05-31-2021 09:41 AM
Is it possible to set up a Cisco ISE authorization policy that uses TEAP chaining in combination with an Active Directory security group?
06-01-2021 01:13 AM
Hi @Maurice Ball,
Could you please clarify what exactly you want to achieve?
When using TEAP (EAP-Chaining) you can use the user information to retrieve the groups and build an authorization policy for it.
Please check this bug, as it might affect you: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt18613
BR
Rick
06-01-2021 01:55 AM
I am trying to configure my ISE policies to use TEAP with EAP-TLS as the inner method on Windows 10 computers.
It works fine if I use MSCHAPv2 as the inner method, but if I use EAP-TLS, I am hitting the same bug as listed below.
Note: My ISE version is 3.0 with patch 2 installed.
CSCvt18613
AuthZ Conditions with AD Groups Not matched for TEAP - EAP-Chaining
Description
Symptom:
Authorization rules conditioning on AD groups not matched.
Conditions:
TEAP with EAP Chaining Enabled
Either computer or user auth with the inner method MSCHAPv2
Expecting to hit AD group conditions
Workaround:
N/A
Further Problem Description
06-01-2021 11:18 PM
It should definitely work in my opinion.
If you can, please open a TAC case.
BR
Rick