Solved: ISE is still using user authentication for EAP Chaining

SMD28316 · ‎09-07-2021

I am using ISE with AnyConnect in a lab environment, I tried switching from user authentication to machine authentication by configuring the authorization role to use computers domains on the AD instead of users (EAP Chaining), now ISE is querying both methods as the logs suggest:

12209	Starting EAP chaining
12210	Received User Authorization PAC
12211	Received Machine Authorization PAC
12218	Selected identity type 'User' <= Why
	......
22037	Authentication Passed
12124	EAP-FAST inner method skipped
12219	Selected identity type 'Machine'
	.....
22037	Authentication Passed
12124	EAP-FAST inner method skipped
12964	Sent EAP Result TLV indicating success= s
12105	Prepared EAP-Request with another EAP= -FAST challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12104	Extracted EAP-Response containing EAP-FAST challenge-response
12106	EAP-FAST authentication phase finished successfully
11503	Prepared EAP-Success
15036	Evaluating Authorization Policy

Why is that? any configuration is missing on ISE or AnyConnect?

Mike.Cifelli · ‎09-07-2021

I tried switching from user authentication to machine authentication by configuring the authorization role to use computers domains on the AD instead of users (EAP Chaining)

Why is that? any configuration is missing on ISE or AnyConnect?

-I am under the assumption that ISE is still allowing the eap-fast protocol, and nothing changed on the supplicant side (AnyConnect). IMO your issue is that the client is still attempting to negotiate via eap-fast due to how your NAM profile is setup. My suggestion would be to use the NAM profile editor to tweak the configuration as you desire (comp only OR eap-fast). Note that there is a way to configure multiple "profiles (networks)" within the NAM editor. Personally for testing this would be optimal for your sake. In doing this you would get the ability to negotiate eap-tls for comp only and/or eap-fast for user/comp chaining. During your testing you would control the negotiation aspect from the client side via the NAM drop down (click one network profile versus the other). Lastly, yes, you will still need to setup and configure rad policies within ISE to support both protocols and onboarding workflows. HTH!

View solution in original post

Mike.Cifelli · ‎09-07-2021

I tried switching from user authentication to machine authentication by configuring the authorization role to use computers domains on the AD instead of users (EAP Chaining)

Why is that? any configuration is missing on ISE or AnyConnect?

-I am under the assumption that ISE is still allowing the eap-fast protocol, and nothing changed on the supplicant side (AnyConnect). IMO your issue is that the client is still attempting to negotiate via eap-fast due to how your NAM profile is setup. My suggestion would be to use the NAM profile editor to tweak the configuration as you desire (comp only OR eap-fast). Note that there is a way to configure multiple "profiles (networks)" within the NAM editor. Personally for testing this would be optimal for your sake. In doing this you would get the ability to negotiate eap-tls for comp only and/or eap-fast for user/comp chaining. During your testing you would control the negotiation aspect from the client side via the NAM drop down (click one network profile versus the other). Lastly, yes, you will still need to setup and configure rad policies within ISE to support both protocols and onboarding workflows. HTH!