EAP-chaining with internal ID stores

tommy182
Level 1

Hello Friends!

Today I tried to implement EAP-chaining, but without certificate and AD integration.

I didn't find any information about it. All existing info regards AD integration and machine cert validation.

Is it possible to do machine authentication using Internal Devices same way that we do User auth with Internal User store?

As a result I have this:

SelectedAuthenticationIdentityStores Internal Users
SelectedAuthenticationIdentityStores Internal Endpoints
SelectedAuthenticationIdentityStores All_AD_Join_Points
SelectedAuthenticationIdentityStores Guest Users
EapChainingResult User succeeded and machine failed


  12219 Selected identity type 'Machine'
  12125 EAP-FAST inner method started
  11521 Prepared EAP-Request/Identity for inner EAP method
  12105 Prepared EAP-Request with another EAP-FAST challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12104 Extracted EAP-Response containing EAP-FAST challenge-response
  12213 Identity type provided by client is not equal to requested type
  12216 Identity type provided by client was already used for authentication
  12967 Sent EAP Intermediate Result TLV indicating failure
  12105 Prepared EAP-Request with another EAP-FAST challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12104 Extracted EAP-Response containing EAP-FAST challenge-response
  24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory

I don't understand what I'm doing wrong.

Thanks in advance,

Tom
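As an added example (not from the original post or from Cisco), a small Python triage helper that parses the ISE authentication detail quoted above and flags the machine half of the EAP chain failing. The step codes it keys on are the ones shown in the post; treating them as a failure signature is an assumption of this example, not an official Cisco mapping.

```python
import re

# Constructed sample input: attribute lines and steps copied from the ISE
# authentication detail quoted in the post above.
SAMPLE_REPORT = """\
SelectedAuthenticationIdentityStores Internal Endpoints
SelectedAuthenticationIdentityStores All_AD_Join_Points
EapChainingResult User succeeded and machine failed
  12219 Selected identity type 'Machine'
  12213 Identity type provided by client is not equal to requested type
  12216 Identity type provided by client was already used for authentication
  24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
"""

# Step codes from the post that mark the machine half of the chain being
# rejected. Assumption: a triage heuristic, not an official Cisco mapping.
MACHINE_FAILURE_STEPS = {12213, 12216, 24715}
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")


def parse_report(text: str) -> dict:
    """Split an ISE authentication detail into attributes and numbered steps."""
    report = {"identity_stores": [], "chaining_result": "", "steps": {}}
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            report["steps"][int(m.group(1))] = m.group(2)
            continue
        key, _, value = line.strip().partition(" ")
        if key == "SelectedAuthenticationIdentityStores":
            report["identity_stores"].append(value)
        elif key == "EapChainingResult":
            report["chaining_result"] = value
    return report


def machine_failure_steps(report: dict) -> list:
    """Step codes in this report that explain the failed machine half."""
    return sorted(c for c in report["steps"] if c in MACHINE_FAILURE_STEPS)


def triage(report: dict) -> str:
    """One-line verdict for an operator reading ISE live logs."""
    if "machine failed" not in report["chaining_result"].lower():
        return "no EAP-chaining machine failure"
    codes = machine_failure_steps(report)
    if not codes:
        return "machine half of EAP chain rejected; inspect inner-method steps"
    return ("machine half of EAP chain rejected at steps %s; machine identity "
            "not accepted from the selected identity stores" % ", ".join(map(str, codes)))
```

Run `triage(parse_report(SAMPLE_REPORT))` to see the verdict for the post's own log; feed it a different authentication detail to triage another session.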

1 Accepted Solution

Accepted Solutions

howon
Cisco Employee

This is not a supported setup as EAP-Chaining is for Windows environments ATM. Remember that machine authentication requires a domain-joined machine to function properly, which is not possible with the ISE internal database. You may be able to fake machine authentication using a machine certificate to bypass the domain join requirement and make it work, but it is still not an orthodox setup.

Can you provide a reason why you are looking for such a setup?

2 Replies

Thanks for your reference.

Actually there is no real reason to do this; I was only doing this because of a temporarily disabled CA role in our DC.

Again, thanks. It looks like I didn't completely realize how chaining works (and generated this strange topic :)).

Regards,

Tom