08-21-2018 04:48 AM
Hello Friends!
Today I tried to implement EAP-chaining, but without certificates and AD integration.
I didn't find any information about it. All existing info concerns AD integration and machine cert validation.
Is it possible to do machine authentication using Internal Devices the same way that we do user auth with the Internal Users store?
As a result I have this:
SelectedAuthenticationIdentityStores | Internal Users
SelectedAuthenticationIdentityStores | Internal Endpoints
SelectedAuthenticationIdentityStores | All_AD_Join_Points
SelectedAuthenticationIdentityStores | Guest Users
EapChainingResult | User succeeded and machine failed
12219 | Selected identity type 'Machine'
12125 | EAP-FAST inner method started
11521 | Prepared EAP-Request/Identity for inner EAP method
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
12213 | Identity type provided by client is not equal to requested type
12216 | Identity type provided by client was already used for authentication
12967 | Sent EAP Intermediate Result TLV indicating failure
12105 | Prepared EAP-Request with another EAP-FAST challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12104 | Extracted EAP-Response containing EAP-FAST challenge-response
24715 | ISE has not confirmed locally previous successful machine authentication for user in Active Directory
I don't understand what I'm doing wrong.
Thanks in advance,
Tom
08-21-2018 08:19 AM - edited 08-21-2018 08:19 AM
This is not a supported setup, as EAP-Chaining is for Windows environments ATM. Remember that machine authentication requires a domain-joined machine to function properly, which is not possible with the ISE internal database. You may be able to fake machine authentication using a machine certificate to bypass the domain-join requirement and make it work, but it is still not an orthodox setup.
Can you explain why you are looking for such a setup?
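As an added illustration (not code from this thread or from Cisco), here is a small Python script that parses the ISE authentication step list Tom posted above and turns it into a one-line verdict: which identity stores were selected, which identity type ISE asked for, and which steps (12213, 12216, 12967, 24715) explain the "User succeeded and machine failed" chaining result. The regexes, the ChainingReport structure and the wording of diagnose() are my own; the sample input is the step list copied from the post.

```python
import re
from dataclasses import dataclass, field

# Sample input: the step list from the post above, embedded here so the
# script runs offline. Trailing empty columns from the ISE report are optional.
SAMPLE_STEPS = """
SelectedAuthenticationIdentityStores | Internal Users |
SelectedAuthenticationIdentityStores | Internal Endpoints |
SelectedAuthenticationIdentityStores | All_AD_Join_Points |
SelectedAuthenticationIdentityStores | Guest Users |
EapChainingResult | User succeeded and machine failed |
12219 | Selected identity type 'Machine' | |
12125 | EAP-FAST inner method started | |
11521 | Prepared EAP-Request/Identity for inner EAP method | |
12104 | Extracted EAP-Response containing EAP-FAST challenge-response | |
12213 | Identity type provided by client is not equal to requested type | |
12216 | Identity type provided by client was already used for authentication | |
12967 | Sent EAP Intermediate Result TLV indicating failure | |
24715 | ISE has not confirmed locally previous successful machine authentication for user in Active Directory |
"""

# "<5-digit step code> | <description> | ..." lines
STEP_RE = re.compile(r"^\s*(\d{5})\s*\|\s*(.*?)\s*(?:\||$)")
# "<AttributeName> | <value> | ..." lines (checked only when STEP_RE fails)
KV_RE = re.compile(r"^\s*(\w+)\s*\|\s*(.*?)\s*(?:\||$)")

# Step codes that, in the posted log, mark the machine side going wrong.
# Their meaning is taken from the description text ISE prints next to them.
FAILURE_CODES = {"12213", "12216", "12967", "24715"}


@dataclass
class ChainingReport:
    identity_stores: list = field(default_factory=list)
    chaining_result: str = ""
    identity_type_requested: str = ""
    failure_steps: list = field(default_factory=list)  # (code, description)


def parse_ise_steps(text: str) -> ChainingReport:
    """Extract the EAP-chaining-relevant facts from an ISE step list."""
    report = ChainingReport()
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            code, desc = m.groups()
            if code == "12219":
                # e.g. "Selected identity type 'Machine'"
                t = re.search(r"'(\w+)'", desc)
                if t:
                    report.identity_type_requested = t.group(1)
            if code in FAILURE_CODES:
                report.failure_steps.append((code, desc))
            continue
        m = KV_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "SelectedAuthenticationIdentityStores":
                report.identity_stores.append(value)
            elif key == "EapChainingResult":
                report.chaining_result = value
    return report


def diagnose(report: ChainingReport) -> str:
    """One-line verdict on why the machine half of EAP chaining failed."""
    codes = {code for code, _ in report.failure_steps}
    if "machine failed" not in report.chaining_result.lower():
        return "no machine-side EAP chaining failure recorded"
    reasons = []
    if "12213" in codes or "12216" in codes:
        reasons.append("client did not present a usable machine identity "
                       f"when ISE asked for '{report.identity_type_requested}'")
    if "24715" in codes:
        reasons.append("ISE found no prior machine authentication in Active Directory")
    if "Internal Endpoints" in report.identity_stores and "All_AD_Join_Points" in report.identity_stores:
        # Per the accepted answer: machine auth needs a domain-joined machine,
        # which the ISE internal database cannot provide.
        reasons.append("Internal Endpoints cannot stand in for a domain-joined machine")
    return "machine part of EAP chaining failed: " + "; ".join(reasons)


if __name__ == "__main__":
    rep = parse_ise_steps(SAMPLE_STEPS)
    print(rep.chaining_result)
    print(diagnose(rep))
```

Feed it the full step list exported from the ISE live log detail view; only the step code and description columns are used, so extra columns are ignored.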
08-21-2018 08:41 AM
Thanks for your reference.
Actually there is no real reason to do this; I was only doing it because of a temporarily disabled CA role on our DC.
Again, thanks. It looks like I didn't completely realize how chaining works (and generated this strange topic :)).
Regards,
Tom