EAP-FAST unprotected identity

ahurtadove
Level 1

Hi community!

I was wondering: I'm using EAP-FAST with the unprotected identity set to anonymous, but I see that there are many failed authentications with this user in every authentication.

(screenshot: anonymous.jpg)

Reading the documentation, it says that I need to append the domain in the NAM config file, but I don't see the benefit of this. In this config file I'm not validating server identity.

The thing is that I believe it's failing because the PAC expired, but then when the user logs in to Windows the auth succeeds. I do have some cases where this is not working and anonymous always fails.

Is this normal behaviour? Do I have to create an account named anonymous in AD?

Thank you

Accepted Solution

kthiruve
Cisco Employee

Hi Antonio,

EAP-FAST uses anonymous as outer identity. AFAIK this can be configured via Anyconnect NAM profile editor.

In the ISE authentication policy, you have conditions that include the NAS-Port-Type: Ethernet and Service-Type: Framed attributes. Usually this is enough for dot1x. Please look at the NAM logs from Windows logging to see what NAM is sending as outer and inner identity.

Finally please check in your NAM profile if service identity is configured. TLS happens within EAP-FAST as you might know.

Also check if the right inner protocol is selected in the ISE UI from Policy --> Policy Elements --> Results --> Allowed Protocols.

Hope it helps.

Thanks

Krishnan


4 Replies

Thank you Krishnan but I believe I did not explain myself clearly.

I do have an outer identity configured and I know where to configure it. The thing that I don't understand is that "anonymous" is always a failed authentication, as I don't have this user configured in any external or internal identity source. The outer identity is sent in clear text and I don't want to replace anonymous with [username] because I believe it will expose the password.

So I wanted to know if this (anonymous failed auth) was normal behaviour or not. Also, because on many devices I cannot see a domain computer authentication when the user logs off Windows, I wanted to know if this was in any way related.

Yes, you are correct. You don't want to expose the credential. To circumvent this, you can configure host/anonymous to be part of the authentication policy condition using RADIUS IETF attributes; that will take care of it.

-Krishnan
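An added example, not from this thread and not Cisco's or ISE's own code, to make the two points above concrete: the EAP-Response/Identity that carries the outer identity is sent before any TLS tunnel exists, so whatever is in it is readable on the wire (which is why "anonymous" is the right value), and a policy that is keyed on RADIUS IETF attributes (NAS-Port-Type, Service-Type, User-Name) can hand an anonymous outer identity to the EAP-FAST tunnel instead of looking it up in AD, which is where the "failed authentication for user anonymous" entries in the first post come from. The EAP and RADIUS constant values are the standard ones from RFC 3748 and RFC 2865; the `classify_access_request` function, its branch names and the sample Access-Requests are hypothetical and constructed for illustration only.

```python
"""
Added example (not from the thread, not Cisco/ISE code): models what an
authentication policy sees for an EAP-FAST session and why a cleartext outer
identity of "anonymous" must be matched on RADIUS attributes rather than
looked up in an identity store.
"""
import struct

# RFC 3748 EAP header values (standard constants)
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# RFC 2865 attribute values (standard constants)
SERVICE_TYPE_FRAMED = 2
NAS_PORT_TYPE_ETHERNET = 15
NAS_PORT_TYPE_WIRELESS_80211 = 19


def build_eap_identity_response(identifier: int, identity: str) -> bytes:
    """Encode an EAP-Response/Identity exactly as a supplicant sends it.
    This frame precedes the EAP-FAST TLS tunnel, so it is never encrypted."""
    data = identity.encode("utf-8")
    length = 5 + len(data)  # Code(1) + Identifier(1) + Length(2) + Type(1) + Type-Data
    header = struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, length, EAP_TYPE_IDENTITY)
    return header + data


def parse_eap_identity_response(packet: bytes) -> str:
    """Decode the outer identity; this is what anyone on the path can read."""
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY or length != len(packet):
        raise ValueError("not a well-formed EAP-Response/Identity")
    return packet[5:length].decode("utf-8")


# Outer identities that must never be sent to an identity store (hypothetical list)
ANONYMOUS_OUTER_IDENTITIES = {"anonymous", "host/anonymous"}


def classify_access_request(attrs: dict) -> str:
    """Hypothetical policy evaluation modelled on the advice in the thread.

    attrs maps RADIUS attribute name -> value for one Access-Request.
    Returns the branch the request should take."""
    wired_dot1x = (
        attrs.get("NAS-Port-Type") == NAS_PORT_TYPE_ETHERNET
        and attrs.get("Service-Type") == SERVICE_TYPE_FRAMED
    )
    if not wired_dot1x:
        return "not-wired-dot1x"
    outer = attrs.get("User-Name", "")
    if outer in ANONYMOUS_OUTER_IDENTITIES:
        # Do not query AD / internal users for "anonymous": continue the
        # EAP-FAST method so the inner (tunnelled) identity is authenticated.
        return "eap-fast-tunnel"
    # A real username as outer identity is readable on the wire; flag it for review.
    return "exposed-outer-identity"


def summarize_requests(requests) -> dict:
    """Count how a batch of Access-Requests would be routed by the policy."""
    counts = {}
    for request in requests:
        branch = classify_access_request(request)
        counts[branch] = counts.get(branch, 0) + 1
    return counts


# Constructed sample Access-Requests (not real ISE or switch logs)
SAMPLE_REQUESTS = [
    {"User-Name": "anonymous", "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET, "Service-Type": SERVICE_TYPE_FRAMED},
    {"User-Name": "host/anonymous", "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET, "Service-Type": SERVICE_TYPE_FRAMED},
    {"User-Name": "jdoe@example.com", "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET, "Service-Type": SERVICE_TYPE_FRAMED},
    {"User-Name": "anonymous", "NAS-Port-Type": NAS_PORT_TYPE_WIRELESS_80211, "Service-Type": SERVICE_TYPE_FRAMED},
]

if __name__ == "__main__":
    frame = build_eap_identity_response(1, "anonymous")
    print("EAP-Response/Identity on the wire:", frame.hex())
    print("outer identity readable in cleartext:", parse_eap_identity_response(frame))
    print("policy routing for the constructed batch:", summarize_requests(SAMPLE_REQUESTS))
```

Running the block prints the raw identity frame, shows that the outer identity is recovered from it without any key material, and routes the two anonymous wired requests to the tunnel branch, the wireless one to a different policy, and the request carrying a real username to a review branch. The same separation is what the later poster is missing when ISE "tries to authenticate the outer identity instead of the inner one": the outer identity never reaches an identity store if the policy condition catches it first.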

Hello,

We also have this issue: ISE tries to authenticate the outer identity instead of the inner one.

We also have something weird. When authentication fails once, sometimes AnyConnect or the switch keeps the result of this authentication in cache, and when we clear the authentication on the switch, dot1x authentication fails instantly (the switch doesn't send a RADIUS authentication request).

Any idea about that?

Thank you