
Dual authentication without EAP Chaining/EAP FastV2 using ISE & Meraki

c.newcombe
Level 1

Hi,

I am looking to deploy a Meraki switch and AP network, but the client wants to be able to authenticate both machine and user (equivalent to EAP Chaining). We are looking to deploy ISE 2.2 or 2.3 as the authentication server. The client does not want to deploy any additional software to their machines but would accept a temporary agent if necessary. Are there any suggestions on how this can be achieved in a Meraki environment?


Accepted Solutions

Jason Kunst
Cisco Employee

The network gear doesn’t matter. Either it supports dot1x or it doesn’t. There is no temporary agent that does EAP chaining. It's part of the AnyConnect NAM (which is a persistent supplicant). There is also the TEAP standard that we are asking Microsoft and Apple to implement in their supplicants. Please have your customer request this through them.

What about doing Machine & User Auth with Microsoft native supplicant using MAR caching? Keep in mind this doesn't work with Fast User Switching (known Microsoft issue of only authenticating the first user on dot1x and not supplicant).

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200388-Understanding-Machine-Access-Restriction.html

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

Some partners like Berbee do advocate machine auth only, I believe, and then you can do what is called CWA chaining.
