Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
953
Views
0
Helpful
2
Replies

Eap chaining with dot1x

adamgibs7
Level 6
Level 6

‎05-08-2018 12:22 PM - edited ‎02-21-2020 10:55 AM

Dears,

 

  1. my eap chaining Is working perfect, whenever user logoff i m not able to remote desktop pc, when i enter a command sh auth see int gig1/0/2 detail there is no ip on the port, so what is the solution for this type of scenario's
  2. i want to setup dot1x with certificate authentication with eap-tls anybody can route me to the configuration example. 

 

Please find the attached eap chaining conditions

 

 

Labels:
Preview file
36 KB
0 Helpful
2 Replies 2

Mohamed Abd Elnaser Mohamed Mohamed Ali
Level 1
Level 1

‎05-08-2018 01:07 PM - edited ‎05-08-2018 01:10 PM

Hi Adamgibs7

1-my eap chaining Is working perfect, whenever user logoff i m not able to remote desktop pc, when i enter a command sh auth see int gig1/0/2 detail there is no ip on the port, so what is the solution for this type of scenario's.

What Authorization is being pushed under this state within Cisco ISE (one of the conditions checks should be EAP-Chaining result == User failed and machine succeeded ) so if he hit this authz rule for Machine only authentication what authorization permission are you pushing (DACL, Vlan assignment,...etc) and if pushing DACL does exist or created in Cisco ISE and if created how many ACEs are inside this DACL (some platform may not process more than 64 ACE in a DACL (platform dependent?. in your switch do you have Device tracking enabled?

Please share Show Auth sess int gix/0/x details and logs from Cisco ISE

 

2-i want to setup dot1x with certificate authentication with eap-tls anybody can route me to the configuration example. 

for EAP-TLS assuming that you want server and client side TLS authentication, Then you would need the client to have its own certificate created by some Root CA that Cisco ISE has to trust and when Cisco ISE present its own EAP certificate to the client, the client has to trust the Root CA that signed that EAP certificate

The main concept for successful Certificate Authentication against Cisco ISE is that:

  • The CA signer of the machines certificates has to be in the ISE Trusted Root Certificates.
  • The CA signer of the ISE EAP Certificate has to be in the Machine Trusted Root Certificates.

So based on the above concept the following explains a successful authentication scenarios:

Both Machine and ISE certificates are signed by the same Root CA.

A-1.jpg

Machine and ISE certificates are signed by the different Root CAs

8.png

Machine have multiple certificates from same and different CAA-3.jpg

 

0 Helpful

adamgibs7
Level 6
Level 6
In response to Mohamed Abd Elnaser Mohamed Mohamed Ali

‎05-08-2018 01:32 PM

Thanks for the reply

 

What Authorization is being pushed under this state within Cisco ISE (one of the conditions checks should be EAP-Chaining result == User failed and machine succeeded ) so if he hit this authz rule for Machine only authentication what authorization permission are you pushing (DACL, Vlan assignment,...etc) and if pushing DACL does exist or created in Cisco ISE and if created how many ACEs are inside this DACL (some platform may not process more than 64 ACE in a DACL (platform dependent?. in your switch do you have Device tracking enabled

i have 2 policies one is machine passed and user passed and the another is user failed machine passed, the top most is user passed machine passed and below that is machine passed user failed,

 

still i m not able to get the IP address,

 

there is no issue when the user is logged in

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents