Eap chaining with dot1x

Dears,

 

  1. my eap chaining Is working perfect, whenever user logoff i m not able to remote desktop pc, when i enter a command sh auth see int gig1/0/2 detail there is no ip on the port, so what is the solution for this type of scenario's
  2. i want to setup dot1x with certificate authentication with eap-tls anybody can route me to the configuration example. 

Please find the attached eap chaining conditions

Re: Eap chaining with dot1x

Hi Adamgibs7

1. My EAP chaining is working perfectly. Whenever the user logs off, I am not able to remote desktop to the PC; when I enter the command sh auth sess int gig1/0/2 detail there is no IP on the port. What is the solution for this type of scenario?

What authorization is being pushed under this state within Cisco ISE? (One of the condition checks should be EAP-Chaining result == User failed and machine succeeded.) So if he hits this authz rule for machine-only authentication, what authorization permission are you pushing (DACL, VLAN assignment, etc.)? If you are pushing a DACL, does it exist or was it created in Cisco ISE, and if created, how many ACEs are inside this DACL (some platforms may not process more than 64 ACEs in a DACL; platform dependent)? In your switch, do you have device tracking enabled?

Please share show auth sess int gix/0/x details and logs from Cisco ISE.

2. I want to set up dot1x with certificate authentication with EAP-TLS. Can anybody route me to a configuration example?

For EAP-TLS, assuming that you want server- and client-side TLS authentication, you would need the client to have its own certificate created by some Root CA that Cisco ISE has to trust, and when Cisco ISE presents its own EAP certificate to the client, the client has to trust the Root CA that signed that EAP certificate.

The main concept for successful certificate authentication against Cisco ISE is that:

  • The CA signer of the machine certificates has to be in the ISE Trusted Root Certificates.
  • The CA signer of the ISE EAP certificate has to be in the machine's Trusted Root Certificates.

So based on the above concept, the following explains the successful authentication scenarios:

Both machine and ISE certificates are signed by the same Root CA (attached image A-1.jpg).

Machine and ISE certificates are signed by different Root CAs (attached image 8.png).

The machine has multiple certificates from the same and different CAs (attached image A-3.jpg).
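The two-direction trust rule above, as an added example that is not part of this thread or of Cisco ISE: a Go program (standard library only) that builds the "different Root CAs" scenario with constructed names (CorpRootCA, IseRootCA, pc01.corp.example, ise.corp.example), checks each certificate against the trust store that has to contain its signer, and shows that a machine whose trust store is missing the ISE root fails the server-side check even though ISE still accepts the machine certificate.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newCert issues a certificate for cn signed by parent; a nil parent makes a self-signed root CA.
func newCert(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // random serial, as a real CA would
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, ExtKeyUsage: eku,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// trusted reports whether leaf chains to a root in store for the given EKU. ISE runs this check on
// the machine certificate (ClientAuth), the supplicant on the ISE EAP certificate (ServerAuth).
func trusted(store *x509.CertPool, leaf *x509.Certificate, eku x509.ExtKeyUsage) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err == nil
}
// differentRootCAs models the reply's second scenario with constructed names (machine cert from
// CorpRootCA, ISE EAP cert from IseRootCA) and returns: ISE trusts the machine cert; a correctly
// provisioned machine trusts the ISE cert; a machine holding only CorpRootCA trusts the ISE cert.
func differentRootCAs() (iseTrustsMachine, machineTrustsISE, wrongStoreTrustsISE bool) {
	corpRoot, corpKey := newCert("CorpRootCA", nil, nil)
	iseRoot, iseKey := newCert("IseRootCA", nil, nil)
	machineCert, _ := newCert("pc01.corp.example", corpRoot, corpKey, x509.ExtKeyUsageClientAuth)
	iseEAPCert, _ := newCert("ise.corp.example", iseRoot, iseKey, x509.ExtKeyUsageServerAuth)
	iseStore, machineStore, wrongStore := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	iseStore.AddCert(corpRoot)    // ISE Trusted Certificates: signer of the machine certs
	machineStore.AddCert(iseRoot) // machine Trusted Root store: signer of the ISE EAP cert
	wrongStore.AddCert(corpRoot)  // machine store where IseRootCA was never imported
	return trusted(iseStore, machineCert, x509.ExtKeyUsageClientAuth),
		trusted(machineStore, iseEAPCert, x509.ExtKeyUsageServerAuth),
		trusted(wrongStore, iseEAPCert, x509.ExtKeyUsageServerAuth)
}
```

The same two helpers cover the first scenario (one shared root in both stores) and the EKU mismatch a supplicant hits when a client-only certificate is presented as the server certificate.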

Re: Eap chaining with dot1x

Thanks for the reply

What authorization is being pushed under this state within Cisco ISE? (One of the condition checks should be EAP-Chaining result == User failed and machine succeeded.) So if he hits this authz rule for machine-only authentication, what authorization permission are you pushing (DACL, VLAN assignment, etc.)? If you are pushing a DACL, does it exist or was it created in Cisco ISE, and if created, how many ACEs are inside this DACL (some platforms may not process more than 64 ACEs in a DACL; platform dependent)? In your switch, do you have device tracking enabled?

I have 2 policies: one is machine passed and user passed, and the other is user failed and machine passed. The topmost is user passed and machine passed, and below that is machine passed and user failed.

Still I am not able to get the IP address.

There is no issue when the user is logged in.