Cisco Employee

ISE support for Machine Certificate plus User authentication

I found the following that was posted here many years ago.

Is this post still valid? Is EAP Chaining with AnyConnect client the only way to accomplish this?

OR has something changed in ISE to support 2 authentications from one device?

Cut from previous post.

I don't believe that this is possible and it is due to the limitations of the native Windows supplicant, which can do only one of the following:

1. User authentication

2. Machine authentication

3. Machine or user authentication

Machine+User authentication can only be accomplished with EAP-Chaining which is only supported by AnyConnect.

Accepted Solution
VIP Advisor

ISE 2.7 release also provided the option for EAP-TEAP as an alternative to EAP-Chaining with NAM. As of today, only Windows supports EAP-TEAP, and of that only the Windows 10 2004+ (May 2020 release) 2H builds or newer. 

https://community.cisco.com/t5/security-documents/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289


There were a couple open bugs in 2.7 for TEAP, but I believe patch 3 was going to address them. 


4 Replies

Cisco Employee

In addition to the excellent answer from Damien, you can also do EAP+CWA chaining where machines that successfully authenticate with machine certificates are punted through the Central Web Authentication flow for user based authentication. 

Thank you for rating helpful posts!
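The EAP + CWA chaining flow described in the reply above, modelled as an added Python example. This is constructed here for illustration and is not Cisco ISE code or its policy syntax; the class name, the MAC-keyed session store, the constant-string access results and the inline password table are all assumptions. What it shows is the binding that makes the two factors a chain: a user login through the web portal is only accepted against an endpoint session that already passed machine-certificate authentication, and until that login happens the endpoint only gets the limited redirect state.

```python
"""Toy model of EAP + CWA chaining (constructed example, not ISE code).

Stage 1: the endpoint does 802.1X with a machine certificate. On success it is
given limited access plus a URL redirect to the web portal (REDIRECT_TO_CWA).
Stage 2: the user logs in through the CWA portal; the login is tied to the
existing endpoint session (keyed here by MAC) and full access is granted.
A CWA login from a MAC with no machine-authenticated session is rejected.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed result labels for the authorization decision (not ISE attribute values).
DENY = "DENY"
REDIRECT_TO_CWA = "REDIRECT_TO_CWA"   # limited ACL + web-portal redirect
FULL_ACCESS = "FULL_ACCESS"


@dataclass
class Session:
    """One endpoint session, created only after machine-certificate auth succeeds."""
    mac: str
    machine_identity: str
    user: Optional[str] = None

    def access(self) -> str:
        # Full access requires both the machine identity and a chained user login.
        return FULL_ACCESS if self.user else REDIRECT_TO_CWA


class ChainedAuthorizer:
    """Hypothetical policy engine that enforces the machine-then-user ordering."""

    def __init__(self, trusted_issuer: str, user_db: Dict[str, str]) -> None:
        self.trusted_issuer = trusted_issuer
        self.user_db = user_db            # constructed: username -> password
        self.sessions: Dict[str, Session] = {}

    def dot1x_machine_cert(self, mac: str, subject: str, issuer: str,
                           chain_valid: bool) -> str:
        """Stage 1: EAP-TLS with a machine certificate (checks are simplified)."""
        if not chain_valid or issuer != self.trusted_issuer \
                or not subject.startswith("host/"):
            self.sessions.pop(mac, None)  # a failed re-auth also tears down state
            return DENY
        self.sessions[mac] = Session(mac=mac, machine_identity=subject)
        return REDIRECT_TO_CWA

    def cwa_login(self, mac: str, username: str, password: str) -> str:
        """Stage 2: user login via the CWA portal, chained onto the MAC's session."""
        session = self.sessions.get(mac)
        if session is None:
            return DENY  # nothing to chain onto: no machine-authenticated session
        expected = self.user_db.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return session.access()  # bad credentials: stay in the redirect state
        session.user = username
        return session.access()


if __name__ == "__main__":
    auth = ChainedAuthorizer("CN=Corp-Issuing-CA", {"alice": "pw-alice"})
    print(auth.dot1x_machine_cert("00:11:22:33:44:55", "host/pc1.corp.example",
                                  "CN=Corp-Issuing-CA", True))
    print(auth.cwa_login("00:11:22:33:44:55", "alice", "pw-alice"))
    print(auth.cwa_login("66:77:88:99:aa:bb", "alice", "pw-alice"))
```

The session lookup by MAC stands in for the endpoint session ISE correlates on; whatever key a real deployment uses, the defensive property to verify is the one the last call exercises: valid user credentials presented from an endpoint that never passed machine-certificate authentication must not yield network access.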


Thank you to both of you for the quick responses.  Do you know what version of ISE is needed to support the EAP+CWA chaining? 



I really don't recall but this has been supported for a while...probably since ISE 2.0 days. 

Thank you for rating helpful posts!
