This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC!
We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
I found the following that was posted here many years ago.
Is this post still valid? Is EAP Chaining with AnyConnect client the only way to accomplish this?
OR has something changed in ISE to support 2 authentications from one device?
Cut from previous post.
I don't believe that this is possible and it is due to the limitations of the native windows supplicant where can do either one of the following:
1. User authentication
2. Machine authentication
3. Machine or user authentication
Machine+User authentication can only be accomplished with EAP-Chaining which is only supported by AnyConnect.
Solved! Go to Solution.
ISE 2.7 release also provided the option for EAP-TEAP as an alternative to EAP-Chaining with NAM. As of today, only Windows supports EAP-TEAP, and of that only the Windows 10 2004+ (May 2020 release) 2H builds or newer.
There were a couple open bugs in 2.7 for TEAP, but I believe patch 3 was going to address them.
ISE 2.7 release also provided the option for EAP-TEAP as an alternative to EAP-Chaining with NAM. As of today, only Windows supports EAP-TEAP, and of that only the Windows 10 2004+ (May 2020 release) 2H builds or newer.
There were a couple open bugs in 2.7 for TEAP, but I believe patch 3 was going to address them.
In addition to the excellent answer from Damien, you can also do EAP+CWA chaining where machines that successfully authenticate with machine certificates are punted through the Central Web Authentication flow for user based authentication.
Thank you rating helpful posts!
Thank you to both of you for the quick responses. Do you know what version of ISE is needed to support the EAP+CWA chaining?
I really don't recall but this has been supported for a while...probably since ISE 2.0 days.
Thank you rating helpful posts!