02-23-2015 05:02 PM - edited 03-10-2019 10:29 PM
We are deploying ISE-based .1x. The design is to use EAP-TLS for machine and EAP-PEAP for user. Apparently EAP-Chaining is recommended, but can anyone confirm whether we can do chaining based on machine TLS and user PEAP? I have done some investigation and could not find any supporting document, but also no document saying it is not supported. Looking at the AnyConnect profile editor, it does not look like this configuration is supported. Has anyone done this before?
Thanks a lot.
02-24-2015 04:45 AM
Yes, that is possible; I use it at a few different customers.
02-24-2015 02:24 PM
Thanks Jan. Do you have any info or link I can follow?
02-24-2015 03:51 PM
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
Just change the authentication policy to allow the methods you want to use under EAP-FAST (EAP chaining) and use the same ones in your NAM client configuration settings.
02-24-2015 04:19 PM
Thanks again. I have had another look at the profile editor; it is configurable.