Aruba Dot1x Eap Chaining Machine Auth 5400

ssschunk1
Level 1

Attempting to configure 802.1X EAP-FAST chaining through Aruba Wireless 8.5 and ISE 2.4. Has anyone been successful with the machine authentication piece? Is there a compatibility/proprietary roadblock with EAP-FAST that is preventing this from working? I had read on another thread that EAP-FAST v2 is proprietary, but cannot find confirmation.

Accepted Solution

Ok. I've gotten it working. 

I had created a new NAM Profile for the WLAN I was testing, saved it, then went into the AnyConnect client and manually created what I had just done within the profile. I believe this may have caused confusion in NAM.

After deleting the Saved Network in the client NAM page, everything started working as desired.  I recreated the Profile without manually creating the Saved Network and found after rebooting and logging in that the network appears in the Saved Networks page.  I am now just working out how to move this Local network into the Global Networks field so I can modify the priority order.


4 Replies

Greg Gibbs
Cisco Employee

The original method for EAP Chaining requires EAP-FASTv2 which is Cisco proprietary. No native supplicants support it, so you would need to use AnyConnect NAM for Windows endpoints to leverage EAP Chaining. See the following document:

Understanding EAP-FAST and Chaining implementations on AnyConnect NAM and ISE 


There is a published standards-based option for EAP Chaining (RFC 7170 - Tunnel EAP) that is supported in ISE 2.7, but vendors like Microsoft have not yet released support for it in their supplicants.


Cheers,

Greg

Thanks for the quick reply. We are currently using AnyConnect NAM v4.6.02074. I first created a new NAM profile for the Aruba dot1x SSID and attempted to replicate how our Cisco dot1x SSID was set up. I get the error:

24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory

I was thinking that EAP chaining was not working, as the Authentication Protocol states PEAP (EAP-MSCHAPv2) instead of the expected EAP-FAST (EAP-MSCHAPv2). I do not know how to discover why/where the shift to PEAP occurs.

It sounds like the Windows supplicant may be competing with and overriding the NAM supplicant. I believe AnyConnect should auto-disable the Wireless AutoConfig service when the NAM services start.

You might check the services and try manually disabling the Wireless AutoConfig service if it's still enabled.

If you haven't done so, you might delete the Windows WLAN (if it was configured there prior to installing NAM), confirm that there are no GPOs that are pushing WLAN config, and remove/re-install the NAM profile.


If all else fails, you might need to get a DART bundle and open a TAC case to have the logs analysed.


Cheers,

Greg
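The checks Greg lists above (is WLAN AutoConfig still running next to NAM, is a GPO pushing a WLAN profile, is there a leftover native Windows profile for the same SSID) can be scripted. The following is an added example written for this page, not code from the thread or from Cisco; the SSID `CORP-DOT1X` and the NAM agent service name `acnamagent` are assumptions, so substitute the values from your own environment. Run it in an elevated PowerShell on the affected Windows endpoint.

```powershell
# Added example (not from the thread). Detect the Windows native supplicant
# (WLAN AutoConfig, service name WlanSvc) competing with AnyConnect NAM, and
# surface Windows WLAN profiles for the 802.1X SSID that could cause the
# client to negotiate PEAP instead of NAM's EAP-FAST.
# ASSUMPTIONS: the SSID and the NAM service name below are illustrative.

$ssid       = 'CORP-DOT1X'   # assumed SSID of the Aruba 802.1X WLAN
$namService = 'acnamagent'   # assumed service name of the AnyConnect NAM agent

function Get-SupplicantState {
    # Returns one object so the result can be logged or compared across hosts.
    $wlan = Get-Service -Name WlanSvc     -ErrorAction SilentlyContinue
    $nam  = Get-Service -Name $namService -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WlanSvcStatus    = if ($wlan) { $wlan.Status }    else { 'NotFound' }
        WlanSvcStartType = if ($wlan) { $wlan.StartType } else { 'NotFound' }
        NamStatus        = if ($nam)  { $nam.Status }     else { 'NotFound' }
    }
}

$state = Get-SupplicantState
$state | Format-List

# 1. Both supplicants running at once is the condition described in the reply:
#    the native supplicant can grab the SSID and negotiate PEAP on its own.
if ($state.NamStatus -eq 'Running' -and $state.WlanSvcStatus -eq 'Running') {
    Write-Warning 'WLAN AutoConfig is running alongside NAM; stopping and disabling it.'
    Stop-Service -Name WlanSvc -Force
    Set-Service  -Name WlanSvc -StartupType Disabled
}

# 2. List every Windows WLAN profile. netsh prints GPO-delivered profiles under a
#    separate "Group policy profiles (read only)" heading; those have to be fixed
#    in the policy, not deleted locally.
$profiles = netsh wlan show profiles
$profiles

if ($profiles -match 'Group policy profiles') {
    Write-Warning 'A GPO is pushing WLAN profiles; remove the SSID from the policy.'
}

# 3. Remove a leftover local Windows profile for the same SSID so that only the
#    NAM profile remains. This is a no-op when no such profile exists.
if ($profiles -match [regex]::Escape($ssid)) {
    netsh wlan delete profile name="$ssid"
}
```

Stopping and disabling WlanSvc leaves Windows unable to manage wireless at all, so only take that step on machines where NAM is meant to be the sole supplicant, which is the deployment model the reply describes. If the profile keeps coming back after deletion, that is the usual sign of a GPO re-applying it.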
