2151 Views | 15 Helpful | 5 Replies

EAP Chaining?

Greetings,

I have deployed machine and user authentication, and there is something unexpected.

When the user, who has signed in to W10, tries to connect the computer, the access is denied because the machine has not authenticated first.

Can the W10 supplicant send the machine and user authentication when the user has already logged in to W10?

Thanks,

Edouard.


5 Replies

balaji.bandi (Hall of Fame)

In a general deployment, the device authenticates with a certificate that is already installed, and the user authenticates by giving a username and password (based on AD or any other form of getting into the network). Once it is authenticated, it is not required again and again, until the device is moved or on a different network.

"Can the W10 supplicant send the machine and user authentication when the user has already logged in to W10?"

Not sure we understand this question correctly; can you explain this? If the user is already logged in, why does he need to send that information again?

Based on the first login, the user-connected port on the switch and the dACL are already populated, right?

Or did I misunderstand your requirement?

Good reference:

https://www.ise-support.com/2020/05/29/using-teap-for-eap-chaining/

BB

Hi Balaji,

Thanks for replying.

Everything works when the user starts the computer at the office: (1) the machine gets authenticated first and then, (2) the user gets authenticated.

The scenario where it fails is:

MAR timeout is 8 hours in ISE.

The user comes from home and the computer is locked, then unlocks. Then the user cannot access the wireless network unless the user logs off so the machine can be authenticated.

My question is, can the machine and the user be authenticated when the user already initiated a session on the computer at home?

Thanks,

Edouard.

balaji.bandi (Accepted Solution)

"My question is, can the machine and the user be authenticated when the user already initiated a session on the computer at home?"

No, it won't work this way, because the connected port is changed, and the IP address is going to change here. (There are some tweaks required to be done on the Windows side.)

@Mike.Cifelli has given you good resources to resolve this issue; if the issue persists, let us know.

BB

Mike.Cifelli (VIP Alumni)

In regard to EAP chaining, ISE 2.7 and Windows 10 build 2004 (May 2020) and later added support for the industry-standard TEAP. Prior to this, EAP chaining required the use of the Cisco-proprietary EAP-FAST, and in order to use EAP-FAST you needed to use the AnyConnect NAM module. Remember that EAP chaining grants you the ability to chain user and machine authentications together. Now with TEAP you can use the native supplicant, but you need ISE 2.7 or later as well as the specific Win10 OS. Take a look at the following for examples and a better understanding of EAP chaining/supplicant usage:

TEAP for Windows 10 using Group Policy and ISE TEAP Configuration - Cisco Community

Understanding EAP-FAST and Chaining implementations on AnyConnect NAM and ISE - Cisco

HTH!
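The failure Edouard describes (separate machine and user authentications tied together by ISE's Machine Access Restriction cache with an 8-hour timeout) and the fix Mike points to (TEAP EAP chaining, where both identities travel in one EAP session) can be modelled in a few lines. This is an added illustration, not ISE or Windows code; the MAC address, timestamps and the dictionary-based cache are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of the two ISE behaviours discussed in this thread.
# Not ISE code: the real MAR cache and TEAP state machine are far richer.
MAR_TIMEOUT = timedelta(hours=8)  # value quoted in the thread


@dataclass
class MarCache:
    """MAR cache keyed by the endpoint MAC (Calling-Station-Id in RADIUS)."""
    entries: dict = field(default_factory=dict)

    def record_machine_auth(self, mac: str, at: datetime) -> None:
        self.entries[mac] = at

    def machine_authenticated(self, mac: str, at: datetime) -> bool:
        seen = self.entries.get(mac)
        return seen is not None and at - seen <= MAR_TIMEOUT


def user_auth_with_mar(cache: MarCache, mac: str, at: datetime) -> str:
    """Separate user authentication: permitted only while a machine auth
    for this endpoint is still in the MAR cache."""
    return "permit" if cache.machine_authenticated(mac, at) else "deny"


def user_auth_with_eap_chaining(machine_ok: bool, user_ok: bool) -> str:
    """TEAP EAP chaining: both credentials arrive in the same session,
    so the decision needs no cache lookup at all."""
    return "permit" if machine_ok and user_ok else "deny"


def office_day_scenario() -> dict:
    """Reproduce Edouard's two cases: boot at the office vs. unlocking
    after a night at home with the session left locked."""
    cache = MarCache()
    mac = "00:11:22:33:44:55"  # constructed endpoint address
    monday_9am = datetime(2021, 1, 4, 9, 0)
    # Case 1: machine authenticates at boot, user logs on right after.
    cache.record_machine_auth(mac, monday_9am)
    boot_at_office = user_auth_with_mar(cache, mac, monday_9am + timedelta(minutes=2))
    # Case 2: laptop goes home locked, comes back next morning and is only
    # unlocked: no new machine auth, and the cache entry is past 8 hours.
    tuesday_9am = monday_9am + timedelta(days=1)
    unlock_next_day = user_auth_with_mar(cache, mac, tuesday_9am)
    # With TEAP chaining the same unlock succeeds: both identities go together.
    chained = user_auth_with_eap_chaining(machine_ok=True, user_ok=True)
    return {"boot_at_office": boot_at_office, "unlock_next_day": unlock_next_day, "teap_chaining": chained}
```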

Hi Mike,

Thanks for replying.

Please let me read the documentation you shared; maybe I can find the answer there.

Regards,

Edouard.
