02-10-2015 01:22 PM - edited 03-10-2019 10:26 PM
Does EAP chaining with EAP-FAST v2 and NAM 3.1 present the machine certificate for authentication during each connection to wireless? It's not still tied to the Windows login event as with PEAP?
I found this article, but would like to see if anyone has experience working with EAP chaining in ISE.
https://tswireless.wordpress.com/2012/09/22/cisco-ise-machine-authentication-cache/
02-10-2015 03:54 PM
Yes, if you set up NAM for EAP-Chaining - Machine and User, and then select EAP-TLS w/cert, NAM will send both when a user logs in. When the machine is booting, only the machine identity will be sent (because we don't know the user's identity before they have attempted to log in).
02-11-2015 10:47 AM
Thanks for the confirmation!
10-07-2015 03:50 PM
Won't EAP chaining send both machine and user information at each auth attempt? Say at the expiration of the reauthentication timer (when the user is already logged in)?
10-08-2015 10:04 AM
Yes, but only if the user is logged in. If the user logs off, the session will be automatically re-authenticated by NAM as machine only.
10-08-2015 10:25 AM
That makes sense. I was concerned that it would have the same issue as MAR, where EAP chaining only authenticates at boot or login.
10-08-2015 01:26 PM
Nope, EAP-Chaining was designed in order to fix the issues with MAR.
10-08-2015 02:18 PM
This is deviating a little bit, but what about policy node groups? Isn't the point of those node groups to alleviate the MAR issue as well? They can't share the MAR cached inventory between each other, but they know about active sessions. So when a node dies, it forces a reauthentication of the user.
This does not force a reauth of machine creds, though.
How does EAP chaining work with policy node groups?