
Authentication with EAP-MD5/PEAP/FAST

Mika J
Level 1

Version: ISE 1.2p12

Hello,

 

I have trouble authenticating devices that use different protocols:

- Cisco IP Phones: EAP-MD5

- Windows machines: EAP-PEAP

- Cisco APs: EAP-FAST

 

1) I'm able to authenticate the IP Phones individually with an authentication rule:

IP PHONES If Wired_802.1X allowed protocols EAP-MD5

For EAP-MD5 I selected only EAP-MD5

 

Now if I use a generic rule

DEVICES If Wired_802.1X allowed protocols EAP-PEAP-FAST-MD5

with EAP-PEAP-FAST-MD5 having EAP-PEAP, EAP-FAST, EAP-MD5 selected, it doesn't work

 

ISE says that there's a protocol mismatch:

"Failure Reason: 12121 Client didn't provide suitable ciphers for anonymous PAC-provisioning"

ISE is trying to authenticate my phone with EAP-FAST while the Cisco phone is using EAP-MD5.

 

I read in another topic that some of you would consider MAB/Profiling for the APs and probably for the Cisco IP Phones. But I'm wondering if it's possible to have one authentication rule with allowed protocols EAP-PEAP-FAST-MD5

 

2) Also, if I place the EAP-MD5 authentication rule higher and then have a rule for EAP-PEAP-FAST below, it doesn't work because only the first rule is matched. I have configured the first rule with "If authentication fails = Continue".

 

Do any of you have hints?
