EAP Chaining?

Greetings,

I have deployed machine and user authentication, and there is something unexpected.

When the user, who has signed in to W10, tries to connect with the computer, the access is denied because the machine has not authenticated first.

Can the W10 supplicant send the machine and user authentication when the user has already logged in to W10?

Thanks,

Edouard.
1 ACCEPTED SOLUTION

My question is, can the machine and the user be authenticated when the user already initiated a session in the computer at home.

No, it won't work this way, because the port connected is changed, and the IP address is going to change here. (There are some tweaks required to be done on the Windows side.)

@Mike.Cifelli gave you good resources to resolve this issue; if the issue persists, let us know.

BB
balaji.bandi

In a general deployment, the device authenticates with a certificate that is already installed, and the user is authenticated by giving a username and password (based on AD or any other form to get into the network). Once it is authenticated, it is not required again and again, until the device is moved or is on a different network.

Can the W10 supplicant send the machine and user authentication when the user has already logged in to W10?

Not sure we understand this question correctly; can you explain this? If the user is already logged in, why does he need to send that information again?

Based on the first login, the user's connected port on the switch and the dACL are already populated, right?

Or did I misunderstand your requirement?

Good reference:

https://www.ise-support.com/2020/05/29/using-teap-for-eap-chaining/

BB

Hi Balaji,

Thanks for replying.

Everything works when the user starts the computer at the office: (1) the machine gets authenticated first and then (2) the user gets authenticated.

The scenario when it fails is:

MAR timeout is 8 hours in ISE.

The user comes from home and the computer is locked, then unlocks. Then the user cannot access the wireless network unless the user logs off so the machine can be authenticated.

My question is, can the machine and the user be authenticated when the user has already initiated a session on the computer at home?

Thanks,

Edouard.


Mike.Cifelli

In regard to eap-chaining, ISE 2.7 and Windows 10 build 2004 (May 2020) and later added support for the industry standard TEAP. Prior to this, eap-chaining required the use of the Cisco proprietary EAP-FAST, and in order to use EAP-FAST you needed to use the AnyConnect NAM module. Remember that eap-chaining grants you the ability to chain user and machine authentications together. Now with TEAP you can use the native supplicant, but you need ISE 2.7 or later as well as the specific Win10 OS. Take a look at the following for examples and a better understanding of eap-chaining/supplicant usage:

TEAP for Windows 10 using Group Policy and ISE TEAP Configuration - Cisco Community

Understanding EAP-FAST and Chaining implementations on AnyConnect NAM and ISE - Cisco

HTH!
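To make the difference between the two flows discussed in this thread concrete, here is an added example (not code from the thread, from Cisco, or from ISE) that models the policy decision on the server side. A user-only authentication after an unlock has to rely on a MAR cache entry that ages out (the thread quotes an 8-hour MAR timeout), whereas TEAP EAP chaining carries the machine and user results in one EAP session and needs no cached state. The cache class, the decision functions, the MAC address and the timeline are all constructed for illustration; real ISE behaviour depends on the authorization policy you configure.

```python
"""Toy model of an ISE-style MAR (Machine Access Restriction) cache versus
TEAP EAP chaining.  Constructed example: the cache, decision strings, MAC
address and timeline are assumptions, not ISE's implementation."""
from dataclasses import dataclass, field
from typing import Dict, Optional

MAR_TIMEOUT_HOURS = 8.0  # MAR aging time quoted in the thread


@dataclass
class MarCache:
    """MAC address -> time (in hours) of the last successful machine
    authentication.  Entries are only valid for timeout_hours."""
    timeout_hours: float = MAR_TIMEOUT_HOURS
    entries: Dict[str, float] = field(default_factory=dict)

    def record_machine_auth(self, mac: str, now: float) -> None:
        self.entries[mac] = now

    def machine_authenticated(self, mac: str, now: float) -> bool:
        seen: Optional[float] = self.entries.get(mac)
        return seen is not None and (now - seen) < self.timeout_hours


def user_only_decision(cache: MarCache, mac: str, user_ok: bool, now: float) -> str:
    """Legacy flow: the supplicant sends only the user's credentials at unlock
    or reconnect, so the policy must prove the machine via the MAR cache."""
    if not user_ok:
        return "REJECT: user credentials failed"
    if not cache.machine_authenticated(mac, now):
        return "REJECT: no valid machine authentication in MAR cache"
    return "PERMIT: user authenticated, machine proven via MAR"


def chained_decision(machine_ok: bool, user_ok: bool) -> str:
    """TEAP EAP chaining: machine and user inner methods are evaluated in the
    same EAP session, so no cached machine state is needed."""
    if machine_ok and user_ok:
        return "PERMIT: machine and user chained"
    if machine_ok:
        return "LIMITED: machine only (no user logged on)"
    return "REJECT: machine authentication failed"


def thread_scenario() -> Dict[str, str]:
    """Replay the poster's timeline with constructed clock values (hours)."""
    cache = MarCache()
    mac = "00:11:22:33:44:55"  # constructed MAC address
    # Day 1, 08:00: user boots and logs on at the office; machine auth succeeds,
    # then user auth is accepted because the MAR entry is fresh.
    cache.record_machine_auth(mac, now=8.0)
    at_office = user_only_decision(cache, mac, user_ok=True, now=8.1)
    # Day 2, 09:00: the laptop was locked (not logged off) overnight; the user
    # unlocks and reconnects.  Only user auth is sent and the entry is 25h old.
    next_morning = user_only_decision(cache, mac, user_ok=True, now=33.0)
    # Same reconnect with TEAP chaining: both identities in one EAP session.
    with_chaining = chained_decision(machine_ok=True, user_ok=True)
    return {
        "at_office": at_office,
        "next_morning": next_morning,
        "with_chaining": with_chaining,
    }


if __name__ == "__main__":
    for step, outcome in thread_scenario().items():
        print(f"{step:14} {outcome}")
```

The model also shows why raising the MAR timeout only widens the window rather than closing it: any unlock that happens later than the timeout after the last boot or logon still hits the cache miss, which is the case chaining removes.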

 

 

Hi Mike,

Thanks for replying.

Please let me read the documentation you shared, and maybe I can find the answer there.

Regards,

Edouard.
