know how you config chain&nbsp;<BR /><BR /><BR />MHM</P> Mon, 11 Aug 2025 09:02:37 GMT https://community.cisco.com/t5/network-access-control/teap-eap-tls-issue-with-user-authentication/m-p/5319438#M597721 MHM Cisco World 2025-08-11T09:02:37Z https://community.cisco.com/t5/network-access-control/teap-eap-tls-issue-with-user-authentication/m-p/5319442#M597724 <P>Yes this one.. but i cannot see eap chain result of both succeeded in the live logs when user login</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2025-08-11 120246.png" style="width: 812px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/250030iD58B11EEB684E6FD/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2025-08-11 120246.png" alt="Screenshot 2025-08-11 120246.png" /></span></P> Mon, 11 Aug 2025 09:05:33 GMT https://community.cisco.com/t5/network-access-control/teap-eap-tls-issue-with-user-authentication/m-p/5319442#M597724 abdullaS 2025-08-11T09:05:33Z https://community.cisco.com/t5/network-access-control/teap-eap-tls-issue-with-user-authentication/m-p/5319520#M597728 <P>Update:</P><P>This issue was resolved. There were some mismatch attributes in SAN of the user cert after making some changings the issue was resolved.</P> Mon, 11 Aug 2025 12:10:41 GMT https://community.cisco.com/t5/network-access-control/teap-eap-tls-issue-with-user-authentication/m-p/5319520#M597728 abdullaS 2025-08-11T12:10:41Z