topic Re: EAP Chaining Both Authz Rule Not Matching in Network Access Control

EAP Chaining Both Authz Rule Not Matching

MSJ1 — Mon, 01 Dec 2025 19:27:57 GMT

Hello Greg,

This looks interesting to me. For Authz rule it never matches the 1st rule. After device is booted and before user logged in i see at ISE EAP Chaining result is User Failed but Machine Succeeded & it matches the 2nd Authz rule and then when user logs in i see User Succeeded and Machine succeeded and matching the same Authz rule.

I should see 2 Authz match - Can you advise what I am missing ?

AuthZ Policy

Re: EAP Chaining Both Authz Rule Not Matching

Greg Gibbs — Mon, 01 Dec 2025 21:41:20 GMT

The policy looks pretty basic, so something is not matching in the top rule.

I would assume it's the user group match, but you can confirm that by removing that matching condition.

At that point, you would need to look at the detailed Live Logs to confirm that the User credential is being sent in UPN format, that ISE is using that credential for identity, and that the membership group ID matches what you see in Entra ID.

If all of the above is true, then you might need to open a TAC case to investigate further why the condition is not matching.

Re: EAP Chaining Both Authz Rule Not Matching

MSJ1 — Mon, 01 Dec 2025 22:32:55 GMT

@Greg Gibbs

When I disable rule 2 from the screenshot and as I said it does not match the rule 1 and it matches deny authz on that log I see

on PremisesUserPrincipalName is BLANK

But on same Auth Fail log I see "User Succeeded and Machine Succeeded"

in CAP for field - Use Identity From - I am using Certificate Attribute - Subject Common Name. From common name it should be able to read UPN.

Any more clue plz ?

Re: EAP Chaining Both Authz Rule Not Matching

MSJ1 — Mon, 01 Dec 2025 22:45:53 GMT

From the REST ID Entra ID Integration - I removed - User Attribute - onPremisesUserPrincipalName and added UserPrincipalName , now in the failed log I see UPN field but still not working

Re: EAP Chaining Both Authz Rule Not Matching

Greg Gibbs — Tue, 02 Dec 2025 21:33:13 GMT

There is nowhere near enough detail here to provide any meaningful assistance, nor is there any indication that the prior suggestions have been followed. See How to Ask the Community for Help.

Call TAC to investigate

Re: EAP Chaining Both Authz Rule Not Matching

MSJ1 — Thu, 04 Dec 2025 00:11:13 GMT

@Greg Gibbs after removing the Entra AD Group it matches user succeeded and machine succeeded policy when user logs in. Interesting is if I call an Old AD Group where the same user is it matches the user user succeeded and machine succeeded policy.

For some reason ISE is not able to lookup the user when a newly created Entra Group is called as part of user Authz rule.

Both working and non working Entra group I can add from REST ID Section >> User group and User Attribute is UPN.

in the debug log it shows - it is not able to fetch the non working group.

My understanding it matches this bug - https://bst.cisco.com/quickview/bug/CSCwd34467 , however here ise version is 3.5

Re: EAP Chaining Both Authz Rule Not Matching

Cristian Matei — Thu, 04 Dec 2025 09:48:31 GMT

Hi,

Your authorization policies matching criteria don't look right. Follow this document and if you still don't have it working afterwards, past print-screens of ISE Authentication Details for both machine and user/machine steps.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html

Thanks,

Cristian.

Re: EAP Chaining Both Authz Rule Not Matching

Greg Gibbs — Fri, 05 Dec 2025 00:46:21 GMT

"For some reason ISE is not able to lookup the user when a newly created Entra Group is called as part of user Authz rule."

This sounds more like some sort of role/permission issue on the group or something else on the Entra side. I use Entra only groups (as opposed to hybrid AD groups) all the time and have never seen this behaviour.

I would suggest confirming that these are Security Groups (not Microsoft 365 Groups), confirm if there is any difference in the assignment type (direct, dynamic, etc), and review the relevant logs on the Entra ID side.

You could try opening a TAC case, but considering you've already looked at the ISE debug logs, they may suggest you open a case with Microsoft to check the Entra side anyway.

Re: EAP Chaining Both Authz Rule Not Matching

MSJ1 — Mon, 09 Feb 2026 23:29:16 GMT

Unfortunately this issue is related to CSCws30603 ( ISE unable to fetch user group membership if user belongs to more than 20 groups ).

Is there time line can someone share when this bug will be resolved ? for version 3.5.

What are the workarounds if we cannot use Device/User GroupMembership due to this bug to use in AuthC and AuthC Profile ?