01-27-2020 07:30 AM
Attempting to configure 802.1X EAP-FAST chaining through Aruba Wireless 8.5 and ISE 2.4. Has anyone been successful with the machine authentication piece? Is there a compatibility/proprietary roadblock with EAP-FAST that is preventing this from working? I had read on another thread that EAP-FAST v2 is proprietary, but cannot find confirmation.
01-28-2020 01:20 PM
Ok. I've gotten it working.
I had created a new NAM Profile for the WLAN I was testing, saved it, then went into the AnyConnect client and manually created what I had just done within the profile... I believe this may have caused confusion in NAM.
After deleting the Saved Network in the client NAM page, everything started working as desired. I recreated the Profile without manually creating the Saved Network and found after rebooting and logging in that the network appears in the Saved Networks page. I am now just working out how to move this Local network into the Global Networks field so I can modify the priority order.
01-27-2020 02:26 PM
The original method for EAP Chaining requires EAP-FASTv2 which is Cisco proprietary. No native supplicants support it, so you would need to use AnyConnect NAM for Windows endpoints to leverage EAP Chaining. See the following document:
Understanding EAP-FAST and Chaining implementations on AnyConnect NAM and ISE
There is a published standards-based option for EAP Chaining (RFC 7170 - Tunnel EAP) that is supported in ISE 2.7, but vendors like Microsoft have not yet released support for it in their supplicants.
Cheers,
Greg
01-27-2020 03:34 PM
Thanks for the quick reply. We are currently using AnyConnect NAM v4.6.02074. I first created a new NAM profile for the Aruba dot1x SSID and attempted to replicate how our Cisco dot1x SSID was set up. I get the error:
24715 | ISE has not confirmed locally previous successful machine authentication for user in Active Directory |
I was thinking that EAP chaining was not working, as the Authentication Protocol states: PEAP (EAP-MSCHAPv2) instead of the expected EAP-FAST (EAP-MSCHAPv2). I do not know how to discover why/where the shift to PEAP occurs.
01-27-2020 04:27 PM - edited 01-27-2020 04:27 PM
It sounds like the Windows supplicant may be competing with and overriding the NAM supplicant. I believe AnyConnect should auto-disable the Wireless AutoConfig service when the NAM services start.
You might check the services and try manually disabling the Wireless AutoConfig service if it's still enabled.
If you haven't done so, you might delete the Windows WLAN (if it was configured there prior to installing NAM), confirm that there are no GPOs that are pushing WLAN config, and remove/re-install the NAM profile.
If all else fails, you might need to get a DART bundle and open a TAC case to have the logs analysed.
Cheers,
Greg
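The checks Greg lists (is the Wireless AutoConfig service still running alongside NAM, and does the native Windows supplicant still hold a profile for the SSID, possibly pushed by Group Policy) can be scripted. The following PowerShell is an added example, not code from the thread or from Cisco. It assumes the NAM agent runs as a Windows service named `acnamagent`; if your install uses a different name, find it with `Get-Service *anyconnect*` and adjust `$namServiceName`. The script is read-only unless `-DisableWlanSvc` is passed, and even then it honours `-WhatIf`.

```powershell
# Added example (not from the thread): diagnose the competing-supplicant
# condition described above. Reports whether Wireless AutoConfig (WlanSvc)
# and the AnyConnect NAM agent are both running, lists WLAN profiles the
# native supplicant still holds (including "Group policy profiles"), and
# optionally stops/disables WlanSvc. Run from an elevated PowerShell.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$DisableWlanSvc   # only change service state when asked
)

# ASSUMPTION: service name of the NAM agent; verify with Get-Service *anyconnect*
$namServiceName = 'acnamagent'

function Get-SupplicantState {
    $wlan = Get-Service -Name 'WlanSvc'        -ErrorAction SilentlyContinue
    $nam  = Get-Service -Name $namServiceName  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WlanSvcStatus    = if ($wlan) { $wlan.Status }    else { 'NotFound' }
        WlanSvcStartType = if ($wlan) { $wlan.StartType } else { 'NotFound' }
        NamStatus        = if ($nam)  { $nam.Status }     else { 'NotFound' }
        # Both supplicants running at once is the condition that lets the
        # Windows supplicant take the SSID (and fall back to PEAP) before NAM.
        Conflict         = [bool]($wlan -and $nam -and
                                  $wlan.Status -eq 'Running' -and
                                  $nam.Status  -eq 'Running')
    }
}

function Get-NativeWlanProfiles {
    # netsh prints per-user profiles and a separate "Group policy profiles"
    # section; any entry for the NAM-managed SSID should not be there.
    netsh wlan show profiles
}

$state = Get-SupplicantState
$state | Format-List

if ($state.Conflict) {
    Write-Warning 'WlanSvc and NAM are both running; the native supplicant may override NAM.'
}

Write-Host "`nProfiles held by the native Windows supplicant:"
Get-NativeWlanProfiles

if ($DisableWlanSvc -and $state.WlanSvcStatus -eq 'Running') {
    if ($PSCmdlet.ShouldProcess('WlanSvc', 'Stop and disable Wireless AutoConfig')) {
        Stop-Service -Name 'WlanSvc'
        Set-Service  -Name 'WlanSvc' -StartupType Disabled
    }
}
```

Run it once without switches to see the service state and the profile list; if a profile for the Aruba SSID appears under the native supplicant, remove it there (and check for a GPO re-pushing it) before re-importing the NAM profile, as the reply above suggests. `-DisableWlanSvc -WhatIf` shows what the disabling step would do without changing anything.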