Beginner

Authentication Open on switch Vs EAP chaining with user and machine certificate

Hi Team,

I am deploying ISE 2.2 patch 6 in production at one of my customers and have a query regarding monitor mode and EAP chaining.

Components used:

ISE 2.2 P6

AnyConnect NAM 4.5.x

Dot1x Authentication - user and machine certificate authentication

Switch Deployment - Monitor mode

EAP Chaining (certificate authentication) is working fine with following scenarios:

  • user and machine both succeeded: observed the expected behavior as per the policies configured in ISE.
  • user succeeded and machine failed: the machine certificate is not present on the endpoint, only the user certificate is present. However, in this scenario the endpoint is getting access as per the ISE policies.

But EAP chaining (certificate authentication) is not working with following scenario:

  • user failed and machine succeeded: in this scenario the user certificate is not present on the endpoint. AnyConnect NAM pops up a dialogue for selecting a user certificate, but we are not able to select anything as there is no user certificate present on the endpoint, and hence we do not get network access, even though the switch port is in authentication open mode.

Please let me know if this is the expected behavior of AnyConnect NAM.

Thanks in advance!

regards,

Sadashiv

VIP Engager

Re: Authentication Open on switch Vs EAP chaining with user and machine certificate

I usually don't do EAP chaining, but you should be able to set up a secondary wired profile that just does EAP-TLS computer authentication. If I am doing certificate authentication, I don't do EAP chaining and set up 3 NAM wired profiles:

Priority #1- User or Computer EAP-TLS

Priority #2- Computer EAP-TLS

Priority #3- no authentication

Priority #2 is there to handle the issue you are seeing, i.e. first time user logon to a machine and the user certificate hasn't autoenrolled yet.

Beginner

Re: Authentication Open on switch Vs EAP chaining with user and machine certificate

Hi Paul,

Thanks for your reply and workaround.

However, this workaround would not be feasible in our case. My original query is related to the behavior of NAM if the user certificate is not present on the endpoint and the switch is configured in authentication open mode.

From the test results, it looks like the endpoint/user doesn't get network access if the user certificate is not present.

Is this the expected behavior if we are using NAM?

Cisco Employee (Accepted Solution)

Re: Authentication Open on switch Vs EAP chaining with user and machine certificate

Hi Sadashiv,

This is expected behavior for NAM. If NAM cannot find a credential (username/password or certificate), we will prompt the user for this credential. When no credential is provided, we will not respond to the request from ISE and the connection will time out. In your case ISE is probably reporting "Endpoint abandoned EAP session"...

You may be able to use the port exception policy in NAM to help get around this. I am not sure in this case whether ISE is sending an authentication failure. If it is, you could allow access in NAM after a failed auth, or you can also allow access before any authentication is performed.

Hope this helps,

Steve S.

Beginner

Re: Authentication Open on switch Vs EAP chaining with user and machine certificate

Hi Steven,

Thanks for your inputs; we also had the same observation.

So one more query comes to my mind: if the user certificate is present and the machine certificate is not present, i.e. user succeeded and machine failed, then the endpoint gets network access in our scenario.

Does this mean that NAM checks user credentials before the machine credentials?

Thanks in advance!

Cisco Employee

Re: Authentication Open on switch Vs EAP chaining with user and machine certificate

Hi Sadashiv,

NAM will provide credentials in the order that they are requested by ISE. Is ISE actually hitting a "user pass, machine failed" policy, or a user-only policy? This would explain why you have access.

Thanks,

Steve S.
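The two points made in the replies above (a missing user certificate means NAM never answers, so ISE sees no chaining result at all, and access in the "user succeeded, machine failed" case depends on which authorization rule matches first) can be checked with a small model. The following is an added example, not code from NAM, ISE or anyone in this thread; it only models the behaviour described in the posts. The four `EapChainingResult` strings are the real values of the ISE attribute `Network Access:EapChainingResult`; the rule names, permissions and the two rule sets are constructed for illustration.

```python
"""Illustrative model of EAP chaining outcomes vs. ISE authorization ordering.

Added example: models what the thread reports about NAM, not NAM's internals.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Values of the ISE attribute "Network Access:EapChainingResult".
BOTH = "User and machine both succeeded"
USER_ONLY = "User succeeded and machine failed"
MACHINE_ONLY = "User failed and machine succeeded"
NO_CHAINING = "No chaining"


@dataclass
class Endpoint:
    has_machine_cert: bool
    has_user_cert: bool


def supplicant_result(ep: Endpoint) -> Optional[str]:
    """Chaining result ISE ends up with, modelled on the thread.

    A credential NAM holds is sent when ISE asks for it; a missing machine
    certificate shows up as a failed machine phase. A missing user certificate
    makes NAM prompt the user, the prompt is never answered, NAM stops replying
    and ISE logs "Endpoint abandoned EAP session": no result is produced.
    """
    if not ep.has_user_cert:
        return None  # EAP session abandoned, nothing for ISE to authorize
    return BOTH if ep.has_machine_cert else USER_ONLY


@dataclass
class Rule:
    name: str
    matches: Callable[[str], bool]  # condition on EapChainingResult
    permission: str                 # authorization profile (constructed names)


def authorize(rules: List[Rule], chaining_result: Optional[str]) -> str:
    """First-match evaluation, the way an ISE authorization policy is walked."""
    if chaining_result is None:
        return "no session (EAP abandoned, no authorization)"
    for rule in rules:
        if rule.matches(chaining_result):
            return f"{rule.name} -> {rule.permission}"
    return "Default -> DenyAccess"


# A user-identity rule (think "member of Domain Users") matches whenever the
# user phase succeeded, regardless of the machine phase.
def user_phase_succeeded(result: str) -> bool:
    return result in (BOTH, USER_ONLY)


# Constructed rule set 1: broad user rule ABOVE the chaining-specific rule.
# This is the situation Steve asks about: the user-only rule grants access
# and the "machine failed" rule below it is never reached.
LOOSE_RULES = [
    Rule("Domain Users", user_phase_succeeded, "PermitAccess"),
    Rule("User only (machine failed)", lambda r: r == USER_ONLY, "Remediation VLAN"),
]

# Constructed rule set 2: chaining-specific rules first, so each of the four
# results lands on the rule written for it.
STRICT_RULES = [
    Rule("Both succeeded", lambda r: r == BOTH, "PermitAccess"),
    Rule("Machine only", lambda r: r == MACHINE_ONLY, "Machine-only ACL"),
    Rule("User only (machine failed)", lambda r: r == USER_ONLY, "Remediation VLAN"),
]


def outcome(ep: Endpoint, rules: List[Rule]) -> str:
    """End-to-end: which rule (if any) an endpoint with these certs hits."""
    return authorize(rules, supplicant_result(ep))


if __name__ == "__main__":
    cases = [
        Endpoint(has_machine_cert=True, has_user_cert=True),
        Endpoint(has_machine_cert=False, has_user_cert=True),
        Endpoint(has_machine_cert=True, has_user_cert=False),
    ]
    for ep in cases:
        print(ep)
        print("  loose :", outcome(ep, LOOSE_RULES))
        print("  strict:", outcome(ep, STRICT_RULES))
```

Running it shows the two effects side by side: the endpoint with only a machine certificate produces no authorization at all under either rule set, because the exchange never completes, while the endpoint with only a user certificate is permitted by `LOOSE_RULES` through the generic user rule and sent to remediation by `STRICT_RULES`. When debugging the OP's case, the first thing to check in ISE Live Logs is therefore whether the "user succeeded, machine failed" session matched the rule intended for it or an earlier, broader one.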

Cisco Employee

Re: Authentication Open on switch Vs EAP chaining with user and machine certificate

I assume you followed the instructions in How To: Deploy EAP Chaining with AnyConnect NAM and ISE ?