Hello Andy
I find the best way to resolve these things is by lab testing. I have a handy way to test this without needing any equipment, other than ISE and a Linux workstation. In your example you show Wired 802.1X, but if you would agree that Wireless 802.1X is an equivalent, then I would like to share with you my lab setup below. I don't know exactly what config you put in the Policy Set Condition (the top-most part) and what you put into the Authentication Policy - let's start with the config below and then tell me if I got it wrong:
My test client is a Linux workstation with wpa_supplicant configured on it. I wrote a blog series about this years ago - still one of my favourite things to lab with. The command below sends RADIUS requests to ISE and it looks to ISE as if it came from a Wireless Controler. The user is defined in a config file:
[admin-biera@iptel-centos-01 radius]$ cat mschap.conf
#
network={
ssid="example"
key_mgmt=WPA-EAP
eap=PEAP
identity="biera"
anonymous_identity="anonymous"
password="MyADPassword"
phase2="autheap=MSCHAPV2"
ca_cert="/home/admin-biera/radius/IPTEL-ROOT.CA.pem"
}
Then a client connection is simulated with this command
[admin-biera@iptel-centos-01 radius]$ eapol_test -c mschap.conf -s secretkey -a 192.168.0.220 -M '04:00:00:00:00:DD' -N '6:d:2' -N '8:x:C0A815CA'
The output on the CLI is very long and debug-like - but we look for the last message
WPA: Clear old PMK and PTK EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit ENGINE: engine deinit MPPE keys OK: 1 mismatch: 0 SUCCESS
If you have this setup in the lab, you can quickly test any ISE Policy Set.
Let me know the exact test you want to run and I can try again. I am using ISE 2.7 patch 3
I think it's safe to say that you cannot (and should not) test the EAP Inner Methods in the Policy Set Condition (in other words, the outer-most part that happens BEFORE Authentication and Authorization). In ISE 2.1 it seems you could still try and test all those methods, but they will fail. In ISE 2.7 you can still try and test MS-CHAPV2 but it will fail. I think the reason is that ISE does not check inside the EAP packets yet for the Inner Method. That is the job of the Authentication Policy configuration section. The misleading issue is that even ISE 2.7 still lets you configure MSCHAPV2 in the Policy Set Condition - not sure what the use case would be for - but for EAP-PEAP it does not work. I was able to confirm that. I think your config will be fixed if you remove that from the Policy Set and put your EAP checks into the Authentication Section.
Below shows what's still possible in ISE 2.7 - only MSCHAPV2 in the outer Policy Set Condition:
The results:
In my case, if I include the MSCHAPV2 check in the Policy Set, it will fail that Policy Set, and try the next one. In my case the nect Policy Set is called IPTEL WIRELESS 802.1X and it's a very simple Condition that only checks for "Wireless_802.1X" - that of course is good enough, and hence the Policy passes. But in our little experiment here, it proves that we had a "failure".
