ISE 1.2 - MAR cache with PEAP vs EAP Chaining

pwenstrand (Level 1)

Does EAP chaining with EAP-FAST v2 and NAM 3.1 present the machine certificate for authentication during each connection to wireless? Is it not still tied to the Windows login event, as with PEAP?

I found this article, but would like to see if anyone has experience working with EAP chaining in ISE.

https://tswireless.wordpress.com/2012/09/22/cisco-ise-machine-authentication-cache/

7 Replies

jan.nielsen (Level 7)

Yes. If you set up NAM for EAP-Chaining (Machine and User) and then select EAP-TLS with a certificate, NAM will send both when a user logs in. When the machine is booting, only the machine identity will be sent (because we don't know the user's identity before they have attempted to log in).

Thanks for the confirmation!

Won't EAP chaining send both machine and user information at each auth attempt? Say, at the expiration of the reauthentication timer (when the user is already logged in)?

Yes, but only if the user is logged in. If the user logs off, the session will be automatically re-authenticated by NAM as machine only.

That makes sense.  I was concerned that it would have the same issue as MAR where eap-chaining only authenticates at boot or login.

Nope. EAP-Chaining was designed in order to fix the issues with MAR.

This is deviating a little bit, but what about policy node groups? Isn't the point of those node groups to alleviate the MAR issue as well? They can't share the MAR cached inventory between each other, but they know about active sessions. So when a node dies, it forces a reauthentication of the user.

This does not force a reauth of machine creds, though.

How does EAP chaining work with policy node groups?
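The behaviour described in the replies above (machine identity only at boot, machine plus user on every authentication while a user is logged in, machine only again after logoff) and the MAR cache problem raised in the last two posts (cache aging out during a long user session, and a surviving node having no copy of a dead node's MAR cache) can be replayed side by side in a small simulation. This is an added example written for this thread, not ISE or AnyConnect NAM code. The MAR aging time of 6 hours, the authorization profile names, the MAC address, the node names and the event timeline are all constructed for illustration; the model follows the thread's claim that the MAR cache is local to the node that saw the machine authentication.

```python
"""Simulation of what an ISE policy service node sees per authentication under
two designs discussed in this thread: PEAP with the MAR cache, and EAP-FAST v2
EAP chaining via NAM. Illustrative model only, not ISE or NAM code."""

from dataclasses import dataclass, field

# Assumed MAR cache aging time in hours. ISE exposes this as a configurable
# setting; 6 is a placeholder, not the value of any particular deployment.
MAR_AGE_HOURS = 6

# Constructed timeline of (hour, event) for one wireless endpoint.
DEMO_TIMELINE = [
    (0, "boot"),       # machine comes up, no user logged in
    (0, "login"),      # interactive Windows login
    (8, "reauth"),     # reauthentication timer expires, user still logged in
    (9, "psn1_down"),  # node holding the session dies, surviving node forces reauth
    (10, "logoff"),    # user logs off, endpoint re-authenticates
    (11, "login"),     # user logs in again
]


@dataclass
class Endpoint:
    mac: str
    user_logged_in: bool = False


@dataclass
class Psn:
    """One policy service node. Per the thread, the MAR cache lives only on the
    node that processed the machine authentication and is not shared."""
    name: str
    mar_cache: dict = field(default_factory=dict)  # mac -> hour of last machine auth


def authz(machine_ok: bool, user_ok: bool) -> str:
    """Toy authorization policy used by both models (profile names are assumptions)."""
    if machine_ok and user_ok:
        return "PERMIT_FULL"
    if machine_ok:
        return "MACHINE_ONLY"
    if user_ok:
        return "QUARANTINE"  # user credential without a trusted machine
    return "DENY"


def peap_mar_auth(ep: Endpoint, psn: Psn, hour: int) -> str:
    """PEAP: Windows sends the machine identity only while nobody is logged in,
    and the user identity only once someone is. Machine trust during a user
    session therefore comes from the MAR cache, which can age out or be missing."""
    if not ep.user_logged_in:
        psn.mar_cache[ep.mac] = hour  # successful machine auth refreshes this node's cache
        return authz(machine_ok=True, user_ok=False)
    seen = psn.mar_cache.get(ep.mac)
    machine_ok = seen is not None and hour - seen <= MAR_AGE_HOURS
    return authz(machine_ok=machine_ok, user_ok=True)


def eap_chaining_auth(ep: Endpoint, psn: Psn, hour: int) -> str:
    """EAP-FAST v2 chaining: NAM proves the machine identity on every
    authentication and adds the user identity in the same exchange whenever a
    user is logged in, so no server-side cache is consulted."""
    return authz(machine_ok=True, user_ok=ep.user_logged_in)


def run(timeline, auth_fn):
    """Replay the timeline; every event triggers one (re)authentication."""
    ep = Endpoint("00:11:22:33:44:55")  # constructed MAC address
    psns = {"psn1": Psn("psn1"), "psn2": Psn("psn2")}
    active = "psn1"
    results = []
    for hour, event in timeline:
        if event == "login":
            ep.user_logged_in = True
        elif event == "logoff":
            ep.user_logged_in = False
        elif event == "psn1_down":
            active = "psn2"  # failover: psn2 has no copy of psn1's MAR cache
        results.append((hour, event, auth_fn(ep, psns[active], hour)))
    return results


if __name__ == "__main__":
    for label, fn in (("PEAP + MAR", peap_mar_auth), ("EAP chaining", eap_chaining_auth)):
        print(label)
        for hour, event, decision in run(DEMO_TIMELINE, fn):
            print(f"  h{hour:02d} {event:10s} -> {decision}")
```

With the PEAP model the user lands in the quarantine profile twice: once when the reauthentication timer fires after the cache has aged out, and again after the failover, because the surviving node never saw the machine authentication. With the chaining model both identities arrive in every authentication while the user is logged in, so neither event changes the decision. In a real ISE authorization policy the equivalent of the two booleans is the EapChainingResult attribute populated by the EAP-FAST v2 exchange, rather than anything looked up from a cache.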
